Analysis Overview
SHA256
fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505
Threat Level: Known bad
The file asdfg.exe was found to be: Known bad.
Malicious Activity Summary
Azorult
Suspicious use of NtCreateUserProcessOtherParentProcess
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported: 2023-06-30 12:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2023-06-30 12:26
Reported: 2023-06-30 12:44
Platform: win10v2004-20230621-en
Max time kernel: 110s
Max time network: 139s
Signatures
Azorult
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1048 created 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\asdfg.exe | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\asdfg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\]~[.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\EventProvider\kesmv\CanReuseTransform.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\]~[.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2860 set thread context of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\asdfg.exe | C:\Users\Admin\AppData\Local\Temp\asdfg.exe |
| PID 2164 set thread context of 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe |
| PID 4184 set thread context of 4252 | N/A | C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe | C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe |
| PID 4104 set thread context of 2036 | N/A | C:\Users\Admin\AppData\Local\Microsoft\]~[.exe | C:\Users\Admin\AppData\Local\Microsoft\]~[.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\asdfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\]~[.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\EventProvider\kesmv\CanReuseTransform.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\asdfg.exe | "C:\Users\Admin\AppData\Local\Temp\asdfg.exe" |
| C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | "C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe" |
| C:\Users\Admin\AppData\Local\Temp\asdfg.exe | C:\Users\Admin\AppData\Local\Temp\asdfg.exe |
| C:\Windows\system32\certreq.exe | "C:\Windows\system32\certreq.exe" |
| C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe |
| C:\Users\Admin\AppData\Local\Microsoft\]~[.exe | "C:\Users\Admin\AppData\Local\Microsoft\]~[.exe" |
| C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe | "C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA== |
| C:\Users\Admin\AppData\Local\EventProvider\kesmv\CanReuseTransform.exe | C:\Users\Admin\AppData\Local\EventProvider\kesmv\CanReuseTransform.exe |
| C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe | C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe |
| C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe | C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe |
| C:\Users\Admin\AppData\Local\Microsoft\]~[.exe | C:\Users\Admin\AppData\Local\Microsoft\]~[.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 20.189.173.1:443 | | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| RU | 91.103.252.25:5894 | | tcp |
| US | 8.8.8.8:53 | 25.252.103.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| RU | 91.103.252.25:5894 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| RU | 91.103.252.25:5894 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | falling.ug | udp |
| NL | 94.142.138.213:80 | falling.ug | tcp |
| US | 8.8.8.8:53 | 213.138.142.94.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
| MD5 | fc6f64c6b52d80c505cc7d6f04d0952e |
| SHA1 | 1c472c2ceb83bfcd5adc6770e35594a5b0ec5390 |
| SHA256 | c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040 |
| SHA512 | cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BLIrlccnw.exe.log
| MD5 | 9150c8f2f2f60368a855cffc9a0fcbb9 |
| SHA1 | 9853f7510a5cf97309ca7af5143b89524951f18b |
| SHA256 | 863bc8477754f103fb8917734952698cfd8c718c6286a4a093cda340e1248c57 |
| SHA512 | caf0399e9162372dbd6121ac312bdf532248be03fcf59cb798e61d1cbdc2468835f0ea68a56d81c95673713c503743cc1defbf3f06f4cee5e65a2f280aaa6228 |
C:\Users\Admin\AppData\Local\Microsoft\]~[.exe
| MD5 | eb6f02de5404da7420856701fda7f9c3 |
| SHA1 | 01753d8cd1efa2b2fbbad073cbd018790c4b869a |
| SHA256 | ab17190f4061245a370971422a902e32dbd1a559fbf2d37c5b057e907ae7019a |
| SHA512 | 23ffd99e2584ce931663dacab3243f35586288096fc6dc1bb0d18767c61817218eeb847a97acc1a78b53cbf007b567afe27994b3faa7249864775436c814e4c0 |
C:\Users\Admin\AppData\Local\Microsoft\s6Nlwe2.exe
| MD5 | db9ec5471187e3b53474ba5ec0ff8aef |
| SHA1 | 5dcf84d2cae765f57e1ea396f352873c8f84fe2a |
| SHA256 | d1d6d0594f022fe3294417fe335b8d10e8e8853114546eb916b882a8b6ee276b |
| SHA512 | bc807cef37c1337d4a6221035963b6efab80a1554354d0b425c4a8dde93a01af1da2578fdacad4f25566b9a05132d66633a769609b0ea98d84369017a9185bd1 |
C:\Users\Admin\AppData\Local\EventProvider\kesmv\CanReuseTransform.exe
| MD5 | fc6f64c6b52d80c505cc7d6f04d0952e |
| SHA1 | 1c472c2ceb83bfcd5adc6770e35594a5b0ec5390 |
| SHA256 | c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040 |
| SHA512 | cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\]~[.exe.log
| MD5 | 62d23a642ff10936a7b17b938e2f3074 |
| SHA1 | af083c5716cc20a65e6a81329ed8b304c706bee4 |
| SHA256 | d57787b0c77fe2d665bef0d4e87facb013a786bb9310af89d591a6edb4a3b1d7 |
| SHA512 | 1efa6085c9851bddf8517d41d289aca933644d8ce378f43f0c78d67a6dc25e1657d66b8baf68de3cfb814023b10dac5b8a1409d4c2a7625c78b596be7382f08b |
Analysis: behavioral1
Detonation Overview
Submitted: 2023-06-30 12:26
Reported: 2023-06-30 12:45
Platform: win7-20230621-en
Max time kernel: 150s
Max time network: 96s
Signatures
Azorult
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1088 created 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\asdfg.exe | C:\Windows\Explorer.EXE |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1760 set thread context of 1088 | N/A | C:\Users\Admin\AppData\Local\Temp\asdfg.exe | C:\Users\Admin\AppData\Local\Temp\asdfg.exe |
| PID 752 set thread context of 1476 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Pf}f.exe | C:\Users\Admin\AppData\Local\Microsoft\Pf}f.exe |
| PID 2000 set thread context of 528 | N/A | C:\Users\Admin\AppData\Local\Microsoft\(k8VfpO.exe | C:\Users\Admin\AppData\Local\Microsoft\(k8VfpO.exe |
| PID 1036 set thread context of 1884 | N/A | C:\Users\Admin\AppData\Roaming\Method\DataPointer.exe | C:\Users\Admin\AppData\Roaming\Method\DataPointer.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\asdfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Pf}f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\(k8VfpO.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\(k8VfpO.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Method\DataPointer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\asdfg.exe | "C:\Users\Admin\AppData\Local\Temp\asdfg.exe" |
| C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | "C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe" |
| C:\Users\Admin\AppData\Local\Temp\asdfg.exe | C:\Users\Admin\AppData\Local\Temp\asdfg.exe |
| C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe |
| C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe |
| C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe |
| C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe |
| C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe |
| C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe |
| C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe |
| C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe |
| C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe |
| C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe | C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe |
| C:\Windows\system32\certreq.exe | "C:\Windows\system32\certreq.exe" |
| C:\Users\Admin\AppData\Local\Microsoft\(k8VfpO.exe | "C:\Users\Admin\AppData\Local\Microsoft\(k8VfpO.exe" |
| C:\Users\Admin\AppData\Local\Microsoft\Pf}f.exe | "C:\Users\Admin\AppData\Local\Microsoft\Pf}f.exe" |
| C:\Users\Admin\AppData\Local\Microsoft\Pf}f.exe | C:\Users\Admin\AppData\Local\Microsoft\Pf}f.exe |
| C:\Users\Admin\AppData\Local\Microsoft\Pf}f.exe | C:\Users\Admin\AppData\Local\Microsoft\Pf}f.exe |
| C:\Users\Admin\AppData\Local\Microsoft\Pf}f.exe | C:\Users\Admin\AppData\Local\Microsoft\Pf}f.exe |
| C:\Users\Admin\AppData\Local\Microsoft\(k8VfpO.exe | C:\Users\Admin\AppData\Local\Microsoft\(k8VfpO.exe |
| C:\Windows\system32\taskeng.exe | taskeng.exe {D3A7389D-47A7-42D3-90D5-109220A831FF} S-1-5-21-4102714285-680558483-2379744688-1000:ZKKYSKKQ\Admin:S4U: |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA== |
| C:\Windows\system32\taskeng.exe | taskeng.exe {C23E3157-A657-4D18-8AAF-0F1E2C60FFA9} S-1-5-21-4102714285-680558483-2379744688-1000:ZKKYSKKQ\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Roaming\Method\DataPointer.exe | C:\Users\Admin\AppData\Roaming\Method\DataPointer.exe |
| C:\Users\Admin\AppData\Roaming\Method\DataPointer.exe | C:\Users\Admin\AppData\Roaming\Method\DataPointer.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 91.103.252.25:5894 | | tcp |
| RU | 91.103.252.25:5894 | | tcp |
| RU | 91.103.252.25:5894 | | tcp |
| US | 8.8.8.8:53 | falling.ug | udp |
| NL | 94.142.138.213:80 | falling.ug | tcp |
Files
\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
| MD5 | fc6f64c6b52d80c505cc7d6f04d0952e |
| SHA1 | 1c472c2ceb83bfcd5adc6770e35594a5b0ec5390 |
| SHA256 | c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040 |
| SHA512 | cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c |
C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
| MD5 | fc6f64c6b52d80c505cc7d6f04d0952e |
| SHA1 | 1c472c2ceb83bfcd5adc6770e35594a5b0ec5390 |
| SHA256 | c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040 |
| SHA512 | cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c |
memory/1404-990-0x0000000000370000-0x00000000004B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
| MD5 | fc6f64c6b52d80c505cc7d6f04d0952e |
| SHA1 | 1c472c2ceb83bfcd5adc6770e35594a5b0ec5390 |
| SHA256 | c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040 |
| SHA512 | cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c |
memory/1404-991-0x0000000004810000-0x0000000004944000-memory.dmp
memory/1404-1052-0x00000000049B0000-0x00000000049F0000-memory.dmp
memory/1088-1245-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1404-1928-0x0000000004CD0000-0x0000000004D90000-memory.dmp
\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
| MD5 | fc6f64c6b52d80c505cc7d6f04d0952e |
| SHA1 | 1c472c2ceb83bfcd5adc6770e35594a5b0ec5390 |
| SHA256 | c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040 |
| SHA512 | cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c |
\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
| MD5 | fc6f64c6b52d80c505cc7d6f04d0952e |
| SHA1 | 1c472c2ceb83bfcd5adc6770e35594a5b0ec5390 |
| SHA256 | c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040 |
| SHA512 | cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c |
C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
| MD5 | fc6f64c6b52d80c505cc7d6f04d0952e |
| SHA1 | 1c472c2ceb83bfcd5adc6770e35594a5b0ec5390 |
| SHA256 | c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040 |
| SHA512 | cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c |
memory/1404-1936-0x0000000000580000-0x0000000000581000-memory.dmp
memory/1088-1957-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1088-1959-0x0000000000400000-0x0000000000471000-memory.dmp
\Users\Admin\AppData\Local\Microsoft\(k8VfpO.exe
| MD5 | eb6f02de5404da7420856701fda7f9c3 |
| SHA1 | 01753d8cd1efa2b2fbbad073cbd018790c4b869a |
| SHA256 | ab17190f4061245a370971422a902e32dbd1a559fbf2d37c5b057e907ae7019a |
| SHA512 | 23ffd99e2584ce931663dacab3243f35586288096fc6dc1bb0d18767c61817218eeb847a97acc1a78b53cbf007b567afe27994b3faa7249864775436c814e4c0 |
C:\Users\Admin\AppData\Local\Microsoft\(k8VfpO.exe
| MD5 | eb6f02de5404da7420856701fda7f9c3 |
| SHA1 | 01753d8cd1efa2b2fbbad073cbd018790c4b869a |
| SHA256 | ab17190f4061245a370971422a902e32dbd1a559fbf2d37c5b057e907ae7019a |
| SHA512 | 23ffd99e2584ce931663dacab3243f35586288096fc6dc1bb0d18767c61817218eeb847a97acc1a78b53cbf007b567afe27994b3faa7249864775436c814e4c0 |
C:\Users\Admin\AppData\Local\Microsoft\Pf}f.exe
| MD5 | db9ec5471187e3b53474ba5ec0ff8aef |
| SHA1 | 5dcf84d2cae765f57e1ea396f352873c8f84fe2a |
| SHA256 | d1d6d0594f022fe3294417fe335b8d10e8e8853114546eb916b882a8b6ee276b |
| SHA512 | bc807cef37c1337d4a6221035963b6efab80a1554354d0b425c4a8dde93a01af1da2578fdacad4f25566b9a05132d66633a769609b0ea98d84369017a9185bd1 |
memory/752-1981-0x0000000000E10000-0x0000000000ECC000-memory.dmp
memory/752-1982-0x00000000045A0000-0x0000000004650000-memory.dmp
memory/752-2245-0x00000000049E0000-0x0000000004A20000-memory.dmp
memory/2000-2455-0x00000000008C0000-0x0000000000A10000-memory.dmp
memory/752-2907-0x0000000000560000-0x0000000000561000-memory.dmp
memory/752-2908-0x00000000008E0000-0x000000000091C000-memory.dmp
memory/2000-2921-0x000000001ABB0000-0x000000001ACF6000-memory.dmp
memory/1476-2992-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2000-2994-0x000000001AFE0000-0x000000001B060000-memory.dmp
memory/1476-3826-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2000-3847-0x00000000007F0000-0x00000000008C2000-memory.dmp
memory/2000-3855-0x000000001AFE6000-0x000000001B01D000-memory.dmp
memory/528-3857-0x0000000140000000-0x00000001400AA000-memory.dmp
memory/528-3858-0x000000001AC60000-0x000000001AD70000-memory.dmp
memory/528-4069-0x000000001AE00000-0x000000001AE80000-memory.dmp
memory/528-6762-0x000000001AE00000-0x000000001AE80000-memory.dmp
memory/528-6777-0x0000000002170000-0x00000000021C6000-memory.dmp
memory/528-6778-0x000000001A6E0000-0x000000001A734000-memory.dmp
memory/2040-6784-0x0000000000D80000-0x0000000000E00000-memory.dmp
memory/2040-6785-0x0000000019C50000-0x0000000019F32000-memory.dmp
memory/2040-6786-0x0000000000FB0000-0x0000000000FB8000-memory.dmp
memory/2040-6787-0x0000000000D80000-0x0000000000E00000-memory.dmp
memory/2040-6788-0x0000000000D80000-0x0000000000E00000-memory.dmp
memory/2040-6789-0x0000000000D80000-0x0000000000E00000-memory.dmp
\Users\Admin\AppData\Roaming\Method\DataPointer.exe
| MD5 | eb6f02de5404da7420856701fda7f9c3 |
| SHA1 | 01753d8cd1efa2b2fbbad073cbd018790c4b869a |
| SHA256 | ab17190f4061245a370971422a902e32dbd1a559fbf2d37c5b057e907ae7019a |
| SHA512 | 23ffd99e2584ce931663dacab3243f35586288096fc6dc1bb0d18767c61817218eeb847a97acc1a78b53cbf007b567afe27994b3faa7249864775436c814e4c0 |
C:\Users\Admin\AppData\Roaming\Method\DataPointer.exe
| MD5 | eb6f02de5404da7420856701fda7f9c3 |
| SHA1 | 01753d8cd1efa2b2fbbad073cbd018790c4b869a |
| SHA256 | ab17190f4061245a370971422a902e32dbd1a559fbf2d37c5b057e907ae7019a |
| SHA512 | 23ffd99e2584ce931663dacab3243f35586288096fc6dc1bb0d18767c61817218eeb847a97acc1a78b53cbf007b567afe27994b3faa7249864775436c814e4c0 |
memory/1036-6794-0x0000000000960000-0x0000000000AB0000-memory.dmp
memory/1036-6795-0x000000001AC70000-0x000000001ACF0000-memory.dmp
memory/1036-7718-0x000000001ABA0000-0x000000001AC72000-memory.dmp
memory/1036-7725-0x000000001AC76000-0x000000001ACAD000-memory.dmp
memory/1884-7812-0x000000001B090000-0x000000001B110000-memory.dmp
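The dropped-file and memory-dump listing above is the raw material for indicators, but it repeats the same path many times and lists the same binary under different names (DataPointer.exe carries exactly the MD5/SHA1/SHA256/SHA512 of (k8VfpO.exe). The parser below, an added example that is not part of the sandbox report or of any vendor tooling, reads entries in this report's format (a path line followed by `| MD5 | … |` rows, and `memory/<pid>-<n>-<start>-<end>-memory.dmp` lines), collapses duplicates, flags hashes shared across distinct paths, and groups dump regions per PID. The sample input is copied from the report above; treating the second numeric field of a dump name as an event sequence number is an assumption.

```python
"""Extract de-duplicated file IOCs and per-PID memory regions from a
sandbox report in the layout shown above.  Added example, not the
report's or the sandbox vendor's own code."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the report above, with the
# SHA512 rows dropped for brevity (the parser accepts them too).
SAMPLE = r"""
\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
| MD5 | fc6f64c6b52d80c505cc7d6f04d0952e |
| SHA1 | 1c472c2ceb83bfcd5adc6770e35594a5b0ec5390 |
| SHA256 | c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040 |
C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe
| MD5 | fc6f64c6b52d80c505cc7d6f04d0952e |
| SHA1 | 1c472c2ceb83bfcd5adc6770e35594a5b0ec5390 |
| SHA256 | c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040 |
memory/1088-1245-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\(k8VfpO.exe
| MD5 | eb6f02de5404da7420856701fda7f9c3 |
| SHA1 | 01753d8cd1efa2b2fbbad073cbd018790c4b869a |
| SHA256 | ab17190f4061245a370971422a902e32dbd1a559fbf2d37c5b057e907ae7019a |
memory/528-3857-0x0000000140000000-0x00000001400AA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Method\DataPointer.exe
| MD5 | eb6f02de5404da7420856701fda7f9c3 |
| SHA1 | 01753d8cd1efa2b2fbbad073cbd018790c4b869a |
| SHA256 | ab17190f4061245a370971422a902e32dbd1a559fbf2d37c5b057e907ae7019a |
memory/1088-1957-0x0000000000400000-0x0000000000471000-memory.dmp
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Assumption: second field is the event sequence number within the run.
MEM_DUMP = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def normalize_path(path):
    """Strip the drive letter and fold case so `\\Users\\...` and
    `C:\\Users\\...` refer to the same file."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_report(text):
    """Return (files, dumps).  Each file is {'path', 'hashes'}; each dump is
    {'pid', 'seq', 'start', 'end'} with addresses as ints."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None          # a dump line ends the current file entry
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        current = {"path": line, "hashes": {}}   # any other line starts a file
        files.append(current)
    return files, dumps


def unique_files(files):
    """Collapse repeated entries, keyed on (normalized path, SHA256)."""
    seen = {}
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha:
            seen.setdefault((normalize_path(f["path"]), sha), f)
    return list(seen.values())


def shared_hashes(files):
    """SHA256 -> sorted distinct paths, for hashes seen under more than one name."""
    by_hash = defaultdict(set)
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha:
            by_hash[sha].add(normalize_path(f["path"]))
    return {sha: sorted(p) for sha, p in by_hash.items() if len(p) > 1}


def dumps_by_pid(dumps):
    """PID -> list of (start, end, size_in_bytes) in report order."""
    out = defaultdict(list)
    for d in dumps:
        out[d["pid"]].append((d["start"], d["end"], d["end"] - d["start"]))
    return dict(out)


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE)
    for f in unique_files(files):
        print(f["hashes"]["SHA256"], f["path"])
    for sha, paths in shared_hashes(files).items():
        print("same binary under several names:", sha, paths)
    for pid, regions in dumps_by_pid(dumps).items():
        print(pid, [(hex(s), hex(e), n) for s, e, n in regions])
```

Feed the whole report text instead of `SAMPLE` to get the complete IOC set; the `shared_hashes` output is what tells you that DataPointer.exe in `AppData\Roaming\Method` is a second copy of (k8VfpO.exe rather than a new payload. The per-PID region sizes help pick which dump to carve: PID 528's region starting at 0x140000000 is the default image base for 64-bit PE images, so it is the one most likely to contain an unpacked executable.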