Malware Analysis Report

2025-06-16 04:57

Sample ID 230317-1c2enaaa96
Target 98b75c052e1c6cb0ba7fa1d96428d511.exe
SHA256 e73684efd4a0a9582be97a9353e9044c0fb501af7a9c89e15fce2434595d4156
Tags
smokeloader backdoor trojan amadey djvu laplas rhadamanthys vidar d6ef050131e7d5a1d595c51613328971 pub1 sprg clipper discovery persistence ransomware spyware stealer
score
10/10


Analysis Overview

Threat Level: Known bad

The file 98b75c052e1c6cb0ba7fa1d96428d511.exe was found to be: Known bad.

Malicious Activity Summary

Detected Djvu ransomware

Djvu Ransomware

Vidar

SmokeLoader

Rhadamanthys

Detect rhadamanthys stealer shellcode

Amadey

Process spawned unexpected child process

Laplas Clipper

Blocklisted process makes network request

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Checks computer location settings

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Delays execution with timeout.exe

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-17 21:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-17 21:31

Reported

2023-03-17 21:33

Platform

win7-20230220-en

Max time kernel

150s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe

"C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe"

Network

N/A

Files

memory/1556-55-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1248-56-0x00000000029E0000-0x00000000029F6000-memory.dmp

memory/1556-57-0x0000000000400000-0x0000000002AFA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-17 21:31

Reported

2023-03-17 21:33

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe"

Signatures

Amadey

trojan amadey

Detect rhadamanthys stealer shellcode

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Laplas Clipper

stealer clipper laplas

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FCCC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Player3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F056.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D72D.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CAB7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CC7D.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CAB7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CC7D.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D72D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ss31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ss31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E076.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Player3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E24B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
N/A N/A C:\Windows\SysWOW64\cacls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F056.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F875.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F056.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FCCC.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1DF.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F056.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60A9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0ddb77eb-e560-4257-b79b-1f4076006555\\CAB7.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\CAB7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe" C:\Users\Admin\AppData\Local\Temp\FCCC.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F875.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F875.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F875.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E076.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\F875.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\F875.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E076.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E076.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\explorer.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\explorer.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\F875.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\F875.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\F875.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll" C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}" C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32 C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR\ C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}" C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32 C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll" C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyy.exe" C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest" C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll" C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyy.exe" C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32 C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0 C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825} C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll" C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0 C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyy.exe" C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff N/A N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}" C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4} C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825} C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyy.exe" C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}" C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ = "sqltest.Application" C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest" C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}" C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application" C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID C:\Users\Admin\AppData\Local\Temp\zyy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000071560cb4100054656d7000003a0009000400efbe5456c795715611b42e00000000000000000000000000000000000000000000000000d6031201540065006d007000000014000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 N/A N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E076.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F875.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\F875.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3176 wrote to memory of 4580 N/A N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 3176 wrote to memory of 4580 N/A N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 3176 wrote to memory of 4580 N/A N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 4580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 4580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 4580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 4580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 4580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 4580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 4580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 4580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 4580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 4580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 3176 wrote to memory of 1092 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 3176 wrote to memory of 1092 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 3176 wrote to memory of 1092 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 1092 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 1092 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 1092 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 1092 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 1092 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 1092 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 1092 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 1092 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 1092 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 1092 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 2880 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Windows\SysWOW64\icacls.exe
PID 2880 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Windows\SysWOW64\icacls.exe
PID 2880 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Windows\SysWOW64\icacls.exe
PID 2880 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 2880 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 2880 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 1496 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 1496 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 1496 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 1496 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 1496 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 1496 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 1496 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 1496 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 1496 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 1496 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\CAB7.exe C:\Users\Admin\AppData\Local\Temp\CAB7.exe
PID 5100 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 5100 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 5100 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 3176 wrote to memory of 1552 N/A N/A C:\Users\Admin\AppData\Local\Temp\D72D.exe
PID 3176 wrote to memory of 1552 N/A N/A C:\Users\Admin\AppData\Local\Temp\D72D.exe
PID 3176 wrote to memory of 1552 N/A N/A C:\Users\Admin\AppData\Local\Temp\D72D.exe
PID 3176 wrote to memory of 1500 N/A N/A C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe
PID 3176 wrote to memory of 1500 N/A N/A C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe
PID 3176 wrote to memory of 1500 N/A N/A C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe
PID 1552 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\D72D.exe C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
PID 1552 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\D72D.exe C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
PID 1552 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\D72D.exe C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
PID 1500 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe C:\Users\Admin\AppData\Local\Temp\zyy.exe
PID 1500 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe C:\Users\Admin\AppData\Local\Temp\zyy.exe
PID 1500 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe C:\Users\Admin\AppData\Local\Temp\zyy.exe
PID 1552 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\D72D.exe C:\Users\Admin\AppData\Local\Temp\ss31.exe
PID 1552 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\D72D.exe C:\Users\Admin\AppData\Local\Temp\ss31.exe
PID 1500 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe C:\Users\Admin\AppData\Local\Temp\ss31.exe
PID 1500 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe C:\Users\Admin\AppData\Local\Temp\ss31.exe
PID 5064 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 5064 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe
PID 5064 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\CC7D.exe C:\Users\Admin\AppData\Local\Temp\CC7D.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe

"C:\Users\Admin\AppData\Local\Temp\98b75c052e1c6cb0ba7fa1d96428d511.exe"

C:\Users\Admin\AppData\Local\Temp\CAB7.exe

C:\Users\Admin\AppData\Local\Temp\CAB7.exe

C:\Users\Admin\AppData\Local\Temp\CAB7.exe

C:\Users\Admin\AppData\Local\Temp\CAB7.exe

C:\Users\Admin\AppData\Local\Temp\CC7D.exe

C:\Users\Admin\AppData\Local\Temp\CC7D.exe

C:\Users\Admin\AppData\Local\Temp\CC7D.exe

C:\Users\Admin\AppData\Local\Temp\CC7D.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0ddb77eb-e560-4257-b79b-1f4076006555" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\CAB7.exe

"C:\Users\Admin\AppData\Local\Temp\CAB7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\CAB7.exe

"C:\Users\Admin\AppData\Local\Temp\CAB7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\CC7D.exe

"C:\Users\Admin\AppData\Local\Temp\CC7D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\D72D.exe

C:\Users\Admin\AppData\Local\Temp\D72D.exe

C:\Users\Admin\AppData\Local\Temp\D9CE.exe

C:\Users\Admin\AppData\Local\Temp\D9CE.exe

C:\Users\Admin\AppData\Local\Temp\zyy.exe

"C:\Users\Admin\AppData\Local\Temp\zyy.exe"

C:\Users\Admin\AppData\Local\Temp\zyy.exe

"C:\Users\Admin\AppData\Local\Temp\zyy.exe"

C:\Users\Admin\AppData\Local\Temp\ss31.exe

"C:\Users\Admin\AppData\Local\Temp\ss31.exe"

C:\Users\Admin\AppData\Local\Temp\CC7D.exe

"C:\Users\Admin\AppData\Local\Temp\CC7D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ss31.exe

"C:\Users\Admin\AppData\Local\Temp\ss31.exe"

C:\Users\Admin\AppData\Local\Temp\E24B.exe

C:\Users\Admin\AppData\Local\Temp\E24B.exe

C:\Users\Admin\AppData\Local\Temp\zyy.exe

"C:\Users\Admin\AppData\Local\Temp\zyy.exe" -h

C:\Users\Admin\AppData\Local\Temp\zyy.exe

"C:\Users\Admin\AppData\Local\Temp\zyy.exe" -h

C:\Users\Admin\AppData\Local\Temp\Player3.exe

"C:\Users\Admin\AppData\Local\Temp\Player3.exe"

C:\Users\Admin\AppData\Local\Temp\Player3.exe

"C:\Users\Admin\AppData\Local\Temp\Player3.exe"

C:\Users\Admin\AppData\Local\Temp\E076.exe

C:\Users\Admin\AppData\Local\Temp\E076.exe

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"

C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build2.exe

"C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build2.exe"

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"

C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build2.exe

"C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build2.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build3.exe

"C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2004 -ip 2004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 340

C:\Users\Admin\AppData\Local\Temp\F056.exe

C:\Users\Admin\AppData\Local\Temp\F056.exe

C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe

"C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe"

C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe

"C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe"

C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build3.exe

"C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\F875.exe

C:\Users\Admin\AppData\Local\Temp\F875.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\F056.exe

C:\Users\Admin\AppData\Local\Temp\F056.exe

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4056 -ip 4056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 444 -ip 444

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\FCCC.exe

C:\Users\Admin\AppData\Local\Temp\FCCC.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open

C:\Users\Admin\AppData\Local\Temp\57.exe

C:\Users\Admin\AppData\Local\Temp\57.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 604

C:\Users\Admin\AppData\Local\Temp\1DF.exe

C:\Users\Admin\AppData\Local\Temp\1DF.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 608

C:\Windows\SysWOW64\cacls.exe

CACLS "nbveek.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\F056.exe

"C:\Users\Admin\AppData\Local\Temp\F056.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F056.exe

"C:\Users\Admin\AppData\Local\Temp\F056.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 376 -ip 376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 340

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\16de06bfb4" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\16de06bfb4" /P "Admin:R" /E

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3032 -ip 3032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 764

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\60A9.exe

C:\Users\Admin\AppData\Local\Temp\60A9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4256 -ip 4256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 672

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wtoahoepfise.dll,start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1092 -ip 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 400

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 476 -p 976 -ip 976

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 976 -s 648

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24133

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 172.67.181.144:80 potunulit.org tcp
US 8.8.8.8:53 uaery.top udp
MX 189.245.141.165:80 uaery.top tcp
US 8.8.8.8:53 144.181.67.172.in-addr.arpa udp
US 8.8.8.8:53 165.141.245.189.in-addr.arpa udp
DE 45.9.74.80:80 45.9.74.80 tcp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 68.32.18.104.in-addr.arpa udp
US 8.8.8.8:53 80.74.9.45.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
MX 189.245.141.165:80 uaery.top tcp
US 8.8.8.8:53 zexeq.com udp
US 8.8.8.8:53 akar.av.tr udp
TR 159.253.45.38:443 akar.av.tr tcp
RO 109.98.58.98:80 zexeq.com tcp
US 8.8.8.8:53 38.45.253.159.in-addr.arpa udp
US 8.8.8.8:53 98.58.98.109.in-addr.arpa udp
US 8.8.8.8:53 bz.bbbeioaag.com udp
US 45.136.113.107:80 bz.bbbeioaag.com tcp
US 45.136.113.107:80 bz.bbbeioaag.com tcp
MX 189.245.141.165:80 uaery.top tcp
RO 109.98.58.98:80 zexeq.com tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 107.113.136.45.in-addr.arpa udp
US 8.8.8.8:53 j.ffbbjjkk.com udp
US 52.152.110.14:443 tcp
US 104.21.8.227:443 j.ffbbjjkk.com tcp
US 104.21.8.227:443 j.ffbbjjkk.com tcp
MX 189.245.141.165:80 uaery.top tcp
US 8.8.8.8:53 227.8.21.104.in-addr.arpa udp
AT 77.73.134.27:80 77.73.134.27 tcp
AT 77.73.134.27:80 77.73.134.27 tcp
US 8.8.8.8:53 ebfertility.com udp
US 8.8.8.8:53 27.134.73.77.in-addr.arpa udp
US 89.190.157.61:80 ebfertility.com tcp
RO 109.98.58.98:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 61.157.190.89.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
DE 77.91.84.172:80 77.91.84.172 tcp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 172.84.91.77.in-addr.arpa udp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
GB 157.240.214.35:443 www.facebook.com tcp
DE 116.203.13.130:80 116.203.13.130 tcp
GB 157.240.214.35:443 www.facebook.com tcp
US 8.8.8.8:53 35.214.240.157.in-addr.arpa udp
US 8.8.8.8:53 130.13.203.116.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 count.iiagjaggg.com udp
US 45.66.159.179:80 count.iiagjaggg.com tcp
US 45.66.159.179:80 count.iiagjaggg.com tcp
US 8.8.8.8:53 179.159.66.45.in-addr.arpa udp
NL 84.53.175.11:80 tcp
NL 84.53.175.11:80 tcp
NL 173.223.113.164:443 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 116.203.13.130:80 116.203.13.130 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 vispik.at udp
KR 211.171.233.126:80 vispik.at tcp
NL 45.159.189.105:80 45.159.189.105 tcp
US 8.8.8.8:53 105.189.159.45.in-addr.arpa udp
US 8.8.8.8:53 126.233.171.211.in-addr.arpa udp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
IT 190.211.254.211:80 190.211.254.211 tcp
US 8.8.8.8:53 211.254.211.190.in-addr.arpa udp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
US 8.8.8.8:53 hoh0aeghwugh2gie.com udp
NL 109.206.243.140:80 hoh0aeghwugh2gie.com tcp
KR 211.171.233.126:80 vispik.at tcp
US 8.8.8.8:53 140.243.206.109.in-addr.arpa udp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
US 104.234.147.45:443 104.234.147.45 tcp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 45.147.234.104.in-addr.arpa udp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 52.152.110.14:443 tcp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
US 8.8.8.8:53 113.238.32.23.in-addr.arpa udp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
US 52.152.110.14:443 tcp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
KR 211.171.233.126:80 vispik.at tcp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
N/A 127.0.0.1:24133 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:24133 tcp
N/A 127.0.0.1:24133 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:24133 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:24133 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:24133 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:24133 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:24133 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:24133 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:24133 tcp
US 52.152.110.14:443 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:24133 tcp
N/A 127.0.0.1:1312 tcp
N/A 127.0.0.1:24133 tcp
N/A 127.0.0.1:1312 tcp

Files

memory/2724-134-0x00000000046F0000-0x00000000046F9000-memory.dmp

memory/3176-135-0x0000000000470000-0x0000000000486000-memory.dmp

memory/2724-136-0x0000000000400000-0x0000000002AFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAB7.exe

MD5 36768027a713c9dffd63bfcb6b455d1a
SHA1 90088ffacce7509aa87e0487ad71389df8b0d992
SHA256 cabdc51c4c4a89f857e5e948dc5c57019b5cd6b0a1a480c00554a52b083edf65
SHA512 6dde47b2065ce3a894b1d028b7215d6da8137aceed31d48d3bf646f2479d514c7043effc8e60adb47c4c4b42f87ba134cd7d314c5335036045e5bcc7c5f2044f

C:\Users\Admin\AppData\Local\Temp\CAB7.exe

MD5 36768027a713c9dffd63bfcb6b455d1a
SHA1 90088ffacce7509aa87e0487ad71389df8b0d992
SHA256 cabdc51c4c4a89f857e5e948dc5c57019b5cd6b0a1a480c00554a52b083edf65
SHA512 6dde47b2065ce3a894b1d028b7215d6da8137aceed31d48d3bf646f2479d514c7043effc8e60adb47c4c4b42f87ba134cd7d314c5335036045e5bcc7c5f2044f

memory/2880-147-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAB7.exe

MD5 36768027a713c9dffd63bfcb6b455d1a
SHA1 90088ffacce7509aa87e0487ad71389df8b0d992
SHA256 cabdc51c4c4a89f857e5e948dc5c57019b5cd6b0a1a480c00554a52b083edf65
SHA512 6dde47b2065ce3a894b1d028b7215d6da8137aceed31d48d3bf646f2479d514c7043effc8e60adb47c4c4b42f87ba134cd7d314c5335036045e5bcc7c5f2044f

memory/4580-152-0x0000000004880000-0x000000000499B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CC7D.exe

MD5 e4a9214897620fcfedbf8163504806cd
SHA1 52a3701970b2e3fca793ae23ce20a04f8e8db9db
SHA256 26515e880aaf2e119424c894836ed5c79a590c4764f4bae20d473d217832a01d
SHA512 a303e4281d9dba41b290299567b86ee82b4c7bb77a6628e19ad7fe2b7bfb555fe8d45d215446654719bfd055ba6538c961df6b4a2a54f495db20d6f914ce486b

C:\Users\Admin\AppData\Local\Temp\CC7D.exe

MD5 e4a9214897620fcfedbf8163504806cd
SHA1 52a3701970b2e3fca793ae23ce20a04f8e8db9db
SHA256 26515e880aaf2e119424c894836ed5c79a590c4764f4bae20d473d217832a01d
SHA512 a303e4281d9dba41b290299567b86ee82b4c7bb77a6628e19ad7fe2b7bfb555fe8d45d215446654719bfd055ba6538c961df6b4a2a54f495db20d6f914ce486b

memory/2880-155-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2880-150-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2880-156-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5100-164-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CC7D.exe

MD5 e4a9214897620fcfedbf8163504806cd
SHA1 52a3701970b2e3fca793ae23ce20a04f8e8db9db
SHA256 26515e880aaf2e119424c894836ed5c79a590c4764f4bae20d473d217832a01d
SHA512 a303e4281d9dba41b290299567b86ee82b4c7bb77a6628e19ad7fe2b7bfb555fe8d45d215446654719bfd055ba6538c961df6b4a2a54f495db20d6f914ce486b

memory/5100-166-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\0ddb77eb-e560-4257-b79b-1f4076006555\CAB7.exe

MD5 36768027a713c9dffd63bfcb6b455d1a
SHA1 90088ffacce7509aa87e0487ad71389df8b0d992
SHA256 cabdc51c4c4a89f857e5e948dc5c57019b5cd6b0a1a480c00554a52b083edf65
SHA512 6dde47b2065ce3a894b1d028b7215d6da8137aceed31d48d3bf646f2479d514c7043effc8e60adb47c4c4b42f87ba134cd7d314c5335036045e5bcc7c5f2044f

memory/5100-169-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1092-168-0x0000000002310000-0x000000000242B000-memory.dmp

memory/5100-171-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2880-178-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 cdc105f9b440a6e48a5668a56bb20df4
SHA1 3876d7213409b27f4934ef8062b2bd49ce1fd8e7
SHA256 6613baac61b4482d1476ef01e7f877ff4cf301375d9069d45defd5054f23b2f0
SHA512 52ae1d9b4d4d9fc2822c916a9fc3f46a604090cd063200e48a28d12eea73e28bec1dc3458c7baef56fe0a696b36373c29de3138214efea0e2a648cf7da7620df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 a47de0327dd8516aa4f7fa11032cc538
SHA1 232bb949d165636fd0e60820c0563d186b86a15e
SHA256 373af034ec017d60d6e159f57b48295555ad262322545ae0f6b0d27b637b55cb
SHA512 626910fc373665dff08c5ed3dcb8e3ec702058623beb8a4f6624c467e9799bd49706b5db5f453f08473e3ec86f887914ce59e7f6fa88ee6b01ee4ae49dfcce4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 110cf742e7da59e417e5b51e23c5a044
SHA1 2fe4ee009a9a99de850dd8d6d92c9d4837f444d2
SHA256 ebe97ccfc0c50239665d939f865896143ffcb6921361e18dcba32b3bfa19a633
SHA512 117498742030a11f129b3b3281f304ad50c53dd39d638af0ad0f6234a1207efc6622d5d886806b376e7ae773feef177afc74449adbda16a40b31588017d5c4a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 a88909c9f483243b81f42896d9b9b930
SHA1 a7ff1384032096198de68ab58dd61e0273991250
SHA256 8a5b2f299b5dd9e1ed9712ae2a9885b392a131ac66230e41e116582e25506523
SHA512 a15420934bdb359a386480ad973d586b7f4dcbdcf92c136cab5054b1c75ade012f490629fd3f1ad9b8459ef670215b89d459bfb5e447c581fe12b6e93790959a

C:\Users\Admin\AppData\Local\Temp\CAB7.exe

MD5 36768027a713c9dffd63bfcb6b455d1a
SHA1 90088ffacce7509aa87e0487ad71389df8b0d992
SHA256 cabdc51c4c4a89f857e5e948dc5c57019b5cd6b0a1a480c00554a52b083edf65
SHA512 6dde47b2065ce3a894b1d028b7215d6da8137aceed31d48d3bf646f2479d514c7043effc8e60adb47c4c4b42f87ba134cd7d314c5335036045e5bcc7c5f2044f

memory/2916-182-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAB7.exe

MD5 36768027a713c9dffd63bfcb6b455d1a
SHA1 90088ffacce7509aa87e0487ad71389df8b0d992
SHA256 cabdc51c4c4a89f857e5e948dc5c57019b5cd6b0a1a480c00554a52b083edf65
SHA512 6dde47b2065ce3a894b1d028b7215d6da8137aceed31d48d3bf646f2479d514c7043effc8e60adb47c4c4b42f87ba134cd7d314c5335036045e5bcc7c5f2044f

memory/2916-183-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CC7D.exe

MD5 e4a9214897620fcfedbf8163504806cd
SHA1 52a3701970b2e3fca793ae23ce20a04f8e8db9db
SHA256 26515e880aaf2e119424c894836ed5c79a590c4764f4bae20d473d217832a01d
SHA512 a303e4281d9dba41b290299567b86ee82b4c7bb77a6628e19ad7fe2b7bfb555fe8d45d215446654719bfd055ba6538c961df6b4a2a54f495db20d6f914ce486b

memory/5100-184-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2916-188-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D72D.exe

MD5 9b8786c9e74cfd314d7fe9fab571d451
SHA1 e5725184c2da0103046f44c211cc943582c1b2b2
SHA256 d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09
SHA512 9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9

C:\Users\Admin\AppData\Local\Temp\D72D.exe

MD5 9b8786c9e74cfd314d7fe9fab571d451
SHA1 e5725184c2da0103046f44c211cc943582c1b2b2
SHA256 d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09
SHA512 9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9

memory/1552-192-0x0000000000810000-0x0000000000996000-memory.dmp

memory/2916-193-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2916-197-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D9CE.exe

MD5 9b8786c9e74cfd314d7fe9fab571d451
SHA1 e5725184c2da0103046f44c211cc943582c1b2b2
SHA256 d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09
SHA512 9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9

C:\Users\Admin\AppData\Local\Temp\zyy.exe

MD5 bbaa394e6b0ecb7808722986b90d290c
SHA1 682e835d7ea19c9aa3d464436d673e5c89ab2bb6
SHA256 baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73
SHA512 2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

C:\Users\Admin\AppData\Local\Temp\D9CE.exe

MD5 9b8786c9e74cfd314d7fe9fab571d451
SHA1 e5725184c2da0103046f44c211cc943582c1b2b2
SHA256 d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09
SHA512 9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9

C:\Users\Admin\AppData\Local\Temp\zyy.exe

MD5 bbaa394e6b0ecb7808722986b90d290c
SHA1 682e835d7ea19c9aa3d464436d673e5c89ab2bb6
SHA256 baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73
SHA512 2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

C:\Users\Admin\AppData\Local\Temp\zyy.exe

MD5 bbaa394e6b0ecb7808722986b90d290c
SHA1 682e835d7ea19c9aa3d464436d673e5c89ab2bb6
SHA256 baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73
SHA512 2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

C:\Users\Admin\AppData\Local\Temp\zyy.exe

MD5 bbaa394e6b0ecb7808722986b90d290c
SHA1 682e835d7ea19c9aa3d464436d673e5c89ab2bb6
SHA256 baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73
SHA512 2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

memory/2916-212-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2916-214-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ss31.exe

MD5 2c29457ffd728428540c91aec6b22cc3
SHA1 8de27d76e9b04e92af69202b0f0bdafd9f3aff61
SHA256 97af1eceb6079f69333105e7fda2c391bad555f78946901748480e26ec29a871
SHA512 964da7908a578df6a342a5bf58be55b805294d08bcf4578e8fb3a6ad9347dedacb335da3ec2ddfa14cf62a48a416b9d15def1c9c2f6d36f61b5cd0ef09bf00d7

C:\Users\Admin\AppData\Local\Temp\ss31.exe

MD5 2c29457ffd728428540c91aec6b22cc3
SHA1 8de27d76e9b04e92af69202b0f0bdafd9f3aff61
SHA256 97af1eceb6079f69333105e7fda2c391bad555f78946901748480e26ec29a871
SHA512 964da7908a578df6a342a5bf58be55b805294d08bcf4578e8fb3a6ad9347dedacb335da3ec2ddfa14cf62a48a416b9d15def1c9c2f6d36f61b5cd0ef09bf00d7

memory/2916-219-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ss31.exe

MD5 2c29457ffd728428540c91aec6b22cc3
SHA1 8de27d76e9b04e92af69202b0f0bdafd9f3aff61
SHA256 97af1eceb6079f69333105e7fda2c391bad555f78946901748480e26ec29a871
SHA512 964da7908a578df6a342a5bf58be55b805294d08bcf4578e8fb3a6ad9347dedacb335da3ec2ddfa14cf62a48a416b9d15def1c9c2f6d36f61b5cd0ef09bf00d7

C:\Users\Admin\AppData\Local\Temp\Player3.exe

MD5 43a3e1c9723e124a9b495cd474a05dcb
SHA1 d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

C:\Users\Admin\AppData\Local\Temp\Player3.exe

MD5 43a3e1c9723e124a9b495cd474a05dcb
SHA1 d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

C:\Users\Admin\AppData\Local\Temp\ss31.exe

MD5 2c29457ffd728428540c91aec6b22cc3
SHA1 8de27d76e9b04e92af69202b0f0bdafd9f3aff61
SHA256 97af1eceb6079f69333105e7fda2c391bad555f78946901748480e26ec29a871
SHA512 964da7908a578df6a342a5bf58be55b805294d08bcf4578e8fb3a6ad9347dedacb335da3ec2ddfa14cf62a48a416b9d15def1c9c2f6d36f61b5cd0ef09bf00d7

C:\Users\Admin\AppData\Local\Temp\ss31.exe

MD5 2c29457ffd728428540c91aec6b22cc3
SHA1 8de27d76e9b04e92af69202b0f0bdafd9f3aff61
SHA256 97af1eceb6079f69333105e7fda2c391bad555f78946901748480e26ec29a871
SHA512 964da7908a578df6a342a5bf58be55b805294d08bcf4578e8fb3a6ad9347dedacb335da3ec2ddfa14cf62a48a416b9d15def1c9c2f6d36f61b5cd0ef09bf00d7

memory/3876-237-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E076.exe

MD5 2d5a24f2691df1f7dad9a10ca469178d
SHA1 0af3855f13b32c254f2702be126a2faacdf60487
SHA256 031f6bb2f1c5c910fd3c13fc9d16a0154b6da1f0c1c54d21938ee493a189396d
SHA512 f22cc540a8b6c5d01369886f3df4435cd22f0b94faec860100abf5804e7c50b4a361f428ec548b77bcf08477b0ef806981086c09008c50b970322f5f16031a48

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

MD5 43a3e1c9723e124a9b495cd474a05dcb
SHA1 d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

C:\Users\Admin\AppData\Local\Temp\Player3.exe

MD5 43a3e1c9723e124a9b495cd474a05dcb
SHA1 d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

memory/3876-240-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

MD5 43a3e1c9723e124a9b495cd474a05dcb
SHA1 d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

C:\Users\Admin\AppData\Local\Temp\zyy.exe

MD5 bbaa394e6b0ecb7808722986b90d290c
SHA1 682e835d7ea19c9aa3d464436d673e5c89ab2bb6
SHA256 baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73
SHA512 2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

C:\Users\Admin\AppData\Local\Temp\E24B.exe

MD5 54908ce0d3f5a394c1250e83face2f89
SHA1 d3a5df4a01b785fde9bbafb6d18ca4b8d9d10165
SHA256 c98a71df404d9126b63d57c867bac3445d1dbc23af69214a49d48710e739ff24
SHA512 ada59574243f5e0146259449f1c60edf0de9e09cf40a9587785c1bebb2fac89665ba6fc3e752c8eb466b2e73614ac4b7ef08ef978bffbc272823d420de4ca08c

C:\Users\Admin\AppData\Local\Temp\zyy.exe

MD5 bbaa394e6b0ecb7808722986b90d290c
SHA1 682e835d7ea19c9aa3d464436d673e5c89ab2bb6
SHA256 baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73
SHA512 2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

C:\Users\Admin\AppData\Local\Temp\E24B.exe

MD5 54908ce0d3f5a394c1250e83face2f89
SHA1 d3a5df4a01b785fde9bbafb6d18ca4b8d9d10165
SHA256 c98a71df404d9126b63d57c867bac3445d1dbc23af69214a49d48710e739ff24
SHA512 ada59574243f5e0146259449f1c60edf0de9e09cf40a9587785c1bebb2fac89665ba6fc3e752c8eb466b2e73614ac4b7ef08ef978bffbc272823d420de4ca08c

C:\Users\Admin\AppData\Local\Temp\Player3.exe

MD5 43a3e1c9723e124a9b495cd474a05dcb
SHA1 d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

C:\Users\Admin\AppData\Local\Temp\E076.exe

MD5 2d5a24f2691df1f7dad9a10ca469178d
SHA1 0af3855f13b32c254f2702be126a2faacdf60487
SHA256 031f6bb2f1c5c910fd3c13fc9d16a0154b6da1f0c1c54d21938ee493a189396d
SHA512 f22cc540a8b6c5d01369886f3df4435cd22f0b94faec860100abf5804e7c50b4a361f428ec548b77bcf08477b0ef806981086c09008c50b970322f5f16031a48

C:\Users\Admin\AppData\Local\Temp\CC7D.exe

MD5 e4a9214897620fcfedbf8163504806cd
SHA1 52a3701970b2e3fca793ae23ce20a04f8e8db9db
SHA256 26515e880aaf2e119424c894836ed5c79a590c4764f4bae20d473d217832a01d
SHA512 a303e4281d9dba41b290299567b86ee82b4c7bb77a6628e19ad7fe2b7bfb555fe8d45d215446654719bfd055ba6538c961df6b4a2a54f495db20d6f914ce486b

memory/3876-259-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

MD5 43a3e1c9723e124a9b495cd474a05dcb
SHA1 d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build2.exe

MD5 1ea00519a643ae1ab0f4f9a6ecc81ead
SHA1 551c4fd300092a51a7fd3ceee009db249fd2a70f
SHA256 04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683
SHA512 187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

MD5 43a3e1c9723e124a9b495cd474a05dcb
SHA1 d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build2.exe

MD5 1ea00519a643ae1ab0f4f9a6ecc81ead
SHA1 551c4fd300092a51a7fd3ceee009db249fd2a70f
SHA256 04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683
SHA512 187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d

C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build2.exe

MD5 1ea00519a643ae1ab0f4f9a6ecc81ead
SHA1 551c4fd300092a51a7fd3ceee009db249fd2a70f
SHA256 04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683
SHA512 187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

MD5 43a3e1c9723e124a9b495cd474a05dcb
SHA1 d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

memory/1696-264-0x0000000002C00000-0x0000000002C09000-memory.dmp

memory/2916-283-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3876-291-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2612-292-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3804-294-0x0000021BD5390000-0x0000021BD5503000-memory.dmp

memory/3804-297-0x0000021BD5510000-0x0000021BD5644000-memory.dmp

memory/3876-299-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3876-303-0x0000000000400000-0x0000000000537000-memory.dmp

C:\SystemID\PersonalID.txt

MD5 7e3e9fcc42d297e9f68ca04b13a9fb44
SHA1 f263e27f040e44de2370f38499296e6dd25d84ff
SHA256 dbf4a18b623d921cef08c6a0959cc2a0d7df484ab0f208553363f901e5f6eed1
SHA512 8dd3e934d8e8acc72ac97f2d87bbda44da0cc78b48e358024840c8bf9fa3d6363b1ccbcd35f21a74a6f2474c681dc01d7c34e4d863212b1f52b5196273aa2cb5

memory/3876-296-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

MD5 26f46db1233de6727079d7a2a95ea4b6
SHA1 5e0535394a608411c1a1c6cb1d5b4d6b52e1364d
SHA256 fb1b78c5bdcfedc3c928847a89411870bfd5b69c3c0054db272c84b8d282cdab
SHA512 81cf0bdf4215aa51c93ec0a581d2a35eda53f3d496b9dc4d6c720512b13301639d97bccd5a13570786301b552185a1afab2ea88606a2d536e6895024eaea1b4b

memory/3876-293-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2612-289-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build2.exe

MD5 1ea00519a643ae1ab0f4f9a6ecc81ead
SHA1 551c4fd300092a51a7fd3ceee009db249fd2a70f
SHA256 04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683
SHA512 187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d

memory/2380-290-0x00000000024F0000-0x000000000254D000-memory.dmp

C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/2612-284-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\ef4f365b-350a-4751-b822-8b043d0c2fe1\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/2612-304-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db.dat

MD5 ee5d452cc4ee71e1f544582bf6fca143
SHA1 a193952075b2b4a83759098754e814a931b8ba90
SHA256 f5cb9476e4b5576bb94eae1d278093b6470b0238226d4c05ec8c76747d57cbfe
SHA512 7a935ae3df65b949c5e7f1ed93bd2173165ef4e347ceb5879725fbb995aedeef853b5b1dc4c4155d423f34d004f8a0df59258cefdad5f49e617d0a74764c896b

memory/2944-312-0x000002BFE62A0000-0x000002BFE63D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F056.exe

MD5 36768027a713c9dffd63bfcb6b455d1a
SHA1 90088ffacce7509aa87e0487ad71389df8b0d992
SHA256 cabdc51c4c4a89f857e5e948dc5c57019b5cd6b0a1a480c00554a52b083edf65
SHA512 6dde47b2065ce3a894b1d028b7215d6da8137aceed31d48d3bf646f2479d514c7043effc8e60adb47c4c4b42f87ba134cd7d314c5335036045e5bcc7c5f2044f

C:\Users\Admin\AppData\Local\Temp\F056.exe

MD5 36768027a713c9dffd63bfcb6b455d1a
SHA1 90088ffacce7509aa87e0487ad71389df8b0d992
SHA256 cabdc51c4c4a89f857e5e948dc5c57019b5cd6b0a1a480c00554a52b083edf65
SHA512 6dde47b2065ce3a894b1d028b7215d6da8137aceed31d48d3bf646f2479d514c7043effc8e60adb47c4c4b42f87ba134cd7d314c5335036045e5bcc7c5f2044f

C:\Users\Admin\AppData\Local\Temp\F056.exe

MD5 36768027a713c9dffd63bfcb6b455d1a
SHA1 90088ffacce7509aa87e0487ad71389df8b0d992
SHA256 cabdc51c4c4a89f857e5e948dc5c57019b5cd6b0a1a480c00554a52b083edf65
SHA512 6dde47b2065ce3a894b1d028b7215d6da8137aceed31d48d3bf646f2479d514c7043effc8e60adb47c4c4b42f87ba134cd7d314c5335036045e5bcc7c5f2044f

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 1b20e998d058e813dfc515867d31124f
SHA1 c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA256 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA512 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe

MD5 1ea00519a643ae1ab0f4f9a6ecc81ead
SHA1 551c4fd300092a51a7fd3ceee009db249fd2a70f
SHA256 04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683
SHA512 187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d

C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe

MD5 1ea00519a643ae1ab0f4f9a6ecc81ead
SHA1 551c4fd300092a51a7fd3ceee009db249fd2a70f
SHA256 04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683
SHA512 187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d

C:\Users\Admin\AppData\Local\Temp\529757233348

MD5 ef11cda381531e28ed3b41227d046b21
SHA1 64dc2ef43e2e8c18f7f36a22f677b3c330c926ba
SHA256 700b468e7974c6da58d8cd194c80e86b2bdbb4e87f96653b4f947d64372ae0b6
SHA512 091d82da9dc9a84654bb3f9d9142f78d75f2a5c4a362bdbd6b73a7628572441d530d5c2f834e408866ff5370e4fe86349e569aa994fdd2d73451fca6d5d57ba9

memory/3176-336-0x0000000007850000-0x0000000007866000-memory.dmp

memory/3912-335-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3912-334-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build2.exe

MD5 1ea00519a643ae1ab0f4f9a6ecc81ead
SHA1 551c4fd300092a51a7fd3ceee009db249fd2a70f
SHA256 04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683
SHA512 187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d

memory/3876-350-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\2eef45a0-3783-4eb1-bfb8-04cffa2ce415\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\Temp\F875.exe

MD5 3d8665b4bb1b80f1074f616276bdced6
SHA1 2d8db72b378e7c7a5855fc7bf29271e09a8fbf48
SHA256 b406d3562b067ed75aa83352f260f8499322d8bbe2fdb5e172da70e1d945a104
SHA512 81d634ba6bde50e1e820e6907badb9acd473c84d9054f60d19bd0c06fb3a7e41a1a859137450277cfcb6323c2cb729d3c5bde167ce60d8b882737b097d6fd903

memory/1420-367-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F056.exe

MD5 36768027a713c9dffd63bfcb6b455d1a
SHA1 90088ffacce7509aa87e0487ad71389df8b0d992
SHA256 cabdc51c4c4a89f857e5e948dc5c57019b5cd6b0a1a480c00554a52b083edf65
SHA512 6dde47b2065ce3a894b1d028b7215d6da8137aceed31d48d3bf646f2479d514c7043effc8e60adb47c4c4b42f87ba134cd7d314c5335036045e5bcc7c5f2044f

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 1b20e998d058e813dfc515867d31124f
SHA1 c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA256 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA512 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 1b20e998d058e813dfc515867d31124f
SHA1 c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA256 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA512 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

memory/1420-373-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FCCC.exe

MD5 d2779449f8672bd4205df39b0b523ebe
SHA1 84101f1c60c21da288951150fdc7a163636a06f7
SHA256 e1028352af138b56c740c27ed1c3f2244afcf9bc91776f3255acf05f4976ce5c
SHA512 1135ad7edbd05be3bd1ff1d91285125a28ef0f7422a50825fc757251b5e86aadbb7d672851185ce6aa5e93dc76701c05bfc21c5f4d83bd961806f72b8eaf8f9e

memory/1696-358-0x0000000000400000-0x0000000002AFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F875.exe

MD5 3d8665b4bb1b80f1074f616276bdced6
SHA1 2d8db72b378e7c7a5855fc7bf29271e09a8fbf48
SHA256 b406d3562b067ed75aa83352f260f8499322d8bbe2fdb5e172da70e1d945a104
SHA512 81d634ba6bde50e1e820e6907badb9acd473c84d9054f60d19bd0c06fb3a7e41a1a859137450277cfcb6323c2cb729d3c5bde167ce60d8b882737b097d6fd903

memory/3912-362-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1420-382-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4256-380-0x0000000004720000-0x000000000474E000-memory.dmp

memory/2004-359-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1420-389-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4988-392-0x0000000002C50000-0x0000000002C59000-memory.dmp

memory/3032-393-0x0000000002110000-0x000000000214E000-memory.dmp

memory/3248-399-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3248-400-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2612-402-0x0000000050AA0000-0x0000000050B93000-memory.dmp

memory/3248-405-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

MD5 cbac5446506439aa49d01cc245a1d08f
SHA1 7d77c5558888daef135ba31401335b2a9128debe
SHA256 b4f4b8ad24dc20eb1c505bf476370243acd3f14f006b20bfb99fc326106fc2f3
SHA512 7f0aa722269e242c52c0b5acc884f26779b9e598e2a7b0de8df71c52973b2a323d1a27ea74004f3d91c9f452ba5c62ae7ca329014d43c1a22a680f94da2be9bc

memory/3804-484-0x0000021BD5510000-0x0000021BD5644000-memory.dmp

memory/2612-487-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2944-488-0x000002BFE62A0000-0x000002BFE63D4000-memory.dmp

memory/3912-492-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2612-495-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3248-498-0x0000000000400000-0x0000000000537000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\ceubjwd

MD5 2d5a24f2691df1f7dad9a10ca469178d
SHA1 0af3855f13b32c254f2702be126a2faacdf60487
SHA256 031f6bb2f1c5c910fd3c13fc9d16a0154b6da1f0c1c54d21938ee493a189396d
SHA512 f22cc540a8b6c5d01369886f3df4435cd22f0b94faec860100abf5804e7c50b4a361f428ec548b77bcf08477b0ef806981086c09008c50b970322f5f16031a48

C:\ProgramData\71110769445725849819336398

MD5 4b609cebb20f08b79628408f4fa2ad42
SHA1 f725278c8bc0527c316e01827f195de5c9a8f934
SHA256 2802818c570f9da1ce2e2fe2ff12cd3190b4c287866a3e4dfe2ad3a7df4cecdf
SHA512 19111811722223521c8ef801290e2d5d8a49c0800363b9cf4232ca037dbcc515aa16ba6c043193f81388260db0e9a7cdb31b0da8c7ffa5bcad67ddbd842e2c60

C:\ProgramData\56647557292288193773523286

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\ProgramData\15156526688347554088989187

MD5 780853cddeaee8de70f28a4b255a600b
SHA1 ad7a5da33f7ad12946153c497e990720b09005ed
SHA256 1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3
SHA512 e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

C:\ProgramData\15156526688347554088989187

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

memory/4256-581-0x0000000002B90000-0x0000000002BAC000-memory.dmp

memory/4256-582-0x0000000004750000-0x000000000476A000-memory.dmp

memory/4256-583-0x0000000004A30000-0x0000000005A30000-memory.dmp

memory/3912-589-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1092-594-0x0000000004D50000-0x000000000508F000-memory.dmp

memory/4256-597-0x0000000002B90000-0x0000000002BAC000-memory.dmp

C:\Users\Admin\AppData\Roaming\ibubjwd

MD5 3dcb6a0d2f3ff93b20b95f9b93626ab0
SHA1 ef69000352792fb1834a3fc9f6d27eb7e56c40fa
SHA256 7cb9edabc72fd0d1fe0767d27a4369297ba0f5229c476ba31f91640ca17b9d1e
SHA512 8f1d2e372ceecf7024421ec01d7fdd91fa268eca548bd02e07c7c9d169127b6bccd6c2575aae07aa11b8d7ebf095f7efc39cdf49b6ed5ed941928172683402b5

memory/3856-607-0x0000000000C60000-0x0000000000C67000-memory.dmp

memory/996-610-0x0000000000BE0000-0x0000000000BEF000-memory.dmp

memory/3856-609-0x0000000000C50000-0x0000000000C5B000-memory.dmp

memory/996-614-0x0000000000BF0000-0x0000000000BF9000-memory.dmp

memory/980-615-0x0000000000570000-0x0000000000575000-memory.dmp

memory/980-616-0x0000000000560000-0x0000000000569000-memory.dmp

memory/760-621-0x0000000000110000-0x000000000011C000-memory.dmp

memory/760-620-0x0000000000120000-0x0000000000126000-memory.dmp

memory/2580-625-0x0000000000C90000-0x0000000000CB2000-memory.dmp

memory/2580-626-0x0000000000C60000-0x0000000000C87000-memory.dmp

memory/2132-628-0x00000000006C0000-0x00000000006C5000-memory.dmp

memory/2132-629-0x00000000006B0000-0x00000000006B9000-memory.dmp

memory/1772-631-0x00000000008B0000-0x00000000008B6000-memory.dmp

memory/1772-632-0x00000000008A0000-0x00000000008AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db.dat

MD5 ee5d452cc4ee71e1f544582bf6fca143
SHA1 a193952075b2b4a83759098754e814a931b8ba90
SHA256 f5cb9476e4b5576bb94eae1d278093b6470b0238226d4c05ec8c76747d57cbfe
SHA512 7a935ae3df65b949c5e7f1ed93bd2173165ef4e347ceb5879725fbb995aedeef853b5b1dc4c4155d423f34d004f8a0df59258cefdad5f49e617d0a74764c896b

C:\Users\Admin\AppData\Local\Temp\D72D.exe

MD5 9b8786c9e74cfd314d7fe9fab571d451
SHA1 e5725184c2da0103046f44c211cc943582c1b2b2
SHA256 d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09
SHA512 9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9

memory/1804-666-0x0000000000C00000-0x0000000000C0D000-memory.dmp

memory/1804-665-0x0000000000C10000-0x0000000000C17000-memory.dmp

memory/4988-668-0x0000000000A20000-0x0000000000A28000-memory.dmp

memory/4988-669-0x0000000000A10000-0x0000000000A1B000-memory.dmp

memory/3856-671-0x0000000000C60000-0x0000000000C67000-memory.dmp

memory/996-673-0x0000000000BF0000-0x0000000000BF9000-memory.dmp

memory/980-674-0x0000000000570000-0x0000000000575000-memory.dmp

memory/760-677-0x0000000000120000-0x0000000000126000-memory.dmp

memory/2580-678-0x0000000000C90000-0x0000000000CB2000-memory.dmp

memory/2132-679-0x00000000006C0000-0x00000000006C5000-memory.dmp

memory/1772-680-0x00000000008B0000-0x00000000008B6000-memory.dmp

C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

MD5 2c4e958144bd089aa93a564721ed28bb
SHA1 38ef85f66b7fdc293661e91ba69f31598c5b5919
SHA256 b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855
SHA512 a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

MD5 d3074d3a19629c3c6a533c86733e044e
SHA1 5b15823311f97036dbaf4a3418c6f50ffade0eb9
SHA256 b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401
SHA512 7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

memory/1804-703-0x0000000000C10000-0x0000000000C17000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\db.dll

MD5 1b20e998d058e813dfc515867d31124f
SHA1 c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA256 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA512 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

C:\Users\Admin\AppData\Local\Temp\F875.exe

MD5 3d8665b4bb1b80f1074f616276bdced6
SHA1 2d8db72b378e7c7a5855fc7bf29271e09a8fbf48
SHA256 b406d3562b067ed75aa83352f260f8499322d8bbe2fdb5e172da70e1d945a104
SHA512 81d634ba6bde50e1e820e6907badb9acd473c84d9054f60d19bd0c06fb3a7e41a1a859137450277cfcb6323c2cb729d3c5bde167ce60d8b882737b097d6fd903

memory/4988-716-0x0000000000A20000-0x0000000000A28000-memory.dmp

memory/1296-740-0x00000000009B0000-0x0000000000C46000-memory.dmp

memory/1296-741-0x000001FF4EED0000-0x000001FF4F178000-memory.dmp