Analysis Overview
SHA256
f556ab5cb7ef703c3584b538c8056657fedea624cfcc262295bca3b0dd8c839a
Threat Level: Known bad
The file 195abb468e546fbaa66ec219c4ceb298.exe was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Vidar
Amadey
Djvu Ransomware
Process spawned unexpected child process
Rhadamanthys
Detected Djvu ransomware
Detect rhadamanthys stealer shellcode
Laplas Clipper
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Checks installed software on the system
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Script User-Agent
Modifies registry class
Creates scheduled task(s)
Checks processor information in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-17 19:03
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-17 19:03
Reported
2023-03-17 19:05
Platform
win10v2004-20230220-en
Max time kernel
89s
Max time network
147s
Command Line
Signatures
Amadey
Detect rhadamanthys stealer shellcode
Detected Djvu ransomware
Djvu Ransomware
Laplas Clipper
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
Rhadamanthys
SmokeLoader
Vidar
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\a8dda146-fe08-4358-a4e5-aa5b516bdf13\build2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Player3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F9B7.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\293B.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F7D2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F7D2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\458.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1C96.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\a8dda146-fe08-4358-a4e5-aa5b516bdf13\build2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F9B7.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1C96.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\a8dda146-fe08-4358-a4e5-aa5b516bdf13\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\a8dda146-fe08-4358-a4e5-aa5b516bdf13\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1e050285-91d3-4d79-8796-d730c2feced4\\F7D2.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\F7D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe" | C:\Users\Admin\AppData\Local\Temp\293B.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\A16.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\A16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2CE5.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2CE5.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2CE5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\A16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build2.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\a8dda146-fe08-4358-a4e5-aa5b516bdf13\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\a8dda146-fe08-4358-a4e5-aa5b516bdf13\build2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyy.exe" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825} | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0 | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyy.exe" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyy.exe" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\ = "sqltest" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825} | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\ = "sqltest.Application" | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyy.exe" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application" | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4} | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR\ | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zyy.exe" | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}" | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}" | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD} | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ = "sqltest.Application" | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2CE5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2755.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zyy.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe
"C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe"
C:\Users\Admin\AppData\Local\Temp\F7D2.exe
C:\Users\Admin\AppData\Local\Temp\F7D2.exe
C:\Users\Admin\AppData\Local\Temp\F9B7.exe
C:\Users\Admin\AppData\Local\Temp\F9B7.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\1e050285-91d3-4d79-8796-d730c2feced4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\F9B7.exe
C:\Users\Admin\AppData\Local\Temp\F9B7.exe
C:\Users\Admin\AppData\Local\Temp\179.exe
C:\Users\Admin\AppData\Local\Temp\179.exe
C:\Users\Admin\AppData\Local\Temp\F7D2.exe
"C:\Users\Admin\AppData\Local\Temp\F7D2.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\458.exe
C:\Users\Admin\AppData\Local\Temp\458.exe
C:\Users\Admin\AppData\Local\Temp\F9B7.exe
"C:\Users\Admin\AppData\Local\Temp\F9B7.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\F7D2.exe
"C:\Users\Admin\AppData\Local\Temp\F7D2.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\A16.exe
C:\Users\Admin\AppData\Local\Temp\A16.exe
C:\Users\Admin\AppData\Local\Temp\zyy.exe
"C:\Users\Admin\AppData\Local\Temp\zyy.exe"
C:\Users\Admin\AppData\Local\Temp\zyy.exe
"C:\Users\Admin\AppData\Local\Temp\zyy.exe"
C:\Users\Admin\AppData\Local\Temp\ss31.exe
"C:\Users\Admin\AppData\Local\Temp\ss31.exe"
C:\Users\Admin\AppData\Local\Temp\Player3.exe
"C:\Users\Admin\AppData\Local\Temp\Player3.exe"
C:\Users\Admin\AppData\Local\Temp\ss31.exe
"C:\Users\Admin\AppData\Local\Temp\ss31.exe"
C:\Users\Admin\AppData\Local\Temp\BEC.exe
C:\Users\Admin\AppData\Local\Temp\BEC.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4320 -ip 4320
C:\Users\Admin\AppData\Local\Temp\F9B7.exe
"C:\Users\Admin\AppData\Local\Temp\F9B7.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 1524
C:\Users\Admin\AppData\Local\Temp\zyy.exe
"C:\Users\Admin\AppData\Local\Temp\zyy.exe" -h
C:\Users\Admin\AppData\Local\Temp\zyy.exe
"C:\Users\Admin\AppData\Local\Temp\zyy.exe" -h
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3908 -ip 3908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 340
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1C96.exe
C:\Users\Admin\AppData\Local\Temp\1C96.exe
C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build2.exe
"C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build2.exe"
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build2.exe
"C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2136 -ip 2136
C:\Users\Admin\AppData\Local\Temp\2755.exe
C:\Users\Admin\AppData\Local\Temp\2755.exe
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 408 -ip 408
C:\Users\Admin\AppData\Local\Temp\293B.exe
C:\Users\Admin\AppData\Local\Temp\293B.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 608
C:\Users\Admin\AppData\Local\Temp\1C96.exe
"C:\Users\Admin\AppData\Local\Temp\1C96.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build2.exe
"C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 604
C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build3.exe
"C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build3.exe"
C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build2.exe
"C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build2.exe"
C:\Users\Admin\AppData\Local\Temp\2CE5.exe
C:\Users\Admin\AppData\Local\Temp\2CE5.exe
C:\Users\Admin\AppData\Local\Temp\2FE4.exe
C:\Users\Admin\AppData\Local\Temp\2FE4.exe
C:\Users\Admin\AppData\Local\Temp\1C96.exe
"C:\Users\Admin\AppData\Local\Temp\1C96.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build3.exe
"C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build3.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2436 -ip 2436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 340
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
C:\Users\Admin\AppData\Local\a8dda146-fe08-4358-a4e5-aa5b516bdf13\build2.exe
"C:\Users\Admin\AppData\Local\a8dda146-fe08-4358-a4e5-aa5b516bdf13\build2.exe"
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\a8dda146-fe08-4358-a4e5-aa5b516bdf13\build3.exe
"C:\Users\Admin\AppData\Local\a8dda146-fe08-4358-a4e5-aa5b516bdf13\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1196 -ip 1196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1120
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\a8dda146-fe08-4358-a4e5-aa5b516bdf13\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Local\Temp\8306.exe
C:\Users\Admin\AppData\Local\Temp\8306.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2848 -ip 2848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 948
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wtoahoepfise.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1300 -ip 1300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 400
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build2.exe" & exit
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1300 -ip 1300
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1300 -s 644
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24126
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
Files
memory/1636-134-0x0000000004830000-0x0000000004839000-memory.dmp
memory/3156-135-0x0000000000C90000-0x0000000000CA6000-memory.dmp
memory/1636-136-0x0000000000400000-0x0000000002AFB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F7D2.exe
| MD5 | bea14d484e11b88a5a1f76233f52f732 |
| SHA1 | 0c391495bc75c4926b52b14fdd27bd3f7e410911 |
| SHA256 | 22235a4142e982638d4bbd3e51b686d89b269789ef2dc48a47443c0f4513b1fc |
| SHA512 | 310012caa123450d5cac0f4ea77cb86bb6453450e51eefa35c67ad00fb8c4674f73f4cf20304bc4a02caa5abecd654f92c6e1de139ef2a5b029f6b7f02c7228c |
C:\Users\Admin\AppData\Local\Temp\F7D2.exe
| MD5 | bea14d484e11b88a5a1f76233f52f732 |
| SHA1 | 0c391495bc75c4926b52b14fdd27bd3f7e410911 |
| SHA256 | 22235a4142e982638d4bbd3e51b686d89b269789ef2dc48a47443c0f4513b1fc |
| SHA512 | 310012caa123450d5cac0f4ea77cb86bb6453450e51eefa35c67ad00fb8c4674f73f4cf20304bc4a02caa5abecd654f92c6e1de139ef2a5b029f6b7f02c7228c |
memory/1396-147-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1396-149-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F7D2.exe
| MD5 | bea14d484e11b88a5a1f76233f52f732 |
| SHA1 | 0c391495bc75c4926b52b14fdd27bd3f7e410911 |
| SHA256 | 22235a4142e982638d4bbd3e51b686d89b269789ef2dc48a47443c0f4513b1fc |
| SHA512 | 310012caa123450d5cac0f4ea77cb86bb6453450e51eefa35c67ad00fb8c4674f73f4cf20304bc4a02caa5abecd654f92c6e1de139ef2a5b029f6b7f02c7228c |
memory/4248-150-0x00000000048E0000-0x00000000049FB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F9B7.exe
| MD5 | e4a9214897620fcfedbf8163504806cd |
| SHA1 | 52a3701970b2e3fca793ae23ce20a04f8e8db9db |
| SHA256 | 26515e880aaf2e119424c894836ed5c79a590c4764f4bae20d473d217832a01d |
| SHA512 | a303e4281d9dba41b290299567b86ee82b4c7bb77a6628e19ad7fe2b7bfb555fe8d45d215446654719bfd055ba6538c961df6b4a2a54f495db20d6f914ce486b |
memory/1396-155-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F9B7.exe
| MD5 | e4a9214897620fcfedbf8163504806cd |
| SHA1 | 52a3701970b2e3fca793ae23ce20a04f8e8db9db |
| SHA256 | 26515e880aaf2e119424c894836ed5c79a590c4764f4bae20d473d217832a01d |
| SHA512 | a303e4281d9dba41b290299567b86ee82b4c7bb77a6628e19ad7fe2b7bfb555fe8d45d215446654719bfd055ba6538c961df6b4a2a54f495db20d6f914ce486b |
memory/1396-163-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\1e050285-91d3-4d79-8796-d730c2feced4\F7D2.exe
| MD5 | bea14d484e11b88a5a1f76233f52f732 |
| SHA1 | 0c391495bc75c4926b52b14fdd27bd3f7e410911 |
| SHA256 | 22235a4142e982638d4bbd3e51b686d89b269789ef2dc48a47443c0f4513b1fc |
| SHA512 | 310012caa123450d5cac0f4ea77cb86bb6453450e51eefa35c67ad00fb8c4674f73f4cf20304bc4a02caa5abecd654f92c6e1de139ef2a5b029f6b7f02c7228c |
memory/4676-166-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F9B7.exe
| MD5 | e4a9214897620fcfedbf8163504806cd |
| SHA1 | 52a3701970b2e3fca793ae23ce20a04f8e8db9db |
| SHA256 | 26515e880aaf2e119424c894836ed5c79a590c4764f4bae20d473d217832a01d |
| SHA512 | a303e4281d9dba41b290299567b86ee82b4c7bb77a6628e19ad7fe2b7bfb555fe8d45d215446654719bfd055ba6538c961df6b4a2a54f495db20d6f914ce486b |
memory/1228-169-0x00000000022B0000-0x00000000023CB000-memory.dmp
memory/4676-170-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4676-168-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\179.exe
| MD5 | 9b8786c9e74cfd314d7fe9fab571d451 |
| SHA1 | e5725184c2da0103046f44c211cc943582c1b2b2 |
| SHA256 | d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09 |
| SHA512 | 9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9 |
C:\Users\Admin\AppData\Local\Temp\179.exe
| MD5 | 9b8786c9e74cfd314d7fe9fab571d451 |
| SHA1 | e5725184c2da0103046f44c211cc943582c1b2b2 |
| SHA256 | d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09 |
| SHA512 | 9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9 |
memory/4676-175-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | cdc105f9b440a6e48a5668a56bb20df4 |
| SHA1 | 3876d7213409b27f4934ef8062b2bd49ce1fd8e7 |
| SHA256 | 6613baac61b4482d1476ef01e7f877ff4cf301375d9069d45defd5054f23b2f0 |
| SHA512 | 52ae1d9b4d4d9fc2822c916a9fc3f46a604090cd063200e48a28d12eea73e28bec1dc3458c7baef56fe0a696b36373c29de3138214efea0e2a648cf7da7620df |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | f93c1c109641cc2d33c9bf48b088ebe0 |
| SHA1 | 174856f3602c1008c8409fdcb1bfacae7e8aed52 |
| SHA256 | 8a50654a8b847b7108d7279ac73db528206d8ae9ee8ec7692bb2f3d4c1dfa334 |
| SHA512 | f96202f8f656d048216017bd3e9752a2141a5edaf90251a9d8e4da2d980064e34e568da1d013ab66a5c7bd38ce4769f0622645dd3cbd46063123a85347674948 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 110cf742e7da59e417e5b51e23c5a044 |
| SHA1 | 2fe4ee009a9a99de850dd8d6d92c9d4837f444d2 |
| SHA256 | ebe97ccfc0c50239665d939f865896143ffcb6921361e18dcba32b3bfa19a633 |
| SHA512 | 117498742030a11f129b3b3281f304ad50c53dd39d638af0ad0f6234a1207efc6622d5d886806b376e7ae773feef177afc74449adbda16a40b31588017d5c4a7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 1d250612e6dae7b523e288ee29b1cec3 |
| SHA1 | ca6306b194b06f9c24bbe0ba6808579130d8d810 |
| SHA256 | 1756c98601857a08b021117ea464d47e926dad494ba218a3d1402d04cf3b25ec |
| SHA512 | 6f2afbfa81fb6254118244272782219bb07e28ecf6717b21d5578d324b4922cc5c46d8383341d6f1dcd701c44f994296047635b2e4b821c7c7333b2a322eac5a |
memory/1396-180-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F7D2.exe
| MD5 | bea14d484e11b88a5a1f76233f52f732 |
| SHA1 | 0c391495bc75c4926b52b14fdd27bd3f7e410911 |
| SHA256 | 22235a4142e982638d4bbd3e51b686d89b269789ef2dc48a47443c0f4513b1fc |
| SHA512 | 310012caa123450d5cac0f4ea77cb86bb6453450e51eefa35c67ad00fb8c4674f73f4cf20304bc4a02caa5abecd654f92c6e1de139ef2a5b029f6b7f02c7228c |
memory/4320-188-0x0000000000A10000-0x0000000000B96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\458.exe
| MD5 | 9b8786c9e74cfd314d7fe9fab571d451 |
| SHA1 | e5725184c2da0103046f44c211cc943582c1b2b2 |
| SHA256 | d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09 |
| SHA512 | 9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9 |
C:\Users\Admin\AppData\Local\Temp\458.exe
| MD5 | 9b8786c9e74cfd314d7fe9fab571d451 |
| SHA1 | e5725184c2da0103046f44c211cc943582c1b2b2 |
| SHA256 | d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09 |
| SHA512 | 9400e778bf8e57a9bcb9593f762f2473084ed06d04bf6d90566ab17019b0dd8c03f4a6190f72eeeb94fe1d0acf5d42223735d625a2a935a21d61182acef827d9 |
C:\Users\Admin\AppData\Local\Temp\zyy.exe
| MD5 | bbaa394e6b0ecb7808722986b90d290c |
| SHA1 | 682e835d7ea19c9aa3d464436d673e5c89ab2bb6 |
| SHA256 | baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73 |
| SHA512 | 2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f |
C:\Users\Admin\AppData\Local\Temp\F9B7.exe
| MD5 | e4a9214897620fcfedbf8163504806cd |
| SHA1 | 52a3701970b2e3fca793ae23ce20a04f8e8db9db |
| SHA256 | 26515e880aaf2e119424c894836ed5c79a590c4764f4bae20d473d217832a01d |
| SHA512 | a303e4281d9dba41b290299567b86ee82b4c7bb77a6628e19ad7fe2b7bfb555fe8d45d215446654719bfd055ba6538c961df6b4a2a54f495db20d6f914ce486b |
memory/4676-192-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1680-197-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F7D2.exe
| MD5 | bea14d484e11b88a5a1f76233f52f732 |
| SHA1 | 0c391495bc75c4926b52b14fdd27bd3f7e410911 |
| SHA256 | 22235a4142e982638d4bbd3e51b686d89b269789ef2dc48a47443c0f4513b1fc |
| SHA512 | 310012caa123450d5cac0f4ea77cb86bb6453450e51eefa35c67ad00fb8c4674f73f4cf20304bc4a02caa5abecd654f92c6e1de139ef2a5b029f6b7f02c7228c |
C:\Users\Admin\AppData\Local\Temp\zyy.exe
| MD5 | bbaa394e6b0ecb7808722986b90d290c |
| SHA1 | 682e835d7ea19c9aa3d464436d673e5c89ab2bb6 |
| SHA256 | baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73 |
| SHA512 | 2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f |
C:\Users\Admin\AppData\Local\Temp\A16.exe
| MD5 | ed27879f000b8faeed15d993273425a1 |
| SHA1 | d901cd5724f000c2de492d162d836d21e9b10f04 |
| SHA256 | 6bc748ef2da232bd7ec6e60093ce0d41f0c04d506e98bcfea7e88f8ec8a0942d |
| SHA512 | f7c2906a7a3adcc5cafee4795cd172bf2ef74ddc4479c303a18c9601b2ad14b79364e9c1289c97c4f1ff02753945aa002b4ad0028963541bee1bad5b263a5c02 |
C:\Users\Admin\AppData\Local\Temp\zyy.exe
| MD5 | bbaa394e6b0ecb7808722986b90d290c |
| SHA1 | 682e835d7ea19c9aa3d464436d673e5c89ab2bb6 |
| SHA256 | baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73 |
| SHA512 | 2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f |
C:\Users\Admin\AppData\Local\Temp\ss31.exe
| MD5 | 2c29457ffd728428540c91aec6b22cc3 |
| SHA1 | 8de27d76e9b04e92af69202b0f0bdafd9f3aff61 |
| SHA256 | 97af1eceb6079f69333105e7fda2c391bad555f78946901748480e26ec29a871 |
| SHA512 | 964da7908a578df6a342a5bf58be55b805294d08bcf4578e8fb3a6ad9347dedacb335da3ec2ddfa14cf62a48a416b9d15def1c9c2f6d36f61b5cd0ef09bf00d7 |
C:\Users\Admin\AppData\Local\Temp\BEC.exe
| MD5 | 54908ce0d3f5a394c1250e83face2f89 |
| SHA1 | d3a5df4a01b785fde9bbafb6d18ca4b8d9d10165 |
| SHA256 | c98a71df404d9126b63d57c867bac3445d1dbc23af69214a49d48710e739ff24 |
| SHA512 | ada59574243f5e0146259449f1c60edf0de9e09cf40a9587785c1bebb2fac89665ba6fc3e752c8eb466b2e73614ac4b7ef08ef978bffbc272823d420de4ca08c |
C:\Users\Admin\AppData\Local\Temp\ss31.exe
| MD5 | 2c29457ffd728428540c91aec6b22cc3 |
| SHA1 | 8de27d76e9b04e92af69202b0f0bdafd9f3aff61 |
| SHA256 | 97af1eceb6079f69333105e7fda2c391bad555f78946901748480e26ec29a871 |
| SHA512 | 964da7908a578df6a342a5bf58be55b805294d08bcf4578e8fb3a6ad9347dedacb335da3ec2ddfa14cf62a48a416b9d15def1c9c2f6d36f61b5cd0ef09bf00d7 |
C:\Users\Admin\AppData\Local\Temp\ss31.exe
| MD5 | 2c29457ffd728428540c91aec6b22cc3 |
| SHA1 | 8de27d76e9b04e92af69202b0f0bdafd9f3aff61 |
| SHA256 | 97af1eceb6079f69333105e7fda2c391bad555f78946901748480e26ec29a871 |
| SHA512 | 964da7908a578df6a342a5bf58be55b805294d08bcf4578e8fb3a6ad9347dedacb335da3ec2ddfa14cf62a48a416b9d15def1c9c2f6d36f61b5cd0ef09bf00d7 |
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\Player3.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
C:\Users\Admin\AppData\Local\Temp\BEC.exe
| MD5 | 54908ce0d3f5a394c1250e83face2f89 |
| SHA1 | d3a5df4a01b785fde9bbafb6d18ca4b8d9d10165 |
| SHA256 | c98a71df404d9126b63d57c867bac3445d1dbc23af69214a49d48710e739ff24 |
| SHA512 | ada59574243f5e0146259449f1c60edf0de9e09cf40a9587785c1bebb2fac89665ba6fc3e752c8eb466b2e73614ac4b7ef08ef978bffbc272823d420de4ca08c |
memory/1680-218-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ss31.exe
| MD5 | 2c29457ffd728428540c91aec6b22cc3 |
| SHA1 | 8de27d76e9b04e92af69202b0f0bdafd9f3aff61 |
| SHA256 | 97af1eceb6079f69333105e7fda2c391bad555f78946901748480e26ec29a871 |
| SHA512 | 964da7908a578df6a342a5bf58be55b805294d08bcf4578e8fb3a6ad9347dedacb335da3ec2ddfa14cf62a48a416b9d15def1c9c2f6d36f61b5cd0ef09bf00d7 |
C:\Users\Admin\AppData\Local\Temp\zyy.exe
| MD5 | bbaa394e6b0ecb7808722986b90d290c |
| SHA1 | 682e835d7ea19c9aa3d464436d673e5c89ab2bb6 |
| SHA256 | baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73 |
| SHA512 | 2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f |
C:\Users\Admin\AppData\Local\Temp\A16.exe
| MD5 | ed27879f000b8faeed15d993273425a1 |
| SHA1 | d901cd5724f000c2de492d162d836d21e9b10f04 |
| SHA256 | 6bc748ef2da232bd7ec6e60093ce0d41f0c04d506e98bcfea7e88f8ec8a0942d |
| SHA512 | f7c2906a7a3adcc5cafee4795cd172bf2ef74ddc4479c303a18c9601b2ad14b79364e9c1289c97c4f1ff02753945aa002b4ad0028963541bee1bad5b263a5c02 |
C:\Users\Admin\AppData\Local\Temp\zyy.exe
| MD5 | bbaa394e6b0ecb7808722986b90d290c |
| SHA1 | 682e835d7ea19c9aa3d464436d673e5c89ab2bb6 |
| SHA256 | baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73 |
| SHA512 | 2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f |
memory/1680-198-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4620-237-0x0000000002B30000-0x0000000002B39000-memory.dmp
memory/4984-240-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F9B7.exe
| MD5 | e4a9214897620fcfedbf8163504806cd |
| SHA1 | 52a3701970b2e3fca793ae23ce20a04f8e8db9db |
| SHA256 | 26515e880aaf2e119424c894836ed5c79a590c4764f4bae20d473d217832a01d |
| SHA512 | a303e4281d9dba41b290299567b86ee82b4c7bb77a6628e19ad7fe2b7bfb555fe8d45d215446654719bfd055ba6538c961df6b4a2a54f495db20d6f914ce486b |
C:\Users\Admin\AppData\Local\Temp\zyy.exe
| MD5 | bbaa394e6b0ecb7808722986b90d290c |
| SHA1 | 682e835d7ea19c9aa3d464436d673e5c89ab2bb6 |
| SHA256 | baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73 |
| SHA512 | 2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f |
memory/4984-251-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1680-253-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1680-250-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zyy.exe
| MD5 | bbaa394e6b0ecb7808722986b90d290c |
| SHA1 | 682e835d7ea19c9aa3d464436d673e5c89ab2bb6 |
| SHA256 | baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73 |
| SHA512 | 2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f |
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
| MD5 | 43a3e1c9723e124a9b495cd474a05dcb |
| SHA1 | d293f427eaa8efc18bb8929a9f54fb61e03bdd89 |
| SHA256 | 619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab |
| SHA512 | 6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7 |
memory/4984-254-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4984-255-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4984-256-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3908-257-0x0000000000400000-0x00000000004AB000-memory.dmp
memory/2012-260-0x0000018412E70000-0x0000018412FE3000-memory.dmp
memory/2012-261-0x0000018412FF0000-0x0000018413124000-memory.dmp
memory/1680-265-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1680-269-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1680-270-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4984-282-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\bowsakkdestx.txt
| MD5 | 3c66ee468dfa0688e6d22ca20d761140 |
| SHA1 | 965c713cd69439ee5662125f0390a2324a7859bf |
| SHA256 | 4b230d2eaf9e5441f56db135faca2c761001787249d2358133e4f368061a1ea3 |
| SHA512 | 4b29902d881bf20305322cc6a7bffb312187be86f4efa658a9d3c455e84f9f8b0d07f6f2bb6dac42ac050dc6f8d876e2b9df0ef4d5d1bb7e9be1223d652e04c6 |
C:\Users\Admin\AppData\Local\Temp\1C96.exe
| MD5 | bea14d484e11b88a5a1f76233f52f732 |
| SHA1 | 0c391495bc75c4926b52b14fdd27bd3f7e410911 |
| SHA256 | 22235a4142e982638d4bbd3e51b686d89b269789ef2dc48a47443c0f4513b1fc |
| SHA512 | 310012caa123450d5cac0f4ea77cb86bb6453450e51eefa35c67ad00fb8c4674f73f4cf20304bc4a02caa5abecd654f92c6e1de139ef2a5b029f6b7f02c7228c |
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | ee5d452cc4ee71e1f544582bf6fca143 |
| SHA1 | a193952075b2b4a83759098754e814a931b8ba90 |
| SHA256 | f5cb9476e4b5576bb94eae1d278093b6470b0238226d4c05ec8c76747d57cbfe |
| SHA512 | 7a935ae3df65b949c5e7f1ed93bd2173165ef4e347ceb5879725fbb995aedeef853b5b1dc4c4155d423f34d004f8a0df59258cefdad5f49e617d0a74764c896b |
C:\SystemID\PersonalID.txt
| MD5 | 8a336d5bff8f129e980f6d2038544ccb |
| SHA1 | 5238d75ab615dcdd09eef84e8f93f42bd7a1a37b |
| SHA256 | 63faf4362c0b32dc765847896fdb1484957c29a92a4b601ba573e85c784faacd |
| SHA512 | 83178f9fa1e0c8878f486923f1d6f3b007c565b10e3bfdf4818afb188c339ff9674bbf35bef74b017b1e081cf434ed823b5e3461f06c3d0d4faf1da98195af47 |
memory/2912-293-0x000001FD8A940000-0x000001FD8AA74000-memory.dmp
memory/4984-292-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 1b20e998d058e813dfc515867d31124f |
| SHA1 | c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f |
| SHA256 | 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00 |
| SHA512 | 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6 |
C:\Users\Admin\AppData\Local\Temp\1C96.exe
| MD5 | bea14d484e11b88a5a1f76233f52f732 |
| SHA1 | 0c391495bc75c4926b52b14fdd27bd3f7e410911 |
| SHA256 | 22235a4142e982638d4bbd3e51b686d89b269789ef2dc48a47443c0f4513b1fc |
| SHA512 | 310012caa123450d5cac0f4ea77cb86bb6453450e51eefa35c67ad00fb8c4674f73f4cf20304bc4a02caa5abecd654f92c6e1de139ef2a5b029f6b7f02c7228c |
C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build2.exe
| MD5 | 1ea00519a643ae1ab0f4f9a6ecc81ead |
| SHA1 | 551c4fd300092a51a7fd3ceee009db249fd2a70f |
| SHA256 | 04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683 |
| SHA512 | 187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d |
memory/3156-312-0x0000000007AF0000-0x0000000007B06000-memory.dmp
memory/4816-320-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2368-319-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2368-324-0x0000000000400000-0x0000000000471000-memory.dmp
memory/5008-323-0x00000000024B0000-0x000000000250D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\013461898371
| MD5 | 8091f8d171d1121766992e6e057663a2 |
| SHA1 | 107dbe190804121a4042c0522882025566ce6264 |
| SHA256 | 14e491946e7a7240889d735fd9c3e7ed010e290b690b9a7ef257f33e87463825 |
| SHA512 | 49386d0d7cbee00065a918810e78562671feb6d125d7d5215532cccc3a43400c88122aeafe9c35365b86a3e6c0ad454e233e38dc7e11399fd8982799740775a1 |
memory/4620-325-0x0000000000400000-0x0000000002AFB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 1b20e998d058e813dfc515867d31124f |
| SHA1 | c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f |
| SHA256 | 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00 |
| SHA512 | 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6 |
memory/2368-332-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 1b20e998d058e813dfc515867d31124f |
| SHA1 | c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f |
| SHA256 | 24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00 |
| SHA512 | 79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6 |
C:\Users\Admin\AppData\Local\Temp\2755.exe
| MD5 | 4ce1907bedf5f7b62e6b8b637c4d7c1b |
| SHA1 | 7b1c5ad0b74d0fa927243aaaf431e1c74d0c8ec5 |
| SHA256 | a2ee2e380c444d62824c944a9ed1a7d12e4b49d3d571d639eceb87680a259139 |
| SHA512 | 80c0b3636eda571bee3a9e9cb9ac2f4d022e1a9390a0ba0721efe90d9c26f26d444ac6a7d6662a1ca0fe620e4d687ffc50f033946ab362ba3d3f78f4aea1d6c8 |
C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build2.exe
| MD5 | 1ea00519a643ae1ab0f4f9a6ecc81ead |
| SHA1 | 551c4fd300092a51a7fd3ceee009db249fd2a70f |
| SHA256 | 04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683 |
| SHA512 | 187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d |
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | ee5d452cc4ee71e1f544582bf6fca143 |
| SHA1 | a193952075b2b4a83759098754e814a931b8ba90 |
| SHA256 | f5cb9476e4b5576bb94eae1d278093b6470b0238226d4c05ec8c76747d57cbfe |
| SHA512 | 7a935ae3df65b949c5e7f1ed93bd2173165ef4e347ceb5879725fbb995aedeef853b5b1dc4c4155d423f34d004f8a0df59258cefdad5f49e617d0a74764c896b |
C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build2.exe
| MD5 | 1ea00519a643ae1ab0f4f9a6ecc81ead |
| SHA1 | 551c4fd300092a51a7fd3ceee009db249fd2a70f |
| SHA256 | 04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683 |
| SHA512 | 187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d |
C:\Users\Admin\AppData\Local\Temp\293B.exe
| MD5 | d2779449f8672bd4205df39b0b523ebe |
| SHA1 | 84101f1c60c21da288951150fdc7a163636a06f7 |
| SHA256 | e1028352af138b56c740c27ed1c3f2244afcf9bc91776f3255acf05f4976ce5c |
| SHA512 | 1135ad7edbd05be3bd1ff1d91285125a28ef0f7422a50825fc757251b5e86aadbb7d672851185ce6aa5e93dc76701c05bfc21c5f4d83bd961806f72b8eaf8f9e |
memory/2368-311-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build2.exe
| MD5 | 1ea00519a643ae1ab0f4f9a6ecc81ead |
| SHA1 | 551c4fd300092a51a7fd3ceee009db249fd2a70f |
| SHA256 | 04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683 |
| SHA512 | 187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d |
memory/4816-304-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4816-298-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1C96.exe
| MD5 | bea14d484e11b88a5a1f76233f52f732 |
| SHA1 | 0c391495bc75c4926b52b14fdd27bd3f7e410911 |
| SHA256 | 22235a4142e982638d4bbd3e51b686d89b269789ef2dc48a47443c0f4513b1fc |
| SHA512 | 310012caa123450d5cac0f4ea77cb86bb6453450e51eefa35c67ad00fb8c4674f73f4cf20304bc4a02caa5abecd654f92c6e1de139ef2a5b029f6b7f02c7228c |
memory/4984-289-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1C96.exe
| MD5 | bea14d484e11b88a5a1f76233f52f732 |
| SHA1 | 0c391495bc75c4926b52b14fdd27bd3f7e410911 |
| SHA256 | 22235a4142e982638d4bbd3e51b686d89b269789ef2dc48a47443c0f4513b1fc |
| SHA512 | 310012caa123450d5cac0f4ea77cb86bb6453450e51eefa35c67ad00fb8c4674f73f4cf20304bc4a02caa5abecd654f92c6e1de139ef2a5b029f6b7f02c7228c |
memory/4816-363-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\f493d610-82ea-4ace-9a36-3a951904fec8\build2.exe
| MD5 | 1ea00519a643ae1ab0f4f9a6ecc81ead |
| SHA1 | 551c4fd300092a51a7fd3ceee009db249fd2a70f |
| SHA256 | 04e8128c405994d18f26b6394b32686c6e07a65b2c90c98f16295a48a16ba683 |
| SHA512 | 187897c856c6b7b45d9f85898103b8560d25c694c150c1c1efd1370be0c4e3ba3799d2f4c3cc5c2618b0a84f80cff19cf9be47d0961df20c47b73783f6d0491d |
memory/776-376-0x0000000000400000-0x0000000000471000-memory.dmp
memory/776-375-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2FE4.exe
| MD5 | 9be2584483492e7561c14da1a54cfb3a |
| SHA1 | dc5c59d31a1afc3515508c10cd21c945c1e71b2e |
| SHA256 | aea265dbb2d373e488a4b0ac87533e9350ccdcb992a75fd31d2ae7c1897b80b8 |
| SHA512 | 89126213575fd4fbc3ff5166818760c47cabc4327c965dc18b7007d0d6351b4430deebad9beafd2c5c57d13d59e05652c14e68743ff7b8fb823d8ccad6532455 |
C:\Users\Admin\AppData\Local\Temp\2CE5.exe
| MD5 | 34c48c548dbdf212c3158b5088670e86 |
| SHA1 | ddf9390d3636bc8f61716762f31c1c198e66cf8e |
| SHA256 | 2b72e00b17db683179828dc23ed8d3fe4cd1073c739f8523010bb236363a6359 |
| SHA512 | 0790e5a910a701a301900bc1339d3deebb9bd63ea56cdcce7960dec6fa7f49a0ed3e11a5caeb3105deec6a0f60f7e8820cc4eac86cf0bc6f4b8511315ac73d06 |
memory/2848-367-0x0000000002C50000-0x0000000002C7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1C96.exe
| MD5 | bea14d484e11b88a5a1f76233f52f732 |
| SHA1 | 0c391495bc75c4926b52b14fdd27bd3f7e410911 |
| SHA256 | 22235a4142e982638d4bbd3e51b686d89b269789ef2dc48a47443c0f4513b1fc |
| SHA512 | 310012caa123450d5cac0f4ea77cb86bb6453450e51eefa35c67ad00fb8c4674f73f4cf20304bc4a02caa5abecd654f92c6e1de139ef2a5b029f6b7f02c7228c |
C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/1680-359-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\2ac8d47c-ab47-4d8a-95a7-a2e2e50c89d9\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/4984-390-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4420-391-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1280-394-0x0000000002C00000-0x0000000002C09000-memory.dmp
memory/776-392-0x0000000000400000-0x0000000000471000-memory.dmp
memory/4420-393-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4420-400-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1196-401-0x0000000001FD0000-0x000000000200E000-memory.dmp
memory/4420-409-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4420-410-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4420-412-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4420-413-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4420-411-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2436-414-0x0000000000400000-0x00000000004AB000-memory.dmp
memory/2368-416-0x0000000050AA0000-0x0000000050B93000-memory.dmp
memory/3156-415-0x0000000008550000-0x0000000008566000-memory.dmp
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
| MD5 | db10c723a584f9e05657f043993f1952 |
| SHA1 | db1b5c32a5464367b224a963de87e7080eedbd50 |
| SHA256 | 17902375b920df46c348575ded30e8f763a11c63db892bdf90e2e6f0013f9bb4 |
| SHA512 | 7e35f7709ce6bb3dcbcd57e7ba300db73b727b8f08bd563f5811599aad76a9b2856aa9d05a81032950cb755d230a88d2d38d1be5d8b245c78a87fc1a135d1444 |
memory/2012-458-0x0000018412FF0000-0x0000018413124000-memory.dmp
memory/2912-504-0x000001FD8A940000-0x000001FD8AA74000-memory.dmp
memory/2732-505-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2368-520-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2368-525-0x0000000000400000-0x0000000000471000-memory.dmp
memory/776-527-0x0000000000400000-0x0000000000471000-memory.dmp
memory/4420-528-0x0000000000400000-0x0000000000537000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\20105614405120054424929923
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |
C:\ProgramData\92505092780221259107389340
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
C:\ProgramData\92505092780221259107389340
| MD5 | 780853cddeaee8de70f28a4b255a600b |
| SHA1 | ad7a5da33f7ad12946153c497e990720b09005ed |
| SHA256 | 1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3 |
| SHA512 | e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8 |
C:\ProgramData\20105614405120054424929923
| MD5 | ec9dc2b3a8b24bcbda00502af0fedd51 |
| SHA1 | b555e8192e4aef3f0beb5f5381a7ad7095442e8d |
| SHA256 | 7378950f042c94b08cc138fd8c02e41f88b616cd17f23c0c06d4e3ca3e2937d2 |
| SHA512 | 9040813d94956771ce06cdc1f524e0174c481cdc0e1d93cbf8a7d76dd321a641229e5a9dd1c085e92a9f66d92b6d7edc80b77cd54bb8905852c150234a190194 |
memory/2732-607-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2732-610-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2848-614-0x0000000002C80000-0x0000000002C9C000-memory.dmp
memory/2848-615-0x0000000002CA0000-0x0000000002CA2000-memory.dmp
memory/2848-621-0x00000000049F0000-0x00000000059F0000-memory.dmp
memory/1300-623-0x0000000004BF0000-0x0000000004F2F000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\23306363969953827888032358
| MD5 | b396bd88821a6e797e22c3ca300f11c2 |
| SHA1 | 8c37621f28582c5fb697411d27f4f76474191f9f |
| SHA256 | c63776152f5f941365f580e0159591871e9e37de1ba1dcd9c332efc2b77349e2 |
| SHA512 | 680726f46b2a25ec9645c356e4c3641889995a900e83a141a437cf098a4abb23642b72468332240f2d4f2443dc31a7c75ecf72c6b9518f82d9e4b645cd3f29e6 |
C:\ProgramData\23306363969953827888032358
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\ProgramData\68941993298968431583112973
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\ProgramData\54060402927097605215309645
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\ProgramData\13321780004664479502030034
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Roaming\vgaggtv
| MD5 | 34c48c548dbdf212c3158b5088670e86 |
| SHA1 | ddf9390d3636bc8f61716762f31c1c198e66cf8e |
| SHA256 | 2b72e00b17db683179828dc23ed8d3fe4cd1073c739f8523010bb236363a6359 |
| SHA512 | 0790e5a910a701a301900bc1339d3deebb9bd63ea56cdcce7960dec6fa7f49a0ed3e11a5caeb3105deec6a0f60f7e8820cc4eac86cf0bc6f4b8511315ac73d06 |
memory/2848-701-0x0000000002C80000-0x0000000002C9C000-memory.dmp
memory/1316-704-0x0000000001080000-0x0000000001089000-memory.dmp
memory/3168-706-0x0000000000DF0000-0x0000000000DFF000-memory.dmp
memory/1316-705-0x0000000000DF0000-0x0000000000DFF000-memory.dmp
memory/3168-707-0x0000000000C90000-0x0000000000C9B000-memory.dmp
memory/4020-712-0x0000000000CA0000-0x0000000000CA5000-memory.dmp
memory/4020-713-0x0000000000C90000-0x0000000000C99000-memory.dmp
memory/776-716-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1380-719-0x0000000000C90000-0x0000000000C99000-memory.dmp
memory/1380-720-0x00000000009E0000-0x00000000009EC000-memory.dmp
memory/2136-724-0x00000000009E0000-0x00000000009EC000-memory.dmp
memory/2136-725-0x0000000000CF0000-0x0000000000D17000-memory.dmp
memory/5008-727-0x0000000000CF0000-0x0000000000D17000-memory.dmp
memory/5008-728-0x0000000000470000-0x0000000000479000-memory.dmp
memory/4688-732-0x0000000000470000-0x0000000000479000-memory.dmp
memory/4688-733-0x0000000000170000-0x000000000017B000-memory.dmp
memory/4812-734-0x0000000000E10000-0x0000000000E1D000-memory.dmp
memory/3668-736-0x0000000000E10000-0x0000000000E1D000-memory.dmp
memory/3668-737-0x00000000012C0000-0x00000000012CB000-memory.dmp
memory/1316-740-0x0000000001080000-0x0000000001089000-memory.dmp
memory/3168-741-0x0000000000DF0000-0x0000000000DFF000-memory.dmp
memory/4020-742-0x0000000000CA0000-0x0000000000CA5000-memory.dmp
memory/1380-744-0x0000000000C90000-0x0000000000C99000-memory.dmp
memory/2136-746-0x00000000009E0000-0x00000000009EC000-memory.dmp
memory/5008-748-0x0000000000CF0000-0x0000000000D17000-memory.dmp
memory/4688-751-0x0000000000470000-0x0000000000479000-memory.dmp
memory/4812-752-0x0000000000170000-0x000000000017B000-memory.dmp
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
| MD5 | 2c4e958144bd089aa93a564721ed28bb |
| SHA1 | 38ef85f66b7fdc293661e91ba69f31598c5b5919 |
| SHA256 | b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855 |
| SHA512 | a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6 |
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll
| MD5 | d3074d3a19629c3c6a533c86733e044e |
| SHA1 | 5b15823311f97036dbaf4a3418c6f50ffade0eb9 |
| SHA256 | b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401 |
| SHA512 | 7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf |
memory/3668-771-0x0000000000E10000-0x0000000000E1D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | 3ee19144dcc99975865fa98db51e00b6 |
| SHA1 | d97f962744a6a0bb5de9b28bbf29dbfd43cafc7e |
| SHA256 | e45d194746bd615d2a8ccccb465ff56a9f518af571bf6eab0563c3963033d5e0 |
| SHA512 | 0a55e86b1095f9f557bbf1b1953001f57eac16a06660e20be04f2db5a77c0160634089dbb3908ec9a3947da52ed29a29db1859e5a2ccaccdd14178f855627518 |
C:\Users\Admin\AppData\Local\Temp\BEC.exe
| MD5 | 54908ce0d3f5a394c1250e83face2f89 |
| SHA1 | d3a5df4a01b785fde9bbafb6d18ca4b8d9d10165 |
| SHA256 | c98a71df404d9126b63d57c867bac3445d1dbc23af69214a49d48710e739ff24 |
| SHA512 | ada59574243f5e0146259449f1c60edf0de9e09cf40a9587785c1bebb2fac89665ba6fc3e752c8eb466b2e73614ac4b7ef08ef978bffbc272823d420de4ca08c |
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | ee5d452cc4ee71e1f544582bf6fca143 |
| SHA1 | a193952075b2b4a83759098754e814a931b8ba90 |
| SHA256 | f5cb9476e4b5576bb94eae1d278093b6470b0238226d4c05ec8c76747d57cbfe |
| SHA512 | 7a935ae3df65b949c5e7f1ed93bd2173165ef4e347ceb5879725fbb995aedeef853b5b1dc4c4155d423f34d004f8a0df59258cefdad5f49e617d0a74764c896b |
memory/3644-826-0x00000000007D0000-0x0000000000A66000-memory.dmp
memory/3644-827-0x000001F7BCC10000-0x000001F7BCEB8000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-17 19:03
Reported
2023-03-17 19:05
Platform
win7-20230220-en
Max time kernel
150s
Max time network
34s
Command Line
Signatures
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe | N/A |
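The three rows above show the sample, running from the user's Temp folder, enumerating, opening and querying HKLM\SYSTEM\ControlSet001\Enum\SCSI. The report does not say what was done with the result, but the subkeys under Enum\SCSI are device instance IDs of the form `Disk&Ven_<vendor>&Prod_<product>`, and reading them is a common way for a loader to spot a virtual machine by its disk vendor string (VBOX, VMware, QEMU). The code below is an added example, not the sandbox vendor's rule or anything from the report: the first function replays the signature as a detection over registry events (the three rows above plus two constructed benign events), and the second shows what such a check keys on when given a device ID. The VM marker list and the benign events are this example's own assumptions.

```python
import re

SAMPLE_PROC = r"C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe"
SCSI_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"

# (action, key, process) events: the three rows from the table above, plus two
# constructed benign events so the rule has something to leave alone.
EVENTS = [
    ("Key enumerated", SCSI_KEY, SAMPLE_PROC),
    ("Key opened", SCSI_KEY, SAMPLE_PROC),
    ("Key queried", SCSI_KEY, SAMPLE_PROC),
    ("Key opened", SCSI_KEY, r"C:\Windows\System32\svchost.exe"),  # constructed: OS component
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", SAMPLE_PROC),  # constructed: different key
]

# Any control set, the SCSI enumeration key itself or anything beneath it.
SCSI_ENUM = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Enum\\SCSI(?:\\|$)", re.I)
# Image running out of a user's profile rather than a system directory.
USER_APPDATA = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.I)


def flag_scsi_enumeration(events):
    """Return {process: {actions}} for user-profile binaries touching Enum\\SCSI."""
    hits = {}
    for action, key, process in events:
        if SCSI_ENUM.match(key) and USER_APPDATA.match(process):
            hits.setdefault(process, set()).add(action)
    return hits


# Assumed marker list; real checks use similar vendor/product substrings.
VM_MARKERS = ("vbox", "vmware", "qemu", "virtual", "xen")


def looks_virtual(device_id: str) -> bool:
    """device_id is an Enum\\SCSI subkey name such as 'Disk&Ven_VBOX&Prod_HARDDISK'."""
    fields = dict(part.split("_", 1) for part in device_id.split("&")[1:] if "_" in part)
    vendor = fields.get("Ven", "").lower()
    product = fields.get("Prod", "").lower()
    return any(marker in vendor or marker in product for marker in VM_MARKERS)


if __name__ == "__main__":
    for proc, actions in flag_scsi_enumeration(EVENTS).items():
        print(f"SCSI enumeration by user-profile binary: {proc} ({', '.join(sorted(actions))})")
    for dev in ("Disk&Ven_VBOX&Prod_HARDDISK", "Disk&Ven_NVMe&Prod_Samsung_SSD_970"):
        print(dev, "->", "virtual" if looks_virtual(dev) else "physical")
```

Only the Temp-resident sample is flagged; svchost.exe reading the same key and the sample reading the Run key are left alone. On a hardened sandbox the same check passes because the disk vendor and product strings have been changed to those of a physical disk, which is exactly what the second function makes visible.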
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe
"C:\Users\Admin\AppData\Local\Temp\195abb468e546fbaa66ec219c4ceb298.exe"
Network
Files
memory/1768-55-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1200-56-0x00000000029F0000-0x0000000002A06000-memory.dmp
memory/1768-57-0x0000000000400000-0x0000000002AFB000-memory.dmp