Analysis Overview
SHA256
23fdb325235605dd05cda92f0275e08aa1d8e5df6973030835ffa63daffe74d3
Threat Level: Known bad
The file 23fdb325235605dd05cda92f0275e08aa1d8e5df6973030835ffa63daffe74d3 was found to be: Known bad.
Malicious Activity Summary
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
Djvu Ransomware
Vidar
SmokeLoader
Detected Djvu ransomware
Downloads MZ/PE file
Drops file in Drivers directory
Stops running service(s)
Deletes itself
Themida packer
Reads user/profile data of web browsers
Modifies file permissions
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Modifies system certificate store
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-10 03:39
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-10 03:39
Reported
2023-08-10 03:44
Platform
win7-20230712-en
Max time kernel
72s
Max time network
303s
Command Line
Signatures
Detected Djvu ransomware
Djvu Ransomware
RedLine
SmokeLoader
Vidar
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4C3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\170E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2928.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2928.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2928.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2928.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9D9D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E97.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2928.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2928.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2928.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2928.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B6.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\179796fb-1b36-4224-a8de-99386f0e2eb4\\1B6.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\1B6.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2920 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\1B6.exe | C:\Users\Admin\AppData\Local\Temp\1B6.exe |
| PID 1176 set thread context of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\2928.exe | C:\Users\Admin\AppData\Local\Temp\2928.exe |
| PID 1452 set thread context of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\2928.exe | C:\Users\Admin\AppData\Local\Temp\2928.exe |
| PID 856 set thread context of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\1B6.exe | C:\Users\Admin\AppData\Local\Temp\1B6.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\2928.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\2928.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\1B6.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\1B6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23fdb325235605dd05cda92f0275e08aa1d8e5df6973030835ffa63daffe74d3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23fdb325235605dd05cda92f0275e08aa1d8e5df6973030835ffa63daffe74d3.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23fdb325235605dd05cda92f0275e08aa1d8e5df6973030835ffa63daffe74d3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4C3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\170E.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23fdb325235605dd05cda92f0275e08aa1d8e5df6973030835ffa63daffe74d3.exe
"C:\Users\Admin\AppData\Local\Temp\23fdb325235605dd05cda92f0275e08aa1d8e5df6973030835ffa63daffe74d3.exe"
C:\Users\Admin\AppData\Local\Temp\1B6.exe
C:\Users\Admin\AppData\Local\Temp\1B6.exe
C:\Users\Admin\AppData\Local\Temp\4C3.exe
C:\Users\Admin\AppData\Local\Temp\4C3.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\927.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\927.dll
C:\Users\Admin\AppData\Local\Temp\170E.exe
C:\Users\Admin\AppData\Local\Temp\170E.exe
C:\Users\Admin\AppData\Local\Temp\1B6.exe
C:\Users\Admin\AppData\Local\Temp\1B6.exe
C:\Users\Admin\AppData\Local\Temp\2928.exe
C:\Users\Admin\AppData\Local\Temp\2928.exe
C:\Users\Admin\AppData\Local\Temp\2928.exe
C:\Users\Admin\AppData\Local\Temp\2928.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\179796fb-1b36-4224-a8de-99386f0e2eb4" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\2928.exe
"C:\Users\Admin\AppData\Local\Temp\2928.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\1B6.exe
"C:\Users\Admin\AppData\Local\Temp\1B6.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\2928.exe
"C:\Users\Admin\AppData\Local\Temp\2928.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\1B6.exe
"C:\Users\Admin\AppData\Local\Temp\1B6.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\9D9D.exe
C:\Users\Admin\AppData\Local\Temp\9D9D.exe
C:\Users\Admin\AppData\Local\Temp\9E97.exe
C:\Users\Admin\AppData\Local\Temp\9E97.exe
C:\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build2.exe
"C:\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build2.exe"
C:\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build2.exe
"C:\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build2.exe"
C:\Users\Admin\AppData\Local\Temp\9FB1.exe
C:\Users\Admin\AppData\Local\Temp\9FB1.exe
C:\Users\Admin\AppData\Local\Temp\D87D.exe
C:\Users\Admin\AppData\Local\Temp\D87D.exe
C:\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build3.exe
"C:\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build3.exe"
C:\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build2.exe
"C:\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build2.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\F995.exe
C:\Users\Admin\AppData\Local\Temp\F995.exe
C:\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build2.exe
"C:\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build2.exe"
C:\Users\Admin\AppData\Local\Temp\1E36.exe
C:\Users\Admin\AppData\Local\Temp\1E36.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\22AA.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\22AA.dll
C:\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build3.exe
"C:\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build3.exe"
C:\Users\Admin\AppData\Local\Temp\7942.exe
C:\Users\Admin\AppData\Local\Temp\7942.exe
C:\Users\Admin\AppData\Local\Temp\9D9D.exe
C:\Users\Admin\AppData\Local\Temp\9D9D.exe
C:\Users\Admin\AppData\Local\Temp\7A0E.exe
C:\Users\Admin\AppData\Local\Temp\7A0E.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7F8B.dll
C:\Users\Admin\AppData\Local\Temp\8160.exe
C:\Users\Admin\AppData\Local\Temp\8160.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\7F8B.dll
C:\Users\Admin\AppData\Local\Temp\97AF.exe
C:\Users\Admin\AppData\Local\Temp\97AF.exe
C:\Users\Admin\AppData\Local\Temp\F1C1.exe
C:\Users\Admin\AppData\Local\Temp\F1C1.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {39B2B41B-723D-4CCE-8972-A530C1748808} S-1-5-21-722410544-1258951091-1992882075-1000:MGKTNXNO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\97AF.exe
C:\Users\Admin\AppData\Local\Temp\97AF.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.96.0:80 | potunulit.org | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| MX | 189.194.9.27:80 | colisumy.com | tcp |
| MD | 176.123.9.142:14845 | | tcp |
| NL | 108.61.99.145:3003 | 108.61.99.145 | tcp |
| MX | 189.194.9.27:80 | colisumy.com | tcp |
| RU | 79.137.192.18:80 | | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 209.250.248.11:33522 | | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | admaiscont.com.br | udp |
| US | 142.4.24.122:443 | admaiscont.com.br | tcp |
| US | 142.4.24.122:443 | admaiscont.com.br | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| MX | 189.194.9.27:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| KR | 211.59.14.90:80 | zexeq.com | tcp |
| MX | 189.194.9.27:80 | colisumy.com | tcp |
| KR | 211.59.14.90:80 | zexeq.com | tcp |
| NL | 108.61.99.145:3003 | 108.61.99.145 | tcp |
| KR | 211.59.14.90:80 | zexeq.com | tcp |
| NL | 108.61.99.145:3003 | 108.61.99.145 | tcp |
| MX | 189.194.9.27:80 | colisumy.com | tcp |
| RU | 79.137.192.18:80 | | tcp |
| KR | 211.59.14.90:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| JP | 23.207.106.113:443 | steamcommunity.com | tcp |
| US | 142.4.24.122:443 | admaiscont.com.br | tcp |
| US | 142.4.24.122:443 | admaiscont.com.br | tcp |
| NL | 108.61.99.145:3003 | 108.61.99.145 | tcp |
| MX | 189.194.9.27:80 | colisumy.com | tcp |
| RU | 79.137.192.18:80 | | tcp |
| NL | 209.250.248.11:33522 | | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 142.4.24.122:443 | admaiscont.com.br | tcp |
| US | 142.4.24.122:443 | admaiscont.com.br | tcp |
| NL | 108.61.99.145:3003 | 108.61.99.145 | tcp |
| NL | 209.250.248.11:33522 | | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| JP | 23.207.106.113:443 | steamcommunity.com | tcp |
| FI | 95.217.28.234:80 | 95.217.28.234 | tcp |
Files
memory/2068-54-0x0000000000220000-0x0000000000235000-memory.dmp
memory/2068-55-0x0000000000240000-0x0000000000249000-memory.dmp
memory/2068-56-0x0000000000400000-0x00000000018BB000-memory.dmp
memory/1352-58-0x00000000026B0000-0x00000000026C6000-memory.dmp
memory/2068-59-0x0000000000400000-0x00000000018BB000-memory.dmp
memory/2068-62-0x0000000000240000-0x0000000000249000-memory.dmp
memory/2068-63-0x0000000000220000-0x0000000000235000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1B6.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
C:\Users\Admin\AppData\Local\Temp\1B6.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
C:\Users\Admin\AppData\Local\Temp\4C3.exe
| MD5 | 774f757d2c792104dac758a00557b2e7 |
| SHA1 | dc1b4c9de11675339e5f98d311a47ed56a53a9f0 |
| SHA256 | 624bf50e4149abe4f31d19a97a839ac197f9e052093c3312bf3a575fec57e100 |
| SHA512 | 7bc35860f4741085a9fb093404393d7a9df48e5e46f1bbe8e56e1a2a1c44304565c246df65b844041e0410eb2f95fa88e5ba2dc9618e3b613ce191c23916ea73 |
C:\Users\Admin\AppData\Local\Temp\4C3.exe
| MD5 | 774f757d2c792104dac758a00557b2e7 |
| SHA1 | dc1b4c9de11675339e5f98d311a47ed56a53a9f0 |
| SHA256 | 624bf50e4149abe4f31d19a97a839ac197f9e052093c3312bf3a575fec57e100 |
| SHA512 | 7bc35860f4741085a9fb093404393d7a9df48e5e46f1bbe8e56e1a2a1c44304565c246df65b844041e0410eb2f95fa88e5ba2dc9618e3b613ce191c23916ea73 |
memory/1676-80-0x00000000003C0000-0x00000000003F0000-memory.dmp
memory/1676-79-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\927.dll
| MD5 | ab37d4c53a605023d7199153f218a6f6 |
| SHA1 | b02c1b0d562f8d1b7d8833c7442645368a9b5de8 |
| SHA256 | a5239d97202125e36665f294b236b473435677324c18638251e87a56dd100c16 |
| SHA512 | a67f3096e527930a643545d20728e09d160a851122681605df2a30a7bd6b759501cc08d24e6c9aa8a1019c92d283ff97031db207375be04a2f7a9c2b70f552a7 |
memory/1676-86-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/1676-87-0x0000000000890000-0x0000000000896000-memory.dmp
\Users\Admin\AppData\Local\Temp\927.dll
| MD5 | ab37d4c53a605023d7199153f218a6f6 |
| SHA1 | b02c1b0d562f8d1b7d8833c7442645368a9b5de8 |
| SHA256 | a5239d97202125e36665f294b236b473435677324c18638251e87a56dd100c16 |
| SHA512 | a67f3096e527930a643545d20728e09d160a851122681605df2a30a7bd6b759501cc08d24e6c9aa8a1019c92d283ff97031db207375be04a2f7a9c2b70f552a7 |
memory/2708-90-0x0000000000AA0000-0x0000000000CE3000-memory.dmp
memory/2708-91-0x0000000000AA0000-0x0000000000CE3000-memory.dmp
memory/1676-92-0x00000000046F0000-0x0000000004730000-memory.dmp
memory/2708-93-0x00000000003B0000-0x00000000003B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\170E.exe
| MD5 | b13a7f21bcaf52673454487c20617578 |
| SHA1 | cb81e6d6246dcc8a5662761c780ccb18b6c4169d |
| SHA256 | 944b6fc8f6f1406cf4dd166be1d4d1be9213a773646bd17e84e2ec886c382727 |
| SHA512 | 2d012c00cfc84aa64f34ef23d015bd78fee5831b6814aac1f980f959e01cff90450867eb1c269bf076d6ab3654ccd63dcebcb96741517b6d8cf207c67135ebcc |
C:\Users\Admin\AppData\Local\Temp\170E.exe
| MD5 | b13a7f21bcaf52673454487c20617578 |
| SHA1 | cb81e6d6246dcc8a5662761c780ccb18b6c4169d |
| SHA256 | 944b6fc8f6f1406cf4dd166be1d4d1be9213a773646bd17e84e2ec886c382727 |
| SHA512 | 2d012c00cfc84aa64f34ef23d015bd78fee5831b6814aac1f980f959e01cff90450867eb1c269bf076d6ab3654ccd63dcebcb96741517b6d8cf207c67135ebcc |
memory/2920-101-0x0000000000220000-0x00000000002B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1B6.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/2920-102-0x0000000001940000-0x0000000001A5B000-memory.dmp
\Users\Admin\AppData\Local\Temp\1B6.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/2704-105-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2704-107-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1B6.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/2704-110-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2704-111-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1676-112-0x0000000074200000-0x00000000748EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2928.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/1676-119-0x00000000046F0000-0x0000000004730000-memory.dmp
memory/2312-128-0x0000000000290000-0x00000000002B9000-memory.dmp
memory/2312-130-0x0000000003060000-0x000000000309F000-memory.dmp
memory/2312-129-0x00000000031C0000-0x00000000031F8000-memory.dmp
memory/2312-131-0x0000000003510000-0x0000000003544000-memory.dmp
memory/2312-133-0x0000000000400000-0x00000000018CF000-memory.dmp
memory/2312-132-0x0000000003240000-0x0000000003246000-memory.dmp
memory/2312-134-0x0000000005B20000-0x0000000005B60000-memory.dmp
memory/2312-135-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/2312-137-0x0000000005B20000-0x0000000005B60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab4C6D.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
C:\Users\Admin\AppData\Local\Temp\2928.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
\Users\Admin\AppData\Local\Temp\2928.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/1352-154-0x000007FEF5270000-0x000007FEF53B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2928.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/1352-156-0x000007FF02260000-0x000007FF0226A000-memory.dmp
memory/1516-160-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar55D3.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | a8cfb50a0e434d61c5950c39939c75ab |
| SHA1 | bed51ce8cf805476ca8763e14a8fb83224734587 |
| SHA256 | 418a1bfd833d82ff4c82f9326971c97b57d048413b142dd3268e4192b09f4b67 |
| SHA512 | 4b2dc5c0cf7e3557cd1f9c6e7898915f789c0c45a0573f4ef8775ad473411a0a1c383199a80f9c830f9dd37a65531212cea0cedb60964e4a75fd9dff92171b61 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 4d1072f26d70373d9e192a62836a0f2c |
| SHA1 | ec82869e724667b6751c875e045d45439fd48bd3 |
| SHA256 | 8cde76056b84b6b2786202a558c80a74ac3adc343f556a5b3bc9bc5eb05cfab0 |
| SHA512 | ac0f72ea32a8f0d8974c11c9ff7c7207ecc7d2d091538406cd14433242c5104bf5d77e9ff2dae944cd8a21bce2b6f83ce9d4c217e1bc2aff8e7a7853b75a5f3b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | cde3004d458a86374c76b63425fc9b8c |
| SHA1 | 91ed2720991b113dc6ee6b5705ec24b270e081df |
| SHA256 | 3851e2bff744375020167c2341984024cb6ee0e3d120685ad3e984125bb11447 |
| SHA512 | 9ee9bd7550fb17ae13920ffd7a803727a35d823132f0fbe216d8bbbb09959cc673221d58e1f1b81909a634effedfb74ef29b3e0278a37590d2550db9b6d5cb5f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 5463accfd07ab264270ed619fd0db708 |
| SHA1 | 0a58387b9ca93d3d39a9caa1a0903057dd035d59 |
| SHA256 | 2a0aeae671999bb4c68c922fa7f79d18dda6668a9c4c79a575ab4d846459fddd |
| SHA512 | 671d1a6f2f9d0a108ef85b105bcaa59ffb55e15cc7f84bd289cc8d3a13c496e7c45c2587e1e5c6ec76cfa6fb02b3dc10970ae353aeb3ec95a9180a97365605ab |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7eb600787e3415ea21ae3bb0a195c1c4 |
| SHA1 | 33dfef21c9708b80772cc2f8628e1571d8c9e559 |
| SHA256 | 52f56a077b0f0cd6367cc6ed0a38a923d8ca991dc067f60615428b92ef280309 |
| SHA512 | 6d5f61e4ea0efabc63b4b999d4dfc9f7b8a7b34a0b7c7f89390e1c11be0707ded07b0dc6476e63f47a9762d6428340fc545dcc75a1e01365922710353315b45f |
C:\Users\Admin\AppData\Local\179796fb-1b36-4224-a8de-99386f0e2eb4\1B6.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/1516-194-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\2928.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
\Users\Admin\AppData\Local\Temp\2928.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
C:\Users\Admin\AppData\Local\Temp\2928.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/2708-198-0x0000000002370000-0x000000000247C000-memory.dmp
memory/2708-199-0x0000000002480000-0x0000000002571000-memory.dmp
memory/2708-202-0x0000000002480000-0x0000000002571000-memory.dmp
memory/2312-204-0x0000000005B20000-0x0000000005B60000-memory.dmp
memory/2708-203-0x0000000002480000-0x0000000002571000-memory.dmp
memory/2312-205-0x0000000005B20000-0x0000000005B60000-memory.dmp
\Users\Admin\AppData\Local\Temp\1B6.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
\Users\Admin\AppData\Local\Temp\1B6.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/2704-208-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1B6.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/2312-212-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/2312-213-0x0000000005B20000-0x0000000005B60000-memory.dmp
memory/2312-214-0x0000000005B20000-0x0000000005B60000-memory.dmp
memory/1676-216-0x0000000074200000-0x00000000748EE000-memory.dmp
\Users\Admin\AppData\Local\Temp\2928.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/2256-223-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2928.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/2256-224-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\1B6.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
C:\Users\Admin\AppData\Local\Temp\1B6.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/2256-234-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2256-243-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1884-248-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2312-247-0x0000000000400000-0x00000000018CF000-memory.dmp
memory/2312-249-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/1884-259-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1884-260-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9D9D.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
C:\Users\Admin\AppData\Local\Temp\9D9D.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
C:\Users\Admin\AppData\Local\Temp\9E97.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
memory/2256-279-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2256-277-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
memory/1884-311-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
memory/1884-308-0x0000000000400000-0x0000000000537000-memory.dmp
C:\SystemID\PersonalID.txt
| MD5 | edea70af63654c8ba57a9d59e1525734 |
| SHA1 | ed22b7b9c45a1e8a4df769a0c6f6e626373c640c |
| SHA256 | 5fac3f86ebd9436d74331c7951f44f8626d66dca56e1114b5dbc7fabba04057b |
| SHA512 | 387561eeb34d598fee5af4f4700160b17adcffb5da43fb84bd053a4306f4aba03b7910d0c59feada7a4a60a8901c4b26650f4bf07481164cfdbd6892acec6453 |
memory/2256-306-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
memory/2256-290-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
C:\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
memory/1884-284-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\bowsakkdestx.txt
| MD5 | fd6fd7111bf7a89890ae55830e151166 |
| SHA1 | 4ececff98c7b4d3603f102e9e4783605e5d43a76 |
| SHA256 | 3c4e107d0f9affe7e9ec0c331f6edde2736084f80294a8bf0151be9bfefbd56b |
| SHA512 | 58ecba98d288b4c437e9ffe1c24063ddb067357c7a5b5ee5a03c6ddba55d03681137bd5c083d30388c1e1d3f2e8ebee541558b50f927835d89419b1682efda4d |
memory/1884-316-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D87D.exe
| MD5 | b13a7f21bcaf52673454487c20617578 |
| SHA1 | cb81e6d6246dcc8a5662761c780ccb18b6c4169d |
| SHA256 | 944b6fc8f6f1406cf4dd166be1d4d1be9213a773646bd17e84e2ec886c382727 |
| SHA512 | 2d012c00cfc84aa64f34ef23d015bd78fee5831b6814aac1f980f959e01cff90450867eb1c269bf076d6ab3654ccd63dcebcb96741517b6d8cf207c67135ebcc |
memory/2256-323-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9FB1.exe
| MD5 | b13a7f21bcaf52673454487c20617578 |
| SHA1 | cb81e6d6246dcc8a5662761c780ccb18b6c4169d |
| SHA256 | 944b6fc8f6f1406cf4dd166be1d4d1be9213a773646bd17e84e2ec886c382727 |
| SHA512 | 2d012c00cfc84aa64f34ef23d015bd78fee5831b6814aac1f980f959e01cff90450867eb1c269bf076d6ab3654ccd63dcebcb96741517b6d8cf207c67135ebcc |
memory/1884-326-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2256-338-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
memory/2964-339-0x00000000024B0000-0x00000000025B0000-memory.dmp
memory/2964-344-0x0000000000270000-0x00000000002E8000-memory.dmp
C:\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
memory/1972-350-0x00000000024D0000-0x00000000025D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F995.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
C:\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
C:\Users\Admin\AppData\Local\Temp\22AA.dll
| MD5 | ab37d4c53a605023d7199153f218a6f6 |
| SHA1 | b02c1b0d562f8d1b7d8833c7442645368a9b5de8 |
| SHA256 | a5239d97202125e36665f294b236b473435677324c18638251e87a56dd100c16 |
| SHA512 | a67f3096e527930a643545d20728e09d160a851122681605df2a30a7bd6b759501cc08d24e6c9aa8a1019c92d283ff97031db207375be04a2f7a9c2b70f552a7 |
C:\Users\Admin\AppData\Local\Temp\1E36.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\40d31b8c-2193-4ca3-bb88-9b4c1f66ae6f\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
\Users\Admin\AppData\Local\Temp\22AA.dll
| MD5 | ab37d4c53a605023d7199153f218a6f6 |
| SHA1 | b02c1b0d562f8d1b7d8833c7442645368a9b5de8 |
| SHA256 | a5239d97202125e36665f294b236b473435677324c18638251e87a56dd100c16 |
| SHA512 | a67f3096e527930a643545d20728e09d160a851122681605df2a30a7bd6b759501cc08d24e6c9aa8a1019c92d283ff97031db207375be04a2f7a9c2b70f552a7 |
memory/2380-398-0x00000000030F0000-0x0000000003181000-memory.dmp
memory/2380-400-0x00000000031A0000-0x00000000032BB000-memory.dmp
memory/560-401-0x0000000000400000-0x000000000048C000-memory.dmp
\Users\Admin\AppData\Local\Temp\9D9D.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
C:\Users\Admin\AppData\Local\Temp\9D9D.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
C:\Users\Admin\AppData\Local\Temp\7A0E.exe
| MD5 | b13a7f21bcaf52673454487c20617578 |
| SHA1 | cb81e6d6246dcc8a5662761c780ccb18b6c4169d |
| SHA256 | 944b6fc8f6f1406cf4dd166be1d4d1be9213a773646bd17e84e2ec886c382727 |
| SHA512 | 2d012c00cfc84aa64f34ef23d015bd78fee5831b6814aac1f980f959e01cff90450867eb1c269bf076d6ab3654ccd63dcebcb96741517b6d8cf207c67135ebcc |
C:\Users\Admin\AppData\Local\Temp\97AF.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/1884-437-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7F8B.dll
| MD5 | ab37d4c53a605023d7199153f218a6f6 |
| SHA1 | b02c1b0d562f8d1b7d8833c7442645368a9b5de8 |
| SHA256 | a5239d97202125e36665f294b236b473435677324c18638251e87a56dd100c16 |
| SHA512 | a67f3096e527930a643545d20728e09d160a851122681605df2a30a7bd6b759501cc08d24e6c9aa8a1019c92d283ff97031db207375be04a2f7a9c2b70f552a7 |
C:\Users\Admin\AppData\Local\Temp\8160.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
memory/2124-442-0x0000000005BC0000-0x0000000005BF4000-memory.dmp
\Users\Admin\AppData\Local\Temp\7F8B.dll
| MD5 | ab37d4c53a605023d7199153f218a6f6 |
| SHA1 | b02c1b0d562f8d1b7d8833c7442645368a9b5de8 |
| SHA256 | a5239d97202125e36665f294b236b473435677324c18638251e87a56dd100c16 |
| SHA512 | a67f3096e527930a643545d20728e09d160a851122681605df2a30a7bd6b759501cc08d24e6c9aa8a1019c92d283ff97031db207375be04a2f7a9c2b70f552a7 |
C:\Users\Admin\AppData\Local\Temp\7942.exe
| MD5 | b13a7f21bcaf52673454487c20617578 |
| SHA1 | cb81e6d6246dcc8a5662761c780ccb18b6c4169d |
| SHA256 | 944b6fc8f6f1406cf4dd166be1d4d1be9213a773646bd17e84e2ec886c382727 |
| SHA512 | 2d012c00cfc84aa64f34ef23d015bd78fee5831b6814aac1f980f959e01cff90450867eb1c269bf076d6ab3654ccd63dcebcb96741517b6d8cf207c67135ebcc |
memory/2124-443-0x0000000000400000-0x00000000018CF000-memory.dmp
memory/2708-445-0x00000000000D0000-0x00000000000D6000-memory.dmp
memory/2124-446-0x0000000005C90000-0x0000000005CD0000-memory.dmp
memory/2124-454-0x0000000005C90000-0x0000000005CD0000-memory.dmp
memory/2124-455-0x0000000005C90000-0x0000000005CD0000-memory.dmp
memory/2124-456-0x0000000072F50000-0x000000007363E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F1C1.exe
| MD5 | b13a7f21bcaf52673454487c20617578 |
| SHA1 | cb81e6d6246dcc8a5662761c780ccb18b6c4169d |
| SHA256 | 944b6fc8f6f1406cf4dd166be1d4d1be9213a773646bd17e84e2ec886c382727 |
| SHA512 | 2d012c00cfc84aa64f34ef23d015bd78fee5831b6814aac1f980f959e01cff90450867eb1c269bf076d6ab3654ccd63dcebcb96741517b6d8cf207c67135ebcc |
C:\Users\Admin\AppData\Local\Temp\9D9D.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | f273c3a51c9a69b7f94fd4e2c67824ac |
| SHA1 | 0d33170c7311d6d9dbd05fb538cd881d3973bd0b |
| SHA256 | 31bc671aba992fa915b145456b397f1dc14ef08a6c147f946b073e72ba0317ea |
| SHA512 | c064ee236a685ebc2dd025a1d4e9e7420f71300e1da38a352a72862d5e0308649d1b83332fbade35c1a078ee03f708152b9e5d6bcafb2d84d913f51026dfbe8d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
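The dropped-file listing above runs to dozens of entries but contains only a handful of distinct binaries: the same MD5/SHA1/SHA256 set recurs under 1B6.exe, 2928.exe, F995.exe and 97AF.exe, the same again for 9D9D.exe, 9E97.exe, 1E36.exe and 8160.exe, and every path tends to appear once with and once without the drive letter. The script below is an added example, not part of the report or of the sandbox's own tooling. It parses the listing format used here (a path line followed by `| ALGO | digest |` rows, with `memory/...` dump lines interleaved), validates digest lengths, folds the two path spellings together and groups entries by SHA-256, so the listing collapses to one row per payload. SAMPLE is an abbreviated excerpt of the listing above (SHA512 rows left out to keep it short); the function names are this example's own.

```python
"""Collapse a sandbox report's dropped-file listing to its unique payloads.

Added example; it is not part of the report above or of any sandbox's tooling.
Assumed input format, taken from the listing above: a path line, then one
'| ALGO | hexdigest |' row per hash, with
'memory/PID-SEQ-0xSTART-0xEND-memory.dmp' lines interleaved. SAMPLE is an
abbreviated excerpt of that listing (SHA512 rows left out for brevity; the
parser accepts them).
"""
import re

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\")      # 'C:\...' or the drive-less '\Users\...'
MEMORY_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

SAMPLE = r"""
C:\Users\Admin\AppData\Local\179796fb-1b36-4224-a8de-99386f0e2eb4\1B6.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
memory/1516-194-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\2928.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
C:\Users\Admin\AppData\Local\Temp\2928.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
C:\Users\Admin\AppData\Local\8d15c752-5cae-440f-b580-aef0cd548800\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
C:\SystemID\PersonalID.txt
| MD5 | edea70af63654c8ba57a9d59e1525734 |
| SHA1 | ed22b7b9c45a1e8a4df769a0c6f6e626373c640c |
| SHA256 | 5fac3f86ebd9436d74331c7951f44f8626d66dca56e1114b5dbc7fabba04057b |
"""


def parse_listing(text):
    """One dict per dropped file ({'kind': 'file', 'path', 'md5', ...}) or memory dump."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_LINE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            entries.append({"kind": "memory", "pid": int(pid), "seq": int(seq),
                            "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:            # catch truncated or garbled digests
                raise ValueError(f"bad {algo} length for {current['path']}")
            current[algo.lower()] = digest
            continue
        if PATH_LINE.match(line):
            current = {"kind": "file", "path": line}
            entries.append(current)
            continue
        current = None                                   # headings etc. end the entry
    return entries


def normalize_path(path):
    """Drop the drive letter and fold case so both spellings of a path compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def group_by_sha256(entries):
    """SHA-256 -> {md5, sha1, paths, drops}; raises if one SHA-256 shows two MD5s or SHA1s."""
    groups = {}
    for e in entries:
        if e["kind"] != "file" or "sha256" not in e:
            continue
        g = groups.setdefault(e["sha256"], {"md5": e.get("md5"), "sha1": e.get("sha1"),
                                            "paths": set(), "drops": 0})
        for algo in ("md5", "sha1"):
            if e.get(algo) and g[algo] and e[algo] != g[algo]:
                raise ValueError(f"{algo} mismatch for {e['sha256']}")
        g["paths"].add(normalize_path(e["path"]))
        g["drops"] += 1
    return groups


def multi_name_payloads(groups):
    """Payloads written under more than one file name, i.e. one binary re-dropped."""
    return sorted(sha for sha, g in groups.items()
                  if len({p.rsplit("\\", 1)[-1] for p in g["paths"]}) > 1)


def memory_regions(entries):
    """(pid, start, end, size) per dumped region, so dumps can be matched to processes."""
    return [(e["pid"], e["start"], e["end"], e["end"] - e["start"])
            for e in entries if e["kind"] == "memory"]
```

Run `group_by_sha256(parse_listing(text))` over the full listing to get one row per payload with its drop count and every path it was written to; `multi_name_payloads` then lists the digests that were re-dropped under several random names, which is the set worth blocking by hash rather than by path.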
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-10 03:39
Reported
2023-08-10 03:44
Platform
win10-20230703-en
Max time kernel
188s
Max time network
299s
Command Line
Signatures
Detected Djvu ransomware
Djvu Ransomware
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 692 created 3724 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE |
| PID 692 created 3724 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE |
| PID 692 created 3724 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE |
| PID 692 created 3724 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE |
| PID 692 created 3724 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE |
Vidar
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Windows\Temp\setup.exe | N/A |
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Themida packer
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\46f6f315-df16-4b53-860c-b7ba2abf753c\\DECD.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\DECD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppLaunch = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Temp\setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cli.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23fdb325235605dd05cda92f0275e08aa1d8e5df6973030835ffa63daffe74d3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\770C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8BD5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E093.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EC2F.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\23fdb325235605dd05cda92f0275e08aa1d8e5df6973030835ffa63daffe74d3.exe
"C:\Users\Admin\AppData\Local\Temp\23fdb325235605dd05cda92f0275e08aa1d8e5df6973030835ffa63daffe74d3.exe"
C:\Users\Admin\AppData\Local\Temp\DECD.exe
C:\Users\Admin\AppData\Local\Temp\DECD.exe
C:\Users\Admin\AppData\Local\Temp\E093.exe
C:\Users\Admin\AppData\Local\Temp\E093.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E2B7.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\E2B7.dll
C:\Users\Admin\AppData\Local\Temp\EC2F.exe
C:\Users\Admin\AppData\Local\Temp\EC2F.exe
C:\Users\Admin\AppData\Local\Temp\DECD.exe
C:\Users\Admin\AppData\Local\Temp\DECD.exe
C:\Users\Admin\AppData\Local\Temp\C89.exe
C:\Users\Admin\AppData\Local\Temp\C89.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\46f6f315-df16-4b53-860c-b7ba2abf753c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\DECD.exe
"C:\Users\Admin\AppData\Local\Temp\DECD.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\C89.exe
C:\Users\Admin\AppData\Local\Temp\C89.exe
C:\Users\Admin\AppData\Local\Temp\C89.exe
"C:\Users\Admin\AppData\Local\Temp\C89.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\DECD.exe
"C:\Users\Admin\AppData\Local\Temp\DECD.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\C89.exe
"C:\Users\Admin\AppData\Local\Temp\C89.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
C:\Users\Admin\AppData\Local\Temp\cli.exe
"C:\Users\Admin\AppData\Local\Temp\cli.exe"
C:\Users\Admin\AppData\Local\526e552a-d63e-427f-b2ec-af728bb99514\build2.exe
"C:\Users\Admin\AppData\Local\526e552a-d63e-427f-b2ec-af728bb99514\build2.exe"
C:\Users\Admin\AppData\Local\6e6a0f01-6f09-4b78-a840-fb17474bd173\build2.exe
"C:\Users\Admin\AppData\Local\6e6a0f01-6f09-4b78-a840-fb17474bd173\build2.exe"
C:\Windows\Temp\setup.exe
"C:\Windows\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\cc.exe
"C:\Users\Admin\AppData\Local\Temp\cc.exe"
C:\Users\Admin\AppData\Local\526e552a-d63e-427f-b2ec-af728bb99514\build3.exe
"C:\Users\Admin\AppData\Local\526e552a-d63e-427f-b2ec-af728bb99514\build3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\526e552a-d63e-427f-b2ec-af728bb99514\build2.exe
"C:\Users\Admin\AppData\Local\526e552a-d63e-427f-b2ec-af728bb99514\build2.exe"
C:\Users\Admin\AppData\Local\6e6a0f01-6f09-4b78-a840-fb17474bd173\build3.exe
"C:\Users\Admin\AppData\Local\6e6a0f01-6f09-4b78-a840-fb17474bd173\build3.exe"
C:\Users\Admin\AppData\Local\Temp\770C.exe
C:\Users\Admin\AppData\Local\Temp\770C.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\6e6a0f01-6f09-4b78-a840-fb17474bd173\build2.exe
"C:\Users\Admin\AppData\Local\6e6a0f01-6f09-4b78-a840-fb17474bd173\build2.exe"
C:\Users\Admin\AppData\Local\Temp\8258.exe
C:\Users\Admin\AppData\Local\Temp\8258.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 288
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=17529 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data8RZ7G" --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data8RZ7G" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data8RZ7G\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data8RZ7G" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffdf7769758,0x7ffdf7769768,0x7ffdf7769778
C:\Users\Admin\AppData\Local\Temp\8EEB.exe
C:\Users\Admin\AppData\Local\Temp\8EEB.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1152 --field-trial-handle=1372,i,17481775489954142358,16016726726401795746,131072 --disable-features=PaintHolding /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1544 --field-trial-handle=1372,i,17481775489954142358,16016726726401795746,131072 --disable-features=PaintHolding /prefetch:8
C:\Users\Admin\AppData\Local\Temp\9759.exe
C:\Users\Admin\AppData\Local\Temp\9759.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\A1F8.exe
C:\Users\Admin\AppData\Local\Temp\A1F8.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\C60C.exe
C:\Users\Admin\AppData\Local\Temp\C60C.exe
C:\Users\Admin\AppData\Local\Temp\CC66.exe
C:\Users\Admin\AppData\Local\Temp\CC66.exe
C:\Users\Admin\AppData\Local\Temp\8258.exe
C:\Users\Admin\AppData\Local\Temp\8258.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D3D9.dll
C:\Users\Admin\AppData\Local\Temp\8EEB.exe
C:\Users\Admin\AppData\Local\Temp\8EEB.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\D3D9.dll
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\526e552a-d63e-427f-b2ec-af728bb99514\build2.exe" & exit
C:\Users\Admin\AppData\Local\Temp\8258.exe
"C:\Users\Admin\AppData\Local\Temp\8258.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\8EEB.exe
"C:\Users\Admin\AppData\Local\Temp\8EEB.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Local\Temp\C60C.exe
C:\Users\Admin\AppData\Local\Temp\C60C.exe
C:\Users\Admin\AppData\Local\Temp\CC66.exe
C:\Users\Admin\AppData\Local\Temp\CC66.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\6e6a0f01-6f09-4b78-a840-fb17474bd173\build2.exe" & exit
C:\Users\Admin\AppData\Local\Temp\C60C.exe
"C:\Users\Admin\AppData\Local\Temp\C60C.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\8258.exe
"C:\Users\Admin\AppData\Local\Temp\8258.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\8EEB.exe
"C:\Users\Admin\AppData\Local\Temp\8EEB.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\CC66.exe
"C:\Users\Admin\AppData\Local\Temp\CC66.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Users\Admin\AppData\Local\Temp\3D33.exe
C:\Users\Admin\AppData\Local\Temp\3D33.exe
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Users\Admin\AppData\Local\Temp\41F6.exe
C:\Users\Admin\AppData\Local\Temp\41F6.exe
C:\Users\Admin\AppData\Local\82c8b64c-4d0d-49d5-967b-57b47a0e7775\build2.exe
"C:\Users\Admin\AppData\Local\82c8b64c-4d0d-49d5-967b-57b47a0e7775\build2.exe"
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Users\Admin\AppData\Local\73501ab4-1fff-4fef-b8d4-2c3a61011401\build2.exe
"C:\Users\Admin\AppData\Local\73501ab4-1fff-4fef-b8d4-2c3a61011401\build2.exe"
C:\Users\Admin\AppData\Local\82c8b64c-4d0d-49d5-967b-57b47a0e7775\build2.exe
"C:\Users\Admin\AppData\Local\82c8b64c-4d0d-49d5-967b-57b47a0e7775\build2.exe"
C:\Users\Admin\AppData\Local\82c8b64c-4d0d-49d5-967b-57b47a0e7775\build3.exe
"C:\Users\Admin\AppData\Local\82c8b64c-4d0d-49d5-967b-57b47a0e7775\build3.exe"
C:\Users\Admin\AppData\Local\73501ab4-1fff-4fef-b8d4-2c3a61011401\build3.exe
"C:\Users\Admin\AppData\Local\73501ab4-1fff-4fef-b8d4-2c3a61011401\build3.exe"
C:\Users\Admin\AppData\Local\Temp\4CE4.exe
C:\Users\Admin\AppData\Local\Temp\4CE4.exe
C:\Users\Admin\AppData\Local\73501ab4-1fff-4fef-b8d4-2c3a61011401\build2.exe
"C:\Users\Admin\AppData\Local\73501ab4-1fff-4fef-b8d4-2c3a61011401\build2.exe"
C:\Users\Admin\AppData\Local\Temp\C60C.exe
"C:\Users\Admin\AppData\Local\Temp\C60C.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5CA5.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\5CA5.dll
C:\Windows\System32\sc.exe
sc stop bits
C:\Users\Admin\AppData\Local\Temp\630E.exe
C:\Users\Admin\AppData\Local\Temp\630E.exe
C:\Users\Admin\AppData\Local\Temp\CC66.exe
"C:\Users\Admin\AppData\Local\Temp\CC66.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Start-Process <#gbuyogynwdcoue#> powershell <#tqmridvipyhhgoeixtgp#> -Verb <#tqmridvipyhhgoeixtgp#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Users\Admin\AppData\Local\7ea0b8b0-fb08-420d-a8e9-c191cf5aa7ae\build2.exe
"C:\Users\Admin\AppData\Local\7ea0b8b0-fb08-420d-a8e9-c191cf5aa7ae\build2.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Users\Admin\AppData\Local\7ea0b8b0-fb08-420d-a8e9-c191cf5aa7ae\build3.exe
"C:\Users\Admin\AppData\Local\7ea0b8b0-fb08-420d-a8e9-c191cf5aa7ae\build3.exe"
C:\Users\Admin\AppData\Local\Temp\8BD5.exe
C:\Users\Admin\AppData\Local\Temp\8BD5.exe
C:\Users\Admin\AppData\Local\7ea0b8b0-fb08-420d-a8e9-c191cf5aa7ae\build2.exe
"C:\Users\Admin\AppData\Local\7ea0b8b0-fb08-420d-a8e9-c191cf5aa7ae\build2.exe"
C:\Users\Admin\AppData\Local\07d87cdd-844d-4f48-ba49-082785507e65\build2.exe
"C:\Users\Admin\AppData\Local\07d87cdd-844d-4f48-ba49-082785507e65\build2.exe"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Users\Admin\AppData\Local\07d87cdd-844d-4f48-ba49-082785507e65\build3.exe
"C:\Users\Admin\AppData\Local\07d87cdd-844d-4f48-ba49-082785507e65\build3.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\82c8b64c-4d0d-49d5-967b-57b47a0e7775\build2.exe" & exit
C:\Users\Admin\AppData\Local\07d87cdd-844d-4f48-ba49-082785507e65\build2.exe
"C:\Users\Admin\AppData\Local\07d87cdd-844d-4f48-ba49-082785507e65\build2.exe"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Users\Admin\AppData\Local\Temp\630E.exe
C:\Users\Admin\AppData\Local\Temp\630E.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\630E.exe
"C:\Users\Admin\AppData\Local\Temp\630E.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\8BD5.exe
C:\Users\Admin\AppData\Local\Temp\8BD5.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force
C:\Users\Admin\AppData\Local\Temp\8BD5.exe
"C:\Users\Admin\AppData\Local\Temp\8BD5.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\07d87cdd-844d-4f48-ba49-082785507e65\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Local\Temp\F84B.exe
C:\Users\Admin\AppData\Local\Temp\F84B.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc daily /st 12:34 /f /tn "AppLaunch" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc daily /st 12:34 /f /tn AdobeUpdateTask_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"
C:\Users\Admin\AppData\Local\Temp\2C.exe
C:\Users\Admin\AppData\Local\Temp\2C.exe
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Users\Admin\AppData\Local\Temp\630E.exe
"C:\Users\Admin\AppData\Local\Temp\630E.exe" --Admin IsNotAutoStart IsNotTask
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Users\Admin\AppData\Local\Temp\8BD5.exe
"C:\Users\Admin\AppData\Local\Temp\8BD5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\9cc8ad3a-64a3-4ff7-8fc9-c6e2e3702ad1\build2.exe
"C:\Users\Admin\AppData\Local\9cc8ad3a-64a3-4ff7-8fc9-c6e2e3702ad1\build2.exe"
C:\Users\Admin\AppData\Local\9cc8ad3a-64a3-4ff7-8fc9-c6e2e3702ad1\build2.exe
"C:\Users\Admin\AppData\Local\9cc8ad3a-64a3-4ff7-8fc9-c6e2e3702ad1\build2.exe"
C:\Users\Admin\AppData\Local\9cc8ad3a-64a3-4ff7-8fc9-c6e2e3702ad1\build3.exe
"C:\Users\Admin\AppData\Local\9cc8ad3a-64a3-4ff7-8fc9-c6e2e3702ad1\build3.exe"
C:\Users\Admin\AppData\Local\1298b94a-1b95-453e-85dc-f9de44e3d9c2\build2.exe
"C:\Users\Admin\AppData\Local\1298b94a-1b95-453e-85dc-f9de44e3d9c2\build2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\73501ab4-1fff-4fef-b8d4-2c3a61011401\build2.exe" & exit
C:\Users\Admin\AppData\Local\1298b94a-1b95-453e-85dc-f9de44e3d9c2\build2.exe
"C:\Users\Admin\AppData\Local\1298b94a-1b95-453e-85dc-f9de44e3d9c2\build2.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Local\1298b94a-1b95-453e-85dc-f9de44e3d9c2\build3.exe
"C:\Users\Admin\AppData\Local\1298b94a-1b95-453e-85dc-f9de44e3d9c2\build3.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\1298b94a-1b95-453e-85dc-f9de44e3d9c2\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\7ea0b8b0-fb08-420d-a8e9-c191cf5aa7ae\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\9cc8ad3a-64a3-4ff7-8fc9-c6e2e3702ad1\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
Files
C:\Users\Admin\AppData\Local\46f6f315-df16-4b53-860c-b7ba2abf753c\DECD.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
C:\Users\Admin\AppData\Local\Temp\DECD.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/2020-213-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1876-216-0x0000000000A00000-0x0000000000A50000-memory.dmp
memory/1876-217-0x0000000006CD0000-0x0000000006E92000-memory.dmp
memory/1876-218-0x000000000D250000-0x000000000D77C000-memory.dmp
memory/5016-219-0x0000000006030000-0x0000000006040000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C89.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/4176-222-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4176-223-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5016-224-0x0000000073F90000-0x000000007467E000-memory.dmp
memory/5016-225-0x0000000006030000-0x0000000006040000-memory.dmp
memory/5016-226-0x0000000006030000-0x0000000006040000-memory.dmp
memory/4176-227-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | a8cfb50a0e434d61c5950c39939c75ab |
| SHA1 | bed51ce8cf805476ca8763e14a8fb83224734587 |
| SHA256 | 418a1bfd833d82ff4c82f9326971c97b57d048413b142dd3268e4192b09f4b67 |
| SHA512 | 4b2dc5c0cf7e3557cd1f9c6e7898915f789c0c45a0573f4ef8775ad473411a0a1c383199a80f9c830f9dd37a65531212cea0cedb60964e4a75fd9dff92171b61 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | d4e0f7b4f0493b48882bac519f6cfe3a |
| SHA1 | b0f91a2f5453d71d6a7575c0bd174ce071a3b203 |
| SHA256 | 166dafae15f0d08e851fa4e8e788722b54c72119587c3a8e300b882422c8bdb1 |
| SHA512 | 9f758778b93824965a2b7170734ddec96fd760d1fbce3b5cb68c0233786e38b9ac2fafe446670218f7c60cdc7638595e148bc6ed85c9cb0be8bef883efb61a8c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | cde3004d458a86374c76b63425fc9b8c |
| SHA1 | 91ed2720991b113dc6ee6b5705ec24b270e081df |
| SHA256 | 3851e2bff744375020167c2341984024cb6ee0e3d120685ad3e984125bb11447 |
| SHA512 | 9ee9bd7550fb17ae13920ffd7a803727a35d823132f0fbe216d8bbbb09959cc673221d58e1f1b81909a634effedfb74ef29b3e0278a37590d2550db9b6d5cb5f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 77024a68d8d4da64273e4c42dc1e5610 |
| SHA1 | 9535edf02f1f45c7870b7f055985456bc6d53847 |
| SHA256 | 2812c21305cbee6ad4066fefa8716b70e2c92789ea7fb20cccc8103230e16ce9 |
| SHA512 | f3b57947d4632cc12d78b989c830f3049436f4195f2a1ff79dbbadd3430b848046968b7c333243558614362f6448af12bbd775ad49b6a5628a67c99486df86bd |
memory/1876-235-0x0000000073F90000-0x000000007467E000-memory.dmp
memory/4176-234-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C89.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/5016-238-0x0000000006030000-0x0000000006040000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DECD.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/4636-242-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4636-243-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4636-244-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4636-245-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4636-246-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4636-250-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4636-253-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4636-252-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C89.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
memory/4012-256-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4012-257-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4012-258-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4012-259-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4012-260-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4012-263-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4012-265-0x0000000000400000-0x0000000000537000-memory.dmp
C:\SystemID\PersonalID.txt
| MD5 | 324770a7653f940b6e66d90455f6e1a8 |
| SHA1 | 5b9edb85029710a458f7a77f474721307d2fb738 |
| SHA256 | 9dda9cd8e2b81a8d0d46e39f4495130246582b673b7ddddef4ebecfeeb6bbc30 |
| SHA512 | 48ae3a8b8a45881285ff6117edd0ca42fe2b06b0d868b2d535f82a9c26157d3c434535d91b7a9f33cf3c627bc49e469bf997077edcfff6b83e4d7e30cf9dea23 |
C:\Users\Admin\AppData\Local\bowsakkdestx.txt
| MD5 | e3c640eced72a28f10eac99da233d9fd |
| SHA1 | 1d7678afc24a59de1da0bf74126baf3b8540b5b0 |
| SHA256 | 87de9c0701eab8d410954dc4d3e7e6013ca6a0c8a514969418a12c21135f133e |
| SHA512 | bcb94b7ba487784d343961b24107ea17a82f200961505927ef385caeb0684fbbe1a3482b7d0af7f3766b9ec2c4d6236341b50541cf7b1217acdc0a8b5b37e3d7 |
memory/4012-267-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 80b0b41decb53a01e8c87def18400267 |
| SHA1 | 885f327c4e91065486137ca96105190f7a29d0f9 |
| SHA256 | 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1 |
| SHA512 | 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e |
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 80b0b41decb53a01e8c87def18400267 |
| SHA1 | 885f327c4e91065486137ca96105190f7a29d0f9 |
| SHA256 | 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1 |
| SHA512 | 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e |
memory/4636-274-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\526e552a-d63e-427f-b2ec-af728bb99514\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
C:\Users\Admin\AppData\Local\6e6a0f01-6f09-4b78-a840-fb17474bd173\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
C:\Users\Admin\AppData\Local\6e6a0f01-6f09-4b78-a840-fb17474bd173\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
C:\Windows\Temp\setup.exe
| MD5 | 84741bc02d2e9226a943aa03b6a4568d |
| SHA1 | 617d01316011faf77fba30d49ae1e86ff988380a |
| SHA256 | fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93 |
| SHA512 | 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379 |
C:\Windows\Temp\setup.exe
| MD5 | 84741bc02d2e9226a943aa03b6a4568d |
| SHA1 | 617d01316011faf77fba30d49ae1e86ff988380a |
| SHA256 | fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93 |
| SHA512 | 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379 |
C:\Users\Admin\AppData\Local\526e552a-d63e-427f-b2ec-af728bb99514\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
C:\Users\Admin\AppData\Local\Temp\cli.exe
| MD5 | b78141a544759e1a07740aa28b35584c |
| SHA1 | af95ccd7d12c7ed7bdc6782373302118d2ebe3a8 |
| SHA256 | e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d |
| SHA512 | 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959 |
C:\Users\Admin\AppData\Local\Temp\cli.exe
| MD5 | b78141a544759e1a07740aa28b35584c |
| SHA1 | af95ccd7d12c7ed7bdc6782373302118d2ebe3a8 |
| SHA256 | e268b72e92c9d9af52c25f4d7643bd96c84172fadb4e7a300091eb287ee3a35d |
| SHA512 | 2f83ef2eaf8951d392f32405dd9c2555be803f63cbdb9118c4204ad148a254a19aa593082a2f5c7a1b962329df08fede026d0715513adf26d838f043fd451959 |
C:\Users\Admin\AppData\Local\526e552a-d63e-427f-b2ec-af728bb99514\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
memory/4012-275-0x0000000000400000-0x0000000000537000-memory.dmp
memory/236-303-0x0000000000290000-0x000000000051B000-memory.dmp
memory/692-301-0x00007FF7F6BF0000-0x00007FF7F7E16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cc.exe
| MD5 | 858f82fe9166c34b6709a3adfe6a625f |
| SHA1 | 63275e4b77e0fe6fa6f1db716b5963b69b68f8a5 |
| SHA256 | 8ec2c1bb10e05a5129269488b53a46c6b5be3691c61ef7da7c6eecf1c0444b28 |
| SHA512 | 1338082ebb6bf658125cd6d72f5885c78865c1abbed50fd10317dacaf41a450eb98b949631f1a1b94a67d335b23cfc0fa78d0d8db3d726adf2a57af50307b89e |
memory/692-306-0x00007FFE04E10000-0x00007FFE04FEB000-memory.dmp
memory/4012-330-0x0000000000400000-0x0000000000537000-memory.dmp
memory/692-315-0x00007FF7F6BF0000-0x00007FF7F7E16000-memory.dmp
memory/2804-332-0x0000000000620000-0x0000000000747000-memory.dmp
memory/3220-331-0x0000000001200000-0x0000000001270000-memory.dmp
C:\Users\Admin\AppData\Local\526e552a-d63e-427f-b2ec-af728bb99514\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/3220-316-0x0000000077DC4000-0x0000000077DC5000-memory.dmp
memory/4636-314-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\526e552a-d63e-427f-b2ec-af728bb99514\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/3220-308-0x00000000012B0000-0x00000000018E4000-memory.dmp
memory/732-341-0x0000000004000000-0x0000000004078000-memory.dmp
C:\Users\Admin\AppData\Local\6e6a0f01-6f09-4b78-a840-fb17474bd173\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\6e6a0f01-6f09-4b78-a840-fb17474bd173\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/236-336-0x0000000000290000-0x000000000051B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\770C.exe
| MD5 | a047866a17ef5aeec5308c11bedf7948 |
| SHA1 | 81cb94f70c1c046489807610927cacc52474e6db |
| SHA256 | 35e0cf27eb87b8fa99aef9b1b66b85521337ac77baf9bd8fadb52b66ae810a88 |
| SHA512 | 1ce33202a20c38fb5556e13a21287df8502763e53afee203d6eb01e1eb7799302dd543858e4332d04605218e88dbe0984fbb2c7d4dbcc32d0c7c51d8d4ad54f4 |
C:\Users\Admin\AppData\Local\Temp\770C.exe
| MD5 | a047866a17ef5aeec5308c11bedf7948 |
| SHA1 | 81cb94f70c1c046489807610927cacc52474e6db |
| SHA256 | 35e0cf27eb87b8fa99aef9b1b66b85521337ac77baf9bd8fadb52b66ae810a88 |
| SHA512 | 1ce33202a20c38fb5556e13a21287df8502763e53afee203d6eb01e1eb7799302dd543858e4332d04605218e88dbe0984fbb2c7d4dbcc32d0c7c51d8d4ad54f4 |
memory/5016-333-0x0000000000400000-0x00000000018CF000-memory.dmp
memory/3064-344-0x00000000023D0000-0x00000000024D0000-memory.dmp
C:\Users\Admin\AppData\Local\526e552a-d63e-427f-b2ec-af728bb99514\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
memory/732-350-0x0000000002370000-0x0000000002470000-memory.dmp
memory/5016-353-0x0000000073F90000-0x000000007467E000-memory.dmp
memory/364-343-0x0000000000400000-0x000000000048C000-memory.dmp
C:\Users\Admin\AppData\Local\6e6a0f01-6f09-4b78-a840-fb17474bd173\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
memory/3220-362-0x0000000006780000-0x0000000006790000-memory.dmp
memory/3220-365-0x0000000006780000-0x0000000006790000-memory.dmp
memory/3220-372-0x0000000006780000-0x0000000006790000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8258.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
memory/5048-375-0x0000000000400000-0x000000000048C000-memory.dmp
memory/3220-371-0x0000000006710000-0x0000000006732000-memory.dmp
memory/364-368-0x0000000000400000-0x000000000048C000-memory.dmp
memory/3220-367-0x0000000006620000-0x00000000066D2000-memory.dmp
memory/3220-357-0x0000000073F90000-0x000000007467E000-memory.dmp
memory/3220-355-0x00000000040E0000-0x000000000414C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8258.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data8RZ7G\CrashpadMetrics-active.pma
| MD5 | 03c4f648043a88675a920425d824e1b3 |
| SHA1 | b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d |
| SHA256 | f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450 |
| SHA512 | 2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192 |
C:\Users\Admin\AppData\Local\Temp\8EEB.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
C:\Users\Admin\AppData\Local\Temp\8EEB.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data8RZ7G\Local State
| MD5 | 4bea083a39e974af711ed5b634ab4d62 |
| SHA1 | 15b77e8d9f2fa9ac1c27878b9863740a5b1248d6 |
| SHA256 | 261464ce48472c160b170afe13e8edc4bed739d319fece22d0b9e539370cf955 |
| SHA512 | e87126295f640978fadcf4fe1b72cff56457a3047206da6c2c3326235a00a0536bf91b72004b13a6e4b70d5c2b0f2d5b740f6c96aecc87d93c2812bb2f25fba1 |
\??\pipe\crashpad_1348_BUCAAZWDUZGHDOFF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\9759.exe
| MD5 | b13a7f21bcaf52673454487c20617578 |
| SHA1 | cb81e6d6246dcc8a5662761c780ccb18b6c4169d |
| SHA256 | 944b6fc8f6f1406cf4dd166be1d4d1be9213a773646bd17e84e2ec886c382727 |
| SHA512 | 2d012c00cfc84aa64f34ef23d015bd78fee5831b6814aac1f980f959e01cff90450867eb1c269bf076d6ab3654ccd63dcebcb96741517b6d8cf207c67135ebcc |
C:\Users\Admin\AppData\Local\Temp\9759.exe
| MD5 | b13a7f21bcaf52673454487c20617578 |
| SHA1 | cb81e6d6246dcc8a5662761c780ccb18b6c4169d |
| SHA256 | 944b6fc8f6f1406cf4dd166be1d4d1be9213a773646bd17e84e2ec886c382727 |
| SHA512 | 2d012c00cfc84aa64f34ef23d015bd78fee5831b6814aac1f980f959e01cff90450867eb1c269bf076d6ab3654ccd63dcebcb96741517b6d8cf207c67135ebcc |
C:\Users\Admin\AppData\Local\Temp\A1F8.exe
| MD5 | b13a7f21bcaf52673454487c20617578 |
| SHA1 | cb81e6d6246dcc8a5662761c780ccb18b6c4169d |
| SHA256 | 944b6fc8f6f1406cf4dd166be1d4d1be9213a773646bd17e84e2ec886c382727 |
| SHA512 | 2d012c00cfc84aa64f34ef23d015bd78fee5831b6814aac1f980f959e01cff90450867eb1c269bf076d6ab3654ccd63dcebcb96741517b6d8cf207c67135ebcc |
C:\Users\Admin\AppData\Local\Temp\A1F8.exe
| MD5 | b13a7f21bcaf52673454487c20617578 |
| SHA1 | cb81e6d6246dcc8a5662761c780ccb18b6c4169d |
| SHA256 | 944b6fc8f6f1406cf4dd166be1d4d1be9213a773646bd17e84e2ec886c382727 |
| SHA512 | 2d012c00cfc84aa64f34ef23d015bd78fee5831b6814aac1f980f959e01cff90450867eb1c269bf076d6ab3654ccd63dcebcb96741517b6d8cf207c67135ebcc |
C:\Users\Admin\AppData\Local\Temp\A1F8.exe
| MD5 | b13a7f21bcaf52673454487c20617578 |
| SHA1 | cb81e6d6246dcc8a5662761c780ccb18b6c4169d |
| SHA256 | 944b6fc8f6f1406cf4dd166be1d4d1be9213a773646bd17e84e2ec886c382727 |
| SHA512 | 2d012c00cfc84aa64f34ef23d015bd78fee5831b6814aac1f980f959e01cff90450867eb1c269bf076d6ab3654ccd63dcebcb96741517b6d8cf207c67135ebcc |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\C60C.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
C:\Users\Admin\AppData\Local\Temp\C60C.exe
| MD5 | 188b15e68c69c8877c1f07dcb43a89bb |
| SHA1 | bfd3ab9faf83d0f784c44dce2062edb1dc540355 |
| SHA256 | d1bbf23b1176eb5ce658441233e9847be127fd8117bf6505f4682cc3c6acb5fa |
| SHA512 | 37d3d722b5bfe80af9871ce869d2558641b4c538cd685ece2f3db534a523c0c67472b32065b69af5201e15d42b0ef0bc361e1ae9ceaaa5abe50da073a461f3e0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\Temp\CC66.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
C:\Users\Admin\AppData\Local\Temp\CC66.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
C:\Users\Admin\AppData\Local\Temp\CC66.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
C:\Users\Admin\AppData\Local\Temp\8258.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
C:\Users\Admin\AppData\Local\Temp\D3D9.dll
| MD5 | ab37d4c53a605023d7199153f218a6f6 |
| SHA1 | b02c1b0d562f8d1b7d8833c7442645368a9b5de8 |
| SHA256 | a5239d97202125e36665f294b236b473435677324c18638251e87a56dd100c16 |
| SHA512 | a67f3096e527930a643545d20728e09d160a851122681605df2a30a7bd6b759501cc08d24e6c9aa8a1019c92d283ff97031db207375be04a2f7a9c2b70f552a7 |
C:\Users\Admin\AppData\Local\Temp\8EEB.exe
| MD5 | da0b32b036e2dcdc0d70fcaddca16d94 |
| SHA1 | 9689fc54d47806c48b6dc448f310cb45cfc7e235 |
| SHA256 | fe44cf38c2316a1b8def6167e10f11b4159229c9e2d05731d1a2e621915e1449 |
| SHA512 | 57ae90d1ce8280e8c8a9a1e51b98318d052bca934202e50fb16d4eae5a6939ad98e3309d6a85255b536da07ead40a1d5d68340fa87e9d0d2f209ffb31ae9b93a |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y1paykwe.53l.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\73893347390024967473719492
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\57626774944594165232643265
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\Users\Admin\AppData\Local\Temp\F84B.exe
| MD5 | a047866a17ef5aeec5308c11bedf7948 |
| SHA1 | 81cb94f70c1c046489807610927cacc52474e6db |
| SHA256 | 35e0cf27eb87b8fa99aef9b1b66b85521337ac77baf9bd8fadb52b66ae810a88 |
| SHA512 | 1ce33202a20c38fb5556e13a21287df8502763e53afee203d6eb01e1eb7799302dd543858e4332d04605218e88dbe0984fbb2c7d4dbcc32d0c7c51d8d4ad54f4 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 84741bc02d2e9226a943aa03b6a4568d |
| SHA1 | 617d01316011faf77fba30d49ae1e86ff988380a |
| SHA256 | fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93 |
| SHA512 | 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379 |
C:\ProgramData\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
C:\ProgramData\vcruntime140.dll
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\ProgramData\freebl3.dll
| MD5 | 550686c0ee48c386dfcb40199bd076ac |
| SHA1 | ee5134da4d3efcb466081fb6197be5e12a5b22ab |
| SHA256 | edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa |
| SHA512 | 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e |
C:\ProgramData\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |