Analysis Overview
SHA256
fd8d1e70b3e9c7188a151be315a9daaf94af8d8da9950899a88af5cf9886e968
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
Djvu Ransomware
Vidar
Aurora
SmokeLoader
Detected Djvu ransomware
DcRat
Detects Smokeloader packer
Suspicious use of NtCreateUserProcessOtherParentProcess
IcedID, BokBot
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
Checks computer location settings
Uses the VBS compiler for execution
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Checks installed software on the system
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
GoLang User-Agent
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Delays execution with timeout.exe
Checks processor information in registry
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-11 19:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-11 19:15
Reported
2023-01-11 19:17
Platform
win7-20221111-en
Max time kernel
150s
Max time network
30s
Command Line
Signatures
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\file.exe | "C:\Users\Admin\AppData\Local\Temp\file.exe" |
Network
Files
memory/1148-54-0x0000000075A91000-0x0000000075A93000-memory.dmp
memory/1148-56-0x0000000000230000-0x0000000000239000-memory.dmp
memory/1148-55-0x000000000064D000-0x0000000000663000-memory.dmp
memory/1148-57-0x0000000000400000-0x0000000000456000-memory.dmp
memory/1148-58-0x0000000000400000-0x0000000000456000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-11 19:15
Reported
2023-01-11 19:17
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Aurora
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5c920b25-cdd4-42b5-977a-a69c14354eb4\\F514.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\F514.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Smokeloader packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
IcedID, BokBot
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1820 created 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\E7E7.exe | C:\Windows\System32\computerdefaults.exe |
Vidar
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F514.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F514.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D54.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5c920b25-cdd4-42b5-977a-a69c14354eb4\\F514.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\F514.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\WindowsPrograms\\WindowsHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\D54.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 732 set thread context of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\F514.exe | C:\Users\Admin\AppData\Local\Temp\F514.exe |
| PID 3724 set thread context of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\F514.exe | C:\Users\Admin\AppData\Local\Temp\F514.exe |
| PID 4232 set thread context of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\42.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 1640 set thread context of 4048 | N/A | C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe | C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe |
| PID 1260 set thread context of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\D54.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 4004 set thread context of 388 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\FB9E.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\42.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\95DC.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\FA07.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\FA07.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\FA07.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002b5622a2100054656d7000003a0009000400efbe0c5519992b5622a22e00000000000000000000000000000000000000000000000000407cda00540065006d007000000014000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FA07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\file.exe | "C:\Users\Admin\AppData\Local\Temp\file.exe" |
| C:\Users\Admin\AppData\Local\Temp\F38C.exe | C:\Users\Admin\AppData\Local\Temp\F38C.exe |
| C:\Users\Admin\AppData\Local\Temp\F514.exe | C:\Users\Admin\AppData\Local\Temp\F514.exe |
| C:\Users\Admin\AppData\Local\Temp\FA07.exe | C:\Users\Admin\AppData\Local\Temp\FA07.exe |
| C:\Users\Admin\AppData\Local\Temp\FB9E.exe | C:\Users\Admin\AppData\Local\Temp\FB9E.exe |
| C:\Users\Admin\AppData\Local\Temp\42.exe | C:\Users\Admin\AppData\Local\Temp\42.exe |
| C:\Users\Admin\AppData\Local\Temp\F514.exe | C:\Users\Admin\AppData\Local\Temp\F514.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2304 -ip 2304 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 344 |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\5c920b25-cdd4-42b5-977a-a69c14354eb4" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\F514.exe | "C:\Users\Admin\AppData\Local\Temp\F514.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\F514.exe | "C:\Users\Admin\AppData\Local\Temp\F514.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe | "C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4232 -ip 4232 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 140 |
| C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe | "C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Windows\SysWOW64\Wbem\wmic.exe | wmic os get Caption |
| C:\Windows\SysWOW64\cmd.exe | cmd /C "wmic path win32_VideoController get name" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic path win32_VideoController get name |
| C:\Windows\SysWOW64\cmd.exe | cmd /C "wmic cpu get name" |
| C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic cpu get name |
| C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe | "C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe | "C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe" & exit |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 6 |
| C:\Users\Admin\AppData\Local\Temp\95DC.exe | C:\Users\Admin\AppData\Local\Temp\95DC.exe |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp",Edoqqdswdffqipe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4352 -ip 4352 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 544 |
| C:\Users\Admin\AppData\Local\Temp\C7DA.exe | C:\Users\Admin\AppData\Local\Temp\C7DA.exe |
| C:\Users\Admin\AppData\Local\Temp\D009.exe | C:\Users\Admin\AppData\Local\Temp\D009.exe |
| C:\Users\Admin\AppData\Local\Temp\E7E7.exe | C:\Users\Admin\AppData\Local\Temp\E7E7.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| C:\Windows\System32\computerdefaults.exe | C:\Windows\System32\computerdefaults.exe |
| C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe C:\ProgramData\intel.dll, Entry |
| C:\Users\Admin\AppData\Local\Temp\F9AB.exe | C:\Users\Admin\AppData\Local\Temp\F9AB.exe |
| C:\Users\Admin\AppData\Local\Temp\FE30.exe | C:\Users\Admin\AppData\Local\Temp\FE30.exe |
| C:\Users\Admin\AppData\Local\Temp\D54.exe | C:\Users\Admin\AppData\Local\Temp\D54.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ipconfig/release |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /release |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA== |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Users\Admin\AppData\Local\Temp\Iwhwwflmjnchqylwsotldpkjhsfkj3hjkh54.exe | "C:\Users\Admin\AppData\Local\Temp\Iwhwwflmjnchqylwsotldpkjhsfkj3hjkh54.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ipconfig/renew |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /renew |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| C:\Windows\system32\rundll32.exe | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23803 |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
Network
| Country | Destination | Domain | Proto |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | potunulit.org | udp |
| N/A | 188.114.96.0:80 | potunulit.org | tcp |
| N/A | 8.8.8.8:53 | wagringamuk.com | udp |
| N/A | 8.8.8.8:53 | polyzi.com | udp |
| N/A | 95.217.49.230:443 | polyzi.com | tcp |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 104.46.162.224:443 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 162.0.217.254:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | uaery.top | udp |
| N/A | 8.8.8.8:53 | spaceris.com | udp |
| N/A | 187.212.192.17:80 | uaery.top | tcp |
| N/A | 211.40.39.251:80 | spaceris.com | tcp |
| N/A | 211.40.39.251:80 | spaceris.com | tcp |
| N/A | 82.115.223.77:8081 | N/A | tcp |
| N/A | 185.106.94.35:80 | 185.106.94.35 | tcp |
| N/A | 8.8.8.8:53 | t.me | udp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 5.75.182.6:80 | 5.75.182.6 | tcp |
| N/A | 8.8.8.8:53 | mightys.at | udp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 194.135.33.44:80 | 194.135.33.44 | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 23.236.181.126:443 | 23.236.181.126 | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 149.248.63.92:80 | 149.248.63.92 | tcp |
| N/A | 8.8.8.8:53 | c3g6gx853u6j.xyz | udp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 8.8.8.8:53 | transfer.sh | udp |
| N/A | 144.76.136.153:443 | transfer.sh | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 8.8.8.8:53 | github.com | udp |
| N/A | 140.82.114.4:443 | github.com | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 217.12.206.197:80 | 217.12.206.197 | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 8.8.8.8:53 | wagringamuk.com | udp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 193.56.146.29:80 | 193.56.146.29 | tcp |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 193.56.146.29:80 | 193.56.146.29 | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 193.56.146.29:80 | 193.56.146.29 | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 211.171.233.129:80 | mightys.at | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 109.206.243.143:80 | c3g6gx853u6j.xyz | tcp |
| N/A | 8.8.8.8:53 | tinyurl.com | udp |
| N/A | 172.67.1.225:443 | tinyurl.com | tcp |
| N/A | 8.8.8.8:53 | panel382523.site | udp |
| N/A | 31.31.198.106:80 | panel382523.site | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 127.0.0.1:23803 | N/A | tcp |
| N/A | 65.21.237.20:43077 | N/A | tcp |
| N/A | 127.0.0.1:1312 | N/A | tcp |
| N/A | 65.21.237.20:43077 | N/A | tcp |
| N/A | 8.8.8.8:53 | wagringamuk.com | udp |
Files
memory/4844-132-0x00000000005EE000-0x0000000000603000-memory.dmp
memory/4844-133-0x0000000002190000-0x0000000002199000-memory.dmp
memory/4844-134-0x0000000000400000-0x0000000000456000-memory.dmp
memory/4844-135-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2108-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F38C.exe
| MD5 | 02ff76dbe2bb9fc49ddea931896601d3 |
| SHA1 | 037f7708d988957d49243b2e93df0878e22e0030 |
| SHA256 | 30ac60ce48ad9a04c19803d9b4dbee395ad362ad782b8912fce238a90f1cced0 |
| SHA512 | 79a9a33b4a61346bfd8440a0c71996a3606d4bc4026e8cf8a5361d1bd02d91fd5802af37e879a799e75881dbb0c577c9e8a7c529f4ffb7f8b47e33935f1e5f85 |
C:\Users\Admin\AppData\Local\Temp\F38C.exe
| MD5 | 02ff76dbe2bb9fc49ddea931896601d3 |
| SHA1 | 037f7708d988957d49243b2e93df0878e22e0030 |
| SHA256 | 30ac60ce48ad9a04c19803d9b4dbee395ad362ad782b8912fce238a90f1cced0 |
| SHA512 | 79a9a33b4a61346bfd8440a0c71996a3606d4bc4026e8cf8a5361d1bd02d91fd5802af37e879a799e75881dbb0c577c9e8a7c529f4ffb7f8b47e33935f1e5f85 |
memory/2108-139-0x0000000140000000-0x0000000140008000-memory.dmp
memory/732-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F514.exe
| MD5 | 5d09682b08307cf7e7d4ee43b3b04791 |
| SHA1 | 8668ef968def3d1e58bc5d3bb57088f0550a3b2d |
| SHA256 | b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3 |
| SHA512 | a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0 |
C:\Users\Admin\AppData\Local\Temp\F514.exe
| MD5 | 5d09682b08307cf7e7d4ee43b3b04791 |
| SHA1 | 8668ef968def3d1e58bc5d3bb57088f0550a3b2d |
| SHA256 | b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3 |
| SHA512 | a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0 |
memory/2108-148-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/4396-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FA07.exe
| MD5 | b0ad477a4ca4a8a67f8ca0f8e43d8ef5 |
| SHA1 | b23b74f93f5c2eb4b0ba1b36ff7f27d1240ffbd0 |
| SHA256 | 7b4477362fa5411d483f384852249d5638c0bf93a4e913a7868d37883686f725 |
| SHA512 | 900da510c37c0d060d16b407995e26d8e79a69f13c62d91375c4d4946cd50a81648bdbe75f26d78625dc0abb1452b313de8ab8c58e1cbe4f4117b3e3cb766fad |
C:\Users\Admin\AppData\Local\Temp\FA07.exe
| MD5 | b0ad477a4ca4a8a67f8ca0f8e43d8ef5 |
| SHA1 | b23b74f93f5c2eb4b0ba1b36ff7f27d1240ffbd0 |
| SHA256 | 7b4477362fa5411d483f384852249d5638c0bf93a4e913a7868d37883686f725 |
| SHA512 | 900da510c37c0d060d16b407995e26d8e79a69f13c62d91375c4d4946cd50a81648bdbe75f26d78625dc0abb1452b313de8ab8c58e1cbe4f4117b3e3cb766fad |
memory/2304-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FB9E.exe
| MD5 | 1d04438d49e15bad354bc606852e43dd |
| SHA1 | febdfc26cf1a443bd22ab4b0745ce21fece43556 |
| SHA256 | 1747f4f45223125c112798c43414259280c6d6ffc19ebb2bd29094a795603c77 |
| SHA512 | 4655c62461be893a9982e8ee99a514394412af543a49204c3080f710ff0ab7dab0a21fc4660f76d295a731ea87947dea0fbd9194188b66838435e156cb434e24 |
C:\Users\Admin\AppData\Local\Temp\FB9E.exe
| MD5 | 1d04438d49e15bad354bc606852e43dd |
| SHA1 | febdfc26cf1a443bd22ab4b0745ce21fece43556 |
| SHA256 | 1747f4f45223125c112798c43414259280c6d6ffc19ebb2bd29094a795603c77 |
| SHA512 | 4655c62461be893a9982e8ee99a514394412af543a49204c3080f710ff0ab7dab0a21fc4660f76d295a731ea87947dea0fbd9194188b66838435e156cb434e24 |
memory/4232-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\42.exe
| MD5 | 1a450a1a716cdb1bc3bd0b7467c2f157 |
| SHA1 | 195d2f7052897360b07cf68a9f05794fcb41d88e |
| SHA256 | 88076120630d47c184b949cb272e69a1df48244300e1f10b09443ef3140d554b |
| SHA512 | de0ba52dc6e62b2da6105c2149e1b3040762634617b6918378ad8c65ef4f59516adeaa6ba74e52369694ab0eeed3ed3a7dc78c275920c27936d467d5168b1188 |
C:\Users\Admin\AppData\Local\Temp\42.exe
| MD5 | 1a450a1a716cdb1bc3bd0b7467c2f157 |
| SHA1 | 195d2f7052897360b07cf68a9f05794fcb41d88e |
| SHA256 | 88076120630d47c184b949cb272e69a1df48244300e1f10b09443ef3140d554b |
| SHA512 | de0ba52dc6e62b2da6105c2149e1b3040762634617b6918378ad8c65ef4f59516adeaa6ba74e52369694ab0eeed3ed3a7dc78c275920c27936d467d5168b1188 |
memory/732-159-0x0000000001FAF000-0x0000000002040000-memory.dmp
memory/732-160-0x0000000002290000-0x00000000023AB000-memory.dmp
memory/224-162-0x0000000000400000-0x0000000000537000-memory.dmp
memory/224-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F514.exe
| MD5 | 5d09682b08307cf7e7d4ee43b3b04791 |
| SHA1 | 8668ef968def3d1e58bc5d3bb57088f0550a3b2d |
| SHA256 | b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3 |
| SHA512 | a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0 |
memory/224-164-0x0000000000400000-0x0000000000537000-memory.dmp
memory/224-165-0x0000000000400000-0x0000000000537000-memory.dmp
memory/224-166-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4396-167-0x0000000000460000-0x0000000000560000-memory.dmp
memory/4396-168-0x0000000001F10000-0x0000000001F19000-memory.dmp
memory/4396-169-0x0000000000400000-0x0000000000456000-memory.dmp
memory/2304-170-0x000000000056D000-0x0000000000583000-memory.dmp
memory/2304-171-0x0000000000400000-0x0000000000458000-memory.dmp
memory/3672-172-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\5c920b25-cdd4-42b5-977a-a69c14354eb4\F514.exe
| MD5 | 5d09682b08307cf7e7d4ee43b3b04791 |
| SHA1 | 8668ef968def3d1e58bc5d3bb57088f0550a3b2d |
| SHA256 | b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3 |
| SHA512 | a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0 |
memory/3724-174-0x0000000000000000-mapping.dmp
memory/224-176-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F514.exe
| MD5 | 5d09682b08307cf7e7d4ee43b3b04791 |
| SHA1 | 8668ef968def3d1e58bc5d3bb57088f0550a3b2d |
| SHA256 | b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3 |
| SHA512 | a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0 |
memory/3836-177-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F514.exe
| MD5 | 5d09682b08307cf7e7d4ee43b3b04791 |
| SHA1 | 8668ef968def3d1e58bc5d3bb57088f0550a3b2d |
| SHA256 | b0fe9334ec54815e8eda224488e34d41fcdaef253cad3c7cb751b273b3dc91e3 |
| SHA512 | a362e95e79b100178bce102b015e3d0107cd3df808980d84b63bc940ee7c90221f06cc2dc9f087b7e15e20ec994418483f5b913d954badf60d70f6c56b96f4d0 |
memory/3724-181-0x0000000002053000-0x00000000020E4000-memory.dmp
memory/3836-180-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3836-182-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4396-183-0x0000000000400000-0x0000000000456000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 61a9f01083346a0ee40dc68983932b14 |
| SHA1 | 85737a00e510acc709a5ea03d04a666bf41eb912 |
| SHA256 | db745e7939f305e69baa8e6fda50687f545b5b9af3cffbd290f1223d7956c1e7 |
| SHA512 | 80edf82ede77a5657e92ca9c6ec45fe28118f1f0372d33e377185f7043580ee136927922556795552b41b9bd03aaef9a0273758af375b56ad4470aa23ac88349 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 64412091db0f45c3b3b874fca834e218 |
| SHA1 | 4357fb4cd9ae84ec01c34f207ae762151a558f63 |
| SHA256 | 94b12ac2a928111f086c26336e68027d5fd730c7d743dbad3d3290ddf2ca4fe6 |
| SHA512 | 593ecf05377ef874e6f922f66a079f1a454cc1189a07507e79bdfff04390c41ffa30b22ba35fe789a7bf3526d297d52d9f46f11d846ce48d4694f6929a8f771d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | deb5907196e6e5e0e915c276f65a6924 |
| SHA1 | 62802115ee04a17e66297fbfd5ab8d933040ffdb |
| SHA256 | 48c65c4f7dfbf070a4e8157cd0ec68e495eb3f963668f3d51ae6fedcff7fcda1 |
| SHA512 | 4881fd5f46e1846f4e4dd3cb0295c5b48f62181bba01f8113520d97ee31b1489429281778d1ac0d58d02a3343ad97d24a96ce1d2bdbb1ddda2f77e5101f51c43 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 5d41cfd5676516ee25dc3b52690ecd74 |
| SHA1 | f4c825cc88aa0d48fbec9919d8b3df6f0ad7de4c |
| SHA256 | 042247a466bdb0a48fa2c287b37b9e54be19d6c26a55d9403a2e77c4ca60dd12 |
| SHA512 | 2f8c9e7cb9ce40fde173ad17a2405fac09164dbda5c2f43fa65558c969dc7b6bb0a690b32725423e8eaa94b7cc27d938909238000920c22a2fb03889e918ed26 |
memory/3836-188-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1640-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe
| MD5 | 866933fee5234be619d89a6d6a60bd88 |
| SHA1 | fd279d026264dbb75ea46be965ea163d94d67f0c |
| SHA256 | ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185 |
| SHA512 | fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d |
C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe
| MD5 | 866933fee5234be619d89a6d6a60bd88 |
| SHA1 | fd279d026264dbb75ea46be965ea163d94d67f0c |
| SHA256 | ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185 |
| SHA512 | fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d |
memory/5064-192-0x0000000000000000-mapping.dmp
memory/5064-193-0x0000000000400000-0x0000000000876000-memory.dmp
memory/5064-202-0x0000000000400000-0x0000000000876000-memory.dmp
memory/4232-203-0x0000000000F20000-0x000000000139E000-memory.dmp
C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/1428-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/1836-204-0x0000000000000000-mapping.dmp
memory/4452-208-0x0000000000000000-mapping.dmp
memory/2736-209-0x0000000000000000-mapping.dmp
memory/2948-210-0x0000000000000000-mapping.dmp
memory/3524-211-0x0000000000000000-mapping.dmp
memory/1420-212-0x0000000000000000-mapping.dmp
memory/4048-213-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\59a27a92-5252-4a90-837b-244aec449f55\build2.exe
| MD5 | 866933fee5234be619d89a6d6a60bd88 |
| SHA1 | fd279d026264dbb75ea46be965ea163d94d67f0c |
| SHA256 | ab6396ad69a961a9f879e58725ed66fa01f7add478b61cbaf4db1f26a9e47185 |
| SHA512 | fab7b9cfa5c38cff35068334b8525fcc1c6a5ca694f379db3322fc1bd8df9bbfa3446504297fec4c42c55e805fee2be9f96a3eff8eed7db72816a080aff7933d |
memory/4048-214-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1640-217-0x000000000055D000-0x000000000058A000-memory.dmp
memory/4048-216-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4048-219-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1640-218-0x0000000001FB0000-0x0000000001FFC000-memory.dmp
memory/4048-220-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4888-221-0x0000000000000000-mapping.dmp
memory/4888-222-0x0000000002BD0000-0x0000000002C06000-memory.dmp
memory/4888-223-0x0000000005820000-0x0000000005E48000-memory.dmp
memory/4888-224-0x0000000005560000-0x0000000005582000-memory.dmp
memory/4888-225-0x0000000005E50000-0x0000000005EB6000-memory.dmp
memory/4888-226-0x0000000005EC0000-0x0000000005F26000-memory.dmp
memory/3836-227-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4888-228-0x00000000064F0000-0x000000000650E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/4888-231-0x0000000006A80000-0x0000000006B16000-memory.dmp
memory/4888-232-0x0000000006A00000-0x0000000006A1A000-memory.dmp
memory/3152-233-0x0000000000000000-mapping.dmp
memory/4888-234-0x0000000006A50000-0x0000000006A72000-memory.dmp
memory/4888-235-0x0000000007A80000-0x0000000008024000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe
| MD5 | c6917bc242058814f64360de5b4320be |
| SHA1 | 4c1959cc707acb43a1466d166e151c517164edc2 |
| SHA256 | 732c3e3887c7e83b84fd96c6a8a2377235a29995c8656c1616dee40f8be81516 |
| SHA512 | 2bf75a0ebcbd5ff7b65a47b9b8016081c272acb6b4fe1b487a6928e682dd93e5809cd2354f4d21acbef0703c4d1b6c87af4c0d731e2799be1a6197815ec1b6bb |
memory/3912-237-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GHjsL5oybm.exe
| MD5 | c6917bc242058814f64360de5b4320be |
| SHA1 | 4c1959cc707acb43a1466d166e151c517164edc2 |
| SHA256 | 732c3e3887c7e83b84fd96c6a8a2377235a29995c8656c1616dee40f8be81516 |
| SHA512 | 2bf75a0ebcbd5ff7b65a47b9b8016081c272acb6b4fe1b487a6928e682dd93e5809cd2354f4d21acbef0703c4d1b6c87af4c0d731e2799be1a6197815ec1b6bb |
memory/3912-239-0x0000000002E49000-0x0000000002E59000-memory.dmp
memory/3912-240-0x0000000002CE0000-0x0000000002CE9000-memory.dmp
memory/3912-241-0x0000000000400000-0x0000000002B9D000-memory.dmp
memory/4048-242-0x0000000000400000-0x0000000000460000-memory.dmp
memory/3912-243-0x0000000000400000-0x0000000002B9D000-memory.dmp
memory/4048-244-0x00000000509A0000-0x0000000050A32000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
memory/4344-265-0x0000000000000000-mapping.dmp
memory/4048-266-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4576-267-0x0000000000000000-mapping.dmp
memory/4352-268-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\95DC.exe
| MD5 | 7a66992f14ec9015181ed2d580c190ff |
| SHA1 | 9674bf45d8017f7753ddd6e106a8974bb87860c0 |
| SHA256 | 34d3c6e0521570cf69ae828b240b19b3314e9b63d534d9a62ce81f6ac5eee8f7 |
| SHA512 | e499c16f7cd9516e72745618443630bc9ca0218bc31118c49dde9ca63ffb067e65fd8b62c0326c80204156ffc030d1163910440197905be7333f64f056776dc7 |
C:\Users\Admin\AppData\Local\Temp\95DC.exe
| MD5 | 7a66992f14ec9015181ed2d580c190ff |
| SHA1 | 9674bf45d8017f7753ddd6e106a8974bb87860c0 |
| SHA256 | 34d3c6e0521570cf69ae828b240b19b3314e9b63d534d9a62ce81f6ac5eee8f7 |
| SHA512 | e499c16f7cd9516e72745618443630bc9ca0218bc31118c49dde9ca63ffb067e65fd8b62c0326c80204156ffc030d1163910440197905be7333f64f056776dc7 |
memory/4004-271-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp
| MD5 | 710af73b2d7e92d33fac751318c08101 |
| SHA1 | 2208c96a528b1d96e18ae47ab274f303e4099fff |
| SHA256 | 72021339c18f79141f9867c30616cbbdc517471e44d16bfe81063e5c7dba56c3 |
| SHA512 | 1f19138b8412b871ccf33ec351d28157b6571bc02cb1d338fc4c06bd77e9518bbdb3392d63b9bcdde2bd94746c232f90b4796363f83cecfd49e0470b6495ac1a |
C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp
| MD5 | 710af73b2d7e92d33fac751318c08101 |
| SHA1 | 2208c96a528b1d96e18ae47ab274f303e4099fff |
| SHA256 | 72021339c18f79141f9867c30616cbbdc517471e44d16bfe81063e5c7dba56c3 |
| SHA512 | 1f19138b8412b871ccf33ec351d28157b6571bc02cb1d338fc4c06bd77e9518bbdb3392d63b9bcdde2bd94746c232f90b4796363f83cecfd49e0470b6495ac1a |
memory/4352-274-0x000000000216A000-0x000000000224B000-memory.dmp
memory/4352-275-0x0000000002350000-0x0000000002470000-memory.dmp
memory/4352-276-0x0000000000400000-0x0000000000523000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C7DA.exe
| MD5 | 322740661a3e59ff7e4fc4482c17b6cd |
| SHA1 | 107b0dad706cd1acaf76cd31caea9fff87a0cd0b |
| SHA256 | b9cbe1bc0246eb38236e67fb2039168c2998a205809843f16f771722d1d67d0f |
| SHA512 | a46b00879932f217b8ff5d4d88fe61a4ed747e2ffa66b8bcb1f08286f336fe2d56714b23bace9dc3219668632d3028d4f0bf337b83ddf7a2c6f8815743c0de86 |
memory/420-277-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C7DA.exe
| MD5 | 322740661a3e59ff7e4fc4482c17b6cd |
| SHA1 | 107b0dad706cd1acaf76cd31caea9fff87a0cd0b |
| SHA256 | b9cbe1bc0246eb38236e67fb2039168c2998a205809843f16f771722d1d67d0f |
| SHA512 | a46b00879932f217b8ff5d4d88fe61a4ed747e2ffa66b8bcb1f08286f336fe2d56714b23bace9dc3219668632d3028d4f0bf337b83ddf7a2c6f8815743c0de86 |
C:\Users\Admin\AppData\Local\Temp\D009.exe
| MD5 | 9748489855d9dd82ab09da5e3e55b19e |
| SHA1 | 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1 |
| SHA256 | 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b |
| SHA512 | 7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be |
C:\Users\Admin\AppData\Local\Temp\D009.exe
| MD5 | 9748489855d9dd82ab09da5e3e55b19e |
| SHA1 | 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1 |
| SHA256 | 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b |
| SHA512 | 7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be |
memory/2448-280-0x0000000000000000-mapping.dmp
memory/2448-283-0x0000000000DA0000-0x0000000000DA8000-memory.dmp
memory/2448-284-0x00007FFDF4180000-0x00007FFDF4C41000-memory.dmp
memory/420-285-0x000000000050D000-0x0000000000527000-memory.dmp
memory/420-286-0x0000000001F80000-0x0000000001FAA000-memory.dmp
memory/420-287-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\bowsakkdestx.txt
| MD5 | 3c66ee468dfa0688e6d22ca20d761140 |
| SHA1 | 965c713cd69439ee5662125f0390a2324a7859bf |
| SHA256 | 4b230d2eaf9e5441f56db135faca2c761001787249d2358133e4f368061a1ea3 |
| SHA512 | 4b29902d881bf20305322cc6a7bffb312187be86f4efa658a9d3c455e84f9f8b0d07f6f2bb6dac42ac050dc6f8d876e2b9df0ef4d5d1bb7e9be1223d652e04c6 |
memory/1820-289-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\E7E7.exe
| MD5 | a05183b5af3370cc1bcc933c061d8596 |
| SHA1 | d8e5157a786191e35847c3fa25a07d6fc4462ac3 |
| SHA256 | a22e9b633917deb3d58c264577786289e3e0fbf5cd76a93debf52c5f630ba58e |
| SHA512 | 9fb93e8b34aec3917f06a18a042cdcc7d27fc76c155b9ee63d387c8d5ebe70c04c9dec4b86088f14bb16053f6fdb959013e592c16fa74267cc3fade7dda0f42e |
C:\Users\Admin\AppData\Local\Temp\E7E7.exe
| MD5 | a05183b5af3370cc1bcc933c061d8596 |
| SHA1 | d8e5157a786191e35847c3fa25a07d6fc4462ac3 |
| SHA256 | a22e9b633917deb3d58c264577786289e3e0fbf5cd76a93debf52c5f630ba58e |
| SHA512 | 9fb93e8b34aec3917f06a18a042cdcc7d27fc76c155b9ee63d387c8d5ebe70c04c9dec4b86088f14bb16053f6fdb959013e592c16fa74267cc3fade7dda0f42e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 423dbe8bdc384a0c17da1b937a22a084 |
| SHA1 | 1f98a54997dc09e70b93aa85cc533ad1d97e22cb |
| SHA256 | ea72a9be0c8e86059b34268fd9fef271acf177c96d4b77c08484f6b9db36487d |
| SHA512 | e81e407f135235d9ba6005da3680e50bfadc64a85339855ce100964fcd9024b2c14b3817490606f94c09a27ec53d29ab3560e07c828dfa3f8b048f4ab1c3e043 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 674500a7bab0b260aa09403d126204eb |
| SHA1 | 63f0a5474fb2c30ac23a224ff9cfcda7009abb72 |
| SHA256 | 298fa716d7ed652783ad89d0ddf50435caef4f35c422afc689ea21f3f5f0d107 |
| SHA512 | 37233a4f52a54ae43a03c3ccee875410385b4e520a0307093e332787bb86c3677d05ffdfb82d18bbb36ac43a6ddd12011591f7217230970b5ce7677a1ca7979c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | cfd5200468ca20b4561e49d536b74f1b |
| SHA1 | 8abac3f0e8e0384ef3d3eb27c2b1876a43061bfd |
| SHA256 | c0c39dcc1a459a7ab51209e52342480d91076253dbb53303ce5c01465d271ac0 |
| SHA512 | cb84e19fe1e2f08367874a78fe325cfca5f08a7408adf39c2fbff1da7abdb304e392a7260c5bd683e622bf498f88315f7383854430e8755bb6fa8e217023503f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | cb25b902cb00a5f817ff4e2d3c2ff512 |
| SHA1 | eb18d25b536b58ac2b70b7444bb95616915c798a |
| SHA256 | 8eb0284f8a54400a3e31f969fae9e81defe1fa3f9aefdda4f6a3f35227a5e587 |
| SHA512 | d02bf534f92cb0aca4176ce6674f40d1533fd7d73e5f176c2145a34a251f2434189d9c490e2e39e682c5d6c9c6067d78bd91f5c3173090a1f0e3c3364d584f45 |
memory/3404-296-0x0000000000000000-mapping.dmp
C:\ProgramData\intel.dll
| MD5 | a8375653ea2b8b06eb7e6f3760d11d7e |
| SHA1 | f6b84d7179d8a3fd6e911d94e7cef4db71457df1 |
| SHA256 | 1e88c720fba0938e82bd81bb75fea4e4edd2a612d0ad4913de334cd16bc972f2 |
| SHA512 | 82182199246d9cfd8eb0682cdd11484fcda785390b98f0fa19fc7d0a34eea1ba56de5a6026a2228a1fe6cf582deda7c20de89adf5cb188786d9b7dfb0d0ff6f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7EEA265692AC7955311B9E4CB27AFC35_3F411C6719032639C08C134E44D08A86
| MD5 | 27ceb86384eae5123785ec9a99d7a82a |
| SHA1 | a26a9db3d8749f700c8bdb555810a9d229728684 |
| SHA256 | 97ab1083a8b2fb0a5b5a009088374deeef3877f7e9bff27b281f910eef43d797 |
| SHA512 | b05bc4184537369923b73c062842a7640734f4156f833459fd03a214b65e5c188d1a0d5de7cd9221e6bb071015b9fc5fa3a768ffcaab1150a0ac702c1f59cbbc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7EEA265692AC7955311B9E4CB27AFC35_3F411C6719032639C08C134E44D08A86
| MD5 | 9f6f2feb04b8662fc9907be249c72b0f |
| SHA1 | 7f34ef3307815bbc4b4ca446b7306d4a0965856e |
| SHA256 | 763c83abd46fbc55573e597449323045e7df169dd4fd1e8cbe3b6a70db2f8811 |
| SHA512 | 1f0e6daca94d786fa2bb9db9fe985fc3f2bc12868a35067dd9639728acdfc8aeec23ddcc6b2fff8bec6a0c81e7250546e9ff4d305524b18ff8b64e7c322cedb5 |
memory/3404-301-0x00000000055F0000-0x00000000057B2000-memory.dmp
memory/420-302-0x0000000000400000-0x000000000045A000-memory.dmp
memory/3404-303-0x0000000005E30000-0x000000000635C000-memory.dmp
memory/4488-304-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F9AB.exe
| MD5 | 9748489855d9dd82ab09da5e3e55b19e |
| SHA1 | 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1 |
| SHA256 | 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b |
| SHA512 | 7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be |
memory/4488-307-0x00007FFDF4180000-0x00007FFDF4C41000-memory.dmp
memory/2288-308-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FE30.exe
| MD5 | 9748489855d9dd82ab09da5e3e55b19e |
| SHA1 | 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1 |
| SHA256 | 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b |
| SHA512 | 7eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be |
memory/2288-311-0x00007FFDF4180000-0x00007FFDF4C41000-memory.dmp
memory/1260-312-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\D54.exe
| MD5 | 65abb47a2e20764cc72afb0ffb5db36e |
| SHA1 | b734b77de71565b307272e9b76519d7ee1fbd468 |
| SHA256 | 0c9720d53f929fa105c068e3383bf62bc5bb6f964796de182d21306270b2a496 |
| SHA512 | 8d385b4581145fa5ea2cc4185f27c9f71b29e1f73b917710270e96d5d1c1a7530db6ebd1c1185ebb9fb8742628b7b8a74641dcdcac62407a7dcf64169e6f4658 |
memory/1260-315-0x00000000009B0000-0x00000000009B8000-memory.dmp
memory/1260-316-0x0000000005250000-0x00000000052E2000-memory.dmp
memory/1260-317-0x0000000002DE0000-0x0000000002DEA000-memory.dmp
memory/3564-318-0x0000000000000000-mapping.dmp
memory/3564-319-0x00000000004F0000-0x00000000004F7000-memory.dmp
memory/3564-320-0x00000000004E0000-0x00000000004EB000-memory.dmp
memory/3912-321-0x0000000000000000-mapping.dmp
memory/3912-322-0x0000000001080000-0x0000000001089000-memory.dmp
memory/3912-323-0x0000000000DF0000-0x0000000000DFF000-memory.dmp
memory/3656-324-0x0000000000000000-mapping.dmp
memory/3656-325-0x0000000000BE0000-0x0000000000BE5000-memory.dmp
memory/3656-326-0x0000000000BD0000-0x0000000000BD9000-memory.dmp
memory/1748-327-0x0000000000000000-mapping.dmp
memory/1748-328-0x0000000000720000-0x0000000000726000-memory.dmp
memory/1748-329-0x0000000000710000-0x000000000071C000-memory.dmp
memory/1812-330-0x0000000000000000-mapping.dmp
memory/4408-331-0x0000000000000000-mapping.dmp
memory/532-332-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | def65711d78669d7f8e69313be4acf2e |
| SHA1 | 6522ebf1de09eeb981e270bd95114bc69a49cda6 |
| SHA256 | aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c |
| SHA512 | 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7 |
memory/1768-334-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 07fd8db6ff76a0b7e1fb2a919d1af689 |
| SHA1 | 1a6355cd500d1ae67e72d6b94946c07783966d6a |
| SHA256 | 46a4dc2397d79efe89dcd65f373555abbd7947f3d24b0eb3f1e33cd9a29d7cf4 |
| SHA512 | 4013b56b4ea238b5bd0979988b77e2b0aa1647e73b4c2632004607752cd7d67b4bd73e89fa7216b6f8d0cf45fb725b81cca4be71aee1d8f0337bfce7fe21d2c6 |
memory/1768-336-0x0000000001430000-0x0000000001452000-memory.dmp
memory/1768-337-0x0000000001400000-0x0000000001427000-memory.dmp
memory/1208-339-0x0000000000000000-mapping.dmp
memory/752-342-0x0000000000000000-mapping.dmp
memory/2736-345-0x0000000000000000-mapping.dmp
memory/2604-348-0x0000000000000000-mapping.dmp
memory/4004-352-0x00000000061C0000-0x0000000006D1B000-memory.dmp
memory/4004-356-0x00000000046F0000-0x0000000004830000-memory.dmp
memory/4004-357-0x00000000046F0000-0x0000000004830000-memory.dmp
memory/1840-360-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Iwhwwflmjnchqylwsotldpkjhsfkj3hjkh54.exe
| MD5 | ee2e25daf0fe98f9e5d3bd1898f9913a |
| SHA1 | e98706c52a37848beaa3623592c6ff6a8b2faf5b |
| SHA256 | 6255901c51fb16a8638004f7f953903391eb40fb96d49f27616a8ca537334983 |
| SHA512 | dc03a6c07f6fa778915f586b05aa0c8c2b3cd2f4c3672cedd2ec7fb47857dffba05b50d843490cd00d8f9913fde74d0617e27c1410618a1ead826537fbea8c38 |
memory/1480-368-0x0000000000000000-mapping.dmp
memory/3876-369-0x0000000000000000-mapping.dmp
memory/448-370-0x0000000000000000-mapping.dmp
memory/4068-371-0x0000000000000000-mapping.dmp
memory/4004-377-0x00000000046F0000-0x0000000004830000-memory.dmp
memory/4004-378-0x00000000046F0000-0x0000000004830000-memory.dmp
memory/4004-379-0x00000000046F0000-0x0000000004830000-memory.dmp
memory/4004-380-0x00000000046F0000-0x0000000004830000-memory.dmp
memory/388-381-0x00007FF7167E6890-mapping.dmp
memory/388-382-0x000001AFA53F0000-0x000001AFA5530000-memory.dmp
memory/388-383-0x000001AFA53F0000-0x000001AFA5530000-memory.dmp
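Reading a dropped-file listing like the one above by hand is error prone. Two differently named drops, F9AB.exe and FE30.exe, carry identical MD5/SHA1/SHA256/SHA512 digests, so they are one payload written under two names; reports of this kind may also list the same file more than once. The CryptnetUrlCache, CLR_v4.0_32\UsageLogs and PowerShell StartupProfileData entries are written by Windows itself as side effects of activity (CryptoAPI fetching certificate-chain material, the CLR starting a .NET executable, powershell.exe starting non-interactively), not attacker-authored content, so they belong in a different bucket from intel.dll or D54.exe when the hashes are turned into blocklist IOCs. The following Python script is an added example, not part of this report or of any sandbox's own code: it parses a listing in this page's format into a SHA256-keyed set, collapses repeated entries, groups paths that share a hash, rejects digests whose length does not match their algorithm, and separates housekeeping artifacts from candidate payloads. The listing grammar and the housekeeping path markers are assumptions of the example; the sample input is built from entries on this page, with SHA512 rows omitted for brevity.

```python
"""Parse a sandbox dropped-file listing (path line followed by `| ALG | hex |`
rows, interleaved with memory/<pid>-... dump names) into a SHA256-keyed IOC
set. Added example, not part of the original report."""
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)(?:-(0x[0-9A-Fa-f]+))?-(memory|mapping)\.dmp$"
)
# Analyst assumption, not something the report states: paths containing these
# markers are Windows-generated housekeeping (CryptoAPI URL cache, CLR usage
# log, PowerShell startup profile), not attacker-dropped payloads.
NOISE_MARKERS = ("/cryptneturlcache/", "/clr_v4.0_32/usagelogs/", "/powershell/startupprofiledata")

# Constructed sample from entries in the report above (SHA512 rows left out):
# two paths with identical digests, one entry listed twice, one cache file, one dump.
SAMPLE = r"""C:\Users\Admin\AppData\Local\Temp\F9AB.exe
| MD5 | 9748489855d9dd82ab09da5e3e55b19e |
| SHA1 | 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1 |
| SHA256 | 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b |
memory/2288-308-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FE30.exe
| MD5 | 9748489855d9dd82ab09da5e3e55b19e |
| SHA1 | 6ed2bf6a1a53a59cd2137812cb43b5032817f6a1 |
| SHA256 | 05bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b |
C:\ProgramData\intel.dll
| MD5 | a8375653ea2b8b06eb7e6f3760d11d7e |
| SHA1 | f6b84d7179d8a3fd6e911d94e7cef4db71457df1 |
| SHA256 | 1e88c720fba0938e82bd81bb75fea4e4edd2a612d0ad4913de334cd16bc972f2 |
C:\ProgramData\intel.dll
| MD5 | a8375653ea2b8b06eb7e6f3760d11d7e |
| SHA1 | f6b84d7179d8a3fd6e911d94e7cef4db71457df1 |
| SHA256 | 1e88c720fba0938e82bd81bb75fea4e4edd2a612d0ad4913de334cd16bc972f2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 423dbe8bdc384a0c17da1b937a22a084 |
| SHA1 | 1f98a54997dc09e70b93aa85cc533ad1d97e22cb |
| SHA256 | ea72a9be0c8e86059b34268fd9fef271acf177c96d4b77c08484f6b9db36487d |
"""


def parse_listing(text):
    """Return (by_sha256, dumps): each SHA256 maps to its other digests and the
    set of paths that carried it, so repeats collapse and renamed copies group."""
    by_sha256, dumps, pending, path = {}, [], {}, None

    def flush():
        nonlocal pending, path
        if path is not None and "SHA256" in pending:
            entry = by_sha256.setdefault(pending["SHA256"], {"paths": set()})
            for alg in ("MD5", "SHA1", "SHA512"):
                if alg in pending:
                    # Same SHA256 with a different MD5/SHA1 means a mangled listing.
                    if entry.get(alg) not in (None, pending[alg]):
                        raise ValueError(f"{alg} differs for SHA256 {pending['SHA256']}")
                    entry[alg] = pending[alg]
            entry["paths"].add(path)
        pending, path = {}, None

    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := HASH_ROW.match(line):
            alg, digest = m[1], m[2].lower()
            if len(digest) != HASH_LEN[alg]:  # truncated or mis-copied digest
                raise ValueError(f"bad {alg} length for {path!r}: {digest}")
            pending[alg] = digest
            continue
        flush()  # any non-hash line closes the entry being collected
        if m := DUMP_LINE.match(line):
            dumps.append({"pid": int(m[1]), "seq": int(m[2]), "start": int(m[3], 16),
                          "end": int(m[4], 16) if m[4] else None, "kind": m[5]})
        else:
            path = line
    flush()
    return by_sha256, dumps


def classify(path):
    """'housekeeping' for Windows-generated cache/log files, else 'payload'."""
    p = path.lower().replace("\\", "/")
    return "housekeeping" if any(mk in p for mk in NOISE_MARKERS) else "payload"


def summarize(text):
    by_sha256, dumps = parse_listing(text)
    payloads = sorted(s for s, e in by_sha256.items()
                      if any(classify(p) == "payload" for p in e["paths"]))
    aliases = {s: sorted(e["paths"]) for s, e in by_sha256.items() if len(e["paths"]) > 1}
    return {"unique": len(by_sha256), "payloads": payloads, "aliases": aliases,
            "dumped_pids": sorted({d["pid"] for d in dumps})}


if __name__ == "__main__":
    r = summarize(SAMPLE)
    print(f"{r['unique']} unique files, {len(r['payloads'])} candidate payloads")
    for sha, paths in r["aliases"].items():
        print(f"one payload under several names ({sha[:12]}...): {paths}")
    print("processes with memory dumps:", r["dumped_pids"])
```

Run against the full listing, the script yields one SHA256 per distinct payload regardless of how many times or under how many names it was dropped, and the length and consistency checks fail loudly on a digest that was truncated or pasted against the wrong file, which is the usual way a bad IOC gets into a blocklist. The memory dump names are parsed only for their process IDs; the `-mapping.dmp` entries are the sandbox's record of a new mapping being created in that process and carry no hashes.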