Malware Analysis Report

2025-01-18 08:55

Sample ID 230811-d5by5saf29
Target 51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7
SHA256 51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7
Tags
djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) lux3 backdoor discovery infostealer ransomware trojan vidar d2840cabd9794f85353e1fae1cd95a0b pub1 evasion persistence spyware stealer
score
10/10

Analysis Overview

SHA256

51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7

Threat Level: Known bad

The file 51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7 was found to be: Known bad.

Malicious Activity Summary

RedLine

Detected Djvu ransomware

Djvu Ransomware

Vidar

SmokeLoader

Downloads MZ/PE file

Modifies Windows Firewall

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Modifies file permissions

Adds Run key to start application

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Modifies data under HKEY_USERS

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-11 03:35

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-08-11 03:35

Reported

2023-08-11 03:40

Platform

win7-20230712-en

Max time kernel

48s

Max time network

267s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself


Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7.exe N/A

Suspicious behavior: GetForegroundWindowSpam


Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DA2A.exe N/A

Suspicious use of FindShellTrayWindow


Suspicious use of SendNotifyMessage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Temp\D855.exe
PID 1300 wrote to memory of 2956 N/A N/A C:\Users\Admin\AppData\Local\Temp\DA2A.exe
PID 1300 wrote to memory of 2756 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2756 wrote to memory of 2828 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1300 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\E5B1.exe
PID 1300 wrote to memory of 516 N/A N/A C:\Windows\system32\regsvr32.exe
PID 516 wrote to memory of 964 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1300 wrote to memory of 1420 N/A N/A C:\Users\Admin\AppData\Local\Temp\F424.exe
PID 3016 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\D855.exe C:\Users\Admin\AppData\Local\Temp\D855.exe
PID 1420 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\F424.exe C:\Users\Admin\AppData\Local\Temp\F424.exe
PID 1300 wrote to memory of 2804 N/A N/A C:\Users\Admin\AppData\Local\Temp\93.exe

Processes

C:\Users\Admin\AppData\Local\Temp\51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7.exe

"C:\Users\Admin\AppData\Local\Temp\51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7.exe"

C:\Users\Admin\AppData\Local\Temp\D855.exe

C:\Users\Admin\AppData\Local\Temp\D855.exe

C:\Users\Admin\AppData\Local\Temp\DA2A.exe

C:\Users\Admin\AppData\Local\Temp\DA2A.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DEDC.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\DEDC.dll

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F08A.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F08A.dll

C:\Users\Admin\AppData\Local\Temp\F424.exe

C:\Users\Admin\AppData\Local\Temp\F424.exe

C:\Users\Admin\AppData\Local\Temp\D855.exe

C:\Users\Admin\AppData\Local\Temp\D855.exe

C:\Users\Admin\AppData\Local\Temp\F424.exe

C:\Users\Admin\AppData\Local\Temp\F424.exe

C:\Users\Admin\AppData\Local\Temp\93.exe

C:\Users\Admin\AppData\Local\Temp\93.exe

C:\Users\Admin\AppData\Local\Temp\BBB.exe

C:\Users\Admin\AppData\Local\Temp\BBB.exe

C:\Users\Admin\AppData\Local\Temp\93.exe

C:\Users\Admin\AppData\Local\Temp\93.exe

C:\Users\Admin\AppData\Local\Temp\BBB.exe

C:\Users\Admin\AppData\Local\Temp\BBB.exe

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

C:\Users\Admin\AppData\Local\Temp\1E14.exe

C:\Users\Admin\AppData\Local\Temp\1E14.exe

C:\Users\Admin\AppData\Local\Temp\31D3.exe

C:\Users\Admin\AppData\Local\Temp\31D3.exe

C:\Users\Admin\AppData\Local\Temp\1E14.exe

C:\Users\Admin\AppData\Local\Temp\1E14.exe

C:\Users\Admin\AppData\Local\Temp\39D0.exe

C:\Users\Admin\AppData\Local\Temp\39D0.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\de9f1ab7-a085-4d3d-92d5-2d259b618766" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\3D4A.exe

C:\Users\Admin\AppData\Local\Temp\3D4A.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\41DD.dll

C:\Users\Admin\AppData\Local\Temp\F424.exe

"C:\Users\Admin\AppData\Local\Temp\F424.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\BBB.exe

"C:\Users\Admin\AppData\Local\Temp\BBB.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\41DD.dll

C:\Users\Admin\AppData\Local\Temp\93.exe

"C:\Users\Admin\AppData\Local\Temp\93.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5A00.exe

C:\Users\Admin\AppData\Local\Temp\5A00.exe

C:\Users\Admin\AppData\Local\Temp\BBB.exe

"C:\Users\Admin\AppData\Local\Temp\BBB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1E14.exe

"C:\Users\Admin\AppData\Local\Temp\1E14.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F424.exe

"C:\Users\Admin\AppData\Local\Temp\F424.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\DDEF.exe

C:\Users\Admin\AppData\Local\Temp\DDEF.exe

C:\Users\Admin\AppData\Local\Temp\F49B.exe

C:\Users\Admin\AppData\Local\Temp\F49B.exe

C:\Users\Admin\AppData\Local\Temp\D855.exe

"C:\Users\Admin\AppData\Local\Temp\D855.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

"C:\Users\Admin\AppData\Local\Temp\E5B1.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5A00.exe

C:\Users\Admin\AppData\Local\Temp\5A00.exe

C:\Users\Admin\AppData\Local\Temp\E726.exe

C:\Users\Admin\AppData\Local\Temp\E726.exe

C:\Users\Admin\AppData\Local\Temp\E5DE.exe

C:\Users\Admin\AppData\Local\Temp\E5DE.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E457.dll

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /D /T

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E457.dll

C:\Users\Admin\AppData\Local\Temp\2AFA.exe

C:\Users\Admin\AppData\Local\Temp\2AFA.exe

C:\Users\Admin\AppData\Local\Temp\8A7A.exe

C:\Users\Admin\AppData\Local\Temp\8A7A.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8895.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8895.dll

C:\Users\Admin\AppData\Local\Temp\E5DE.exe

C:\Users\Admin\AppData\Local\Temp\E5DE.exe

Network


Files

memory/2504-54-0x00000000023C0000-0x00000000024C0000-memory.dmp

memory/2504-55-0x0000000000400000-0x00000000022E8000-memory.dmp

memory/2504-56-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1300-57-0x00000000025A0000-0x00000000025B6000-memory.dmp

memory/2504-58-0x0000000000400000-0x00000000022E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D855.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

C:\Users\Admin\AppData\Local\Temp\D855.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

C:\Users\Admin\AppData\Local\Temp\DA2A.exe

MD5 ae448e12c7d473e2696fc5b215cf32d7
SHA1 12aa5fcc6ef9d0127c4d05893d4dc638d6f768d4
SHA256 8b39ba1de46f2aa1b72f9b2a54297e890cdef8252dcdc67221eb18b46e4d9da6
SHA512 2b5cb99c1f198a121820472fe1774316097c4ec0370e982652038e1cb0af9940c5eddc1aab99291314b5d5b9dcd40332426d63cd752d51812b3e927db8981f88

C:\Users\Admin\AppData\Local\Temp\DA2A.exe

MD5 ae448e12c7d473e2696fc5b215cf32d7
SHA1 12aa5fcc6ef9d0127c4d05893d4dc638d6f768d4
SHA256 8b39ba1de46f2aa1b72f9b2a54297e890cdef8252dcdc67221eb18b46e4d9da6
SHA512 2b5cb99c1f198a121820472fe1774316097c4ec0370e982652038e1cb0af9940c5eddc1aab99291314b5d5b9dcd40332426d63cd752d51812b3e927db8981f88

memory/2956-76-0x00000000001B0000-0x00000000001E0000-memory.dmp

memory/2956-77-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2956-83-0x0000000000660000-0x0000000000666000-memory.dmp

memory/2956-81-0x0000000074240000-0x000000007492E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DEDC.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

memory/2828-86-0x00000000020C0000-0x0000000002303000-memory.dmp

\Users\Admin\AppData\Local\Temp\DEDC.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

memory/2956-87-0x0000000004740000-0x0000000004780000-memory.dmp

memory/2828-94-0x0000000000130000-0x0000000000136000-memory.dmp

memory/2828-95-0x00000000020C0000-0x0000000002303000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F08A.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

C:\Users\Admin\AppData\Local\Temp\F424.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/964-106-0x0000000000990000-0x0000000000BD3000-memory.dmp

memory/964-107-0x0000000000990000-0x0000000000BD3000-memory.dmp

\Users\Admin\AppData\Local\Temp\F08A.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

C:\Users\Admin\AppData\Local\Temp\F424.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/964-108-0x0000000000170000-0x0000000000176000-memory.dmp

memory/3016-110-0x0000000003070000-0x0000000003102000-memory.dmp

memory/3016-111-0x0000000003110000-0x000000000322B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D855.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

\Users\Admin\AppData\Local\Temp\D855.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

memory/2692-114-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2692-116-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D855.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

memory/1420-119-0x0000000002370000-0x0000000002402000-memory.dmp

memory/2956-120-0x0000000074240000-0x000000007492E000-memory.dmp

memory/1420-121-0x0000000002370000-0x0000000002402000-memory.dmp

memory/2276-126-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1420-123-0x0000000003CF0000-0x0000000003E0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F424.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

\Users\Admin\AppData\Local\Temp\F424.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/2276-128-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\93.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

C:\Users\Admin\AppData\Local\Temp\F424.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/2692-133-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2276-137-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2956-138-0x0000000004740000-0x0000000004780000-memory.dmp

memory/2692-139-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2276-140-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BBB.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/2804-148-0x0000000002370000-0x0000000002402000-memory.dmp

memory/2804-149-0x0000000002370000-0x0000000002402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\93.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

C:\Users\Admin\AppData\Local\Temp\BBB.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/344-154-0x00000000002A0000-0x0000000000332000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\93.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

\Users\Admin\AppData\Local\Temp\BBB.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/344-152-0x00000000002A0000-0x0000000000332000-memory.dmp

\Users\Admin\AppData\Local\Temp\93.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

C:\Users\Admin\AppData\Local\Temp\BBB.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/3052-168-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2128-169-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2828-170-0x0000000000A00000-0x0000000000AFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

\Users\Admin\AppData\Local\Temp\E5B1.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

C:\Users\Admin\AppData\Local\Temp\1E14.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-11 03:35

Reported

2023-08-11 03:40

Platform

win10-20230703-en

Max time kernel

231s

Max time network

307s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1DE4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\34E9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3CCA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\449C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4F3C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\449C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4F3C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\34E9.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\34E9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\449C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4F3C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7E1E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4F3C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\34E9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84E6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\542.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BCC5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1178.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1D71.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build3.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8D33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9591.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1D71.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9A83.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ACD4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B2C0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6D35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BCC5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C1A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D35C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BCC5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1D71.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EA31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1D71.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F4E0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6D35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\240.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\34E9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\240.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\3947eec1-f922-4681-93ca-44ed9659af5d\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BCC5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\3947eec1-f922-4681-93ca-44ed9659af5d\build3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\03d52d47-2751-439d-afe5-c2e5f08f2aec\\1BFF.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\1BFF.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5072 set thread context of 4368 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 432 set thread context of 3724 N/A C:\Users\Admin\AppData\Local\Temp\449C.exe C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 832 set thread context of 2152 N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 4812 set thread context of 3728 N/A C:\Users\Admin\AppData\Local\Temp\4F3C.exe C:\Users\Admin\AppData\Local\Temp\4F3C.exe
PID 3120 set thread context of 3844 N/A C:\Users\Admin\AppData\Local\Temp\34E9.exe C:\Users\Admin\AppData\Local\Temp\34E9.exe
PID 3476 set thread context of 5044 N/A C:\Windows\system32\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 64 set thread context of 2804 N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 4864 set thread context of 4792 N/A C:\Users\Admin\AppData\Local\Temp\4F3C.exe C:\Users\Admin\AppData\Local\Temp\4F3C.exe
PID 1408 set thread context of 2920 N/A C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build2.exe C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build2.exe
PID 2880 set thread context of 2768 N/A C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build2.exe C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build2.exe
PID 4364 set thread context of 808 N/A C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build2.exe C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build2.exe
PID 4044 set thread context of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1D71.exe C:\Users\Admin\AppData\Local\Temp\1D71.exe
PID 4568 set thread context of 4220 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 708 set thread context of 2020 N/A C:\Users\Admin\AppData\Local\Temp\34E9.exe C:\Users\Admin\AppData\Local\Temp\6D35.exe
PID 4600 set thread context of 8 N/A C:\Users\Admin\AppData\Local\Temp\BCC5.exe C:\Users\Admin\AppData\Local\Temp\BCC5.exe
PID 5084 set thread context of 664 N/A C:\Users\Admin\AppData\Local\Temp\1D71.exe C:\Users\Admin\AppData\Local\Temp\1D71.exe
PID 4412 set thread context of 708 N/A C:\Users\Admin\AppData\Local\Temp\34E9.exe C:\Users\Admin\AppData\Local\Temp\34E9.exe
PID 4260 set thread context of 2132 N/A C:\Users\Admin\AppData\Local\Temp\240.exe C:\Users\Admin\AppData\Local\Temp\240.exe
PID 3216 set thread context of 3712 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 3676 set thread context of 4396 N/A C:\Users\Admin\AppData\Local\3947eec1-f922-4681-93ca-44ed9659af5d\build2.exe C:\Users\Admin\AppData\Local\3947eec1-f922-4681-93ca-44ed9659af5d\build2.exe
PID 3952 set thread context of 2108 N/A C:\Users\Admin\AppData\Local\Temp\BCC5.exe C:\Users\Admin\AppData\Local\Temp\BCC5.exe
PID 3964 set thread context of 2608 N/A C:\Users\Admin\AppData\Local\Temp\ACD4.exe C:\Users\Admin\AppData\Local\Temp\ACD4.exe
PID 5020 set thread context of 212 N/A C:\Users\Admin\AppData\Local\Temp\EA31.exe C:\Users\Admin\AppData\Local\Temp\EA31.exe
PID 3416 set thread context of 4432 N/A C:\Users\Admin\AppData\Local\Temp\6D35.exe C:\Users\Admin\AppData\Local\Temp\6D35.exe
PID 632 set thread context of 348 N/A C:\Users\Admin\AppData\Local\Temp\240.exe C:\Users\Admin\AppData\Local\Temp\240.exe
PID 1948 set thread context of 1964 N/A C:\Users\Admin\AppData\Local\234e1953-1c58-4d89-9410-c858b1a7c632\build2.exe C:\Users\Admin\AppData\Local\234e1953-1c58-4d89-9410-c858b1a7c632\build2.exe
PID 5056 set thread context of 2864 N/A C:\Users\Admin\AppData\Local\9bc92e97-62ac-430c-ad73-639362c94617\build2.exe C:\Users\Admin\AppData\Local\9bc92e97-62ac-430c-ad73-639362c94617\build2.exe
PID 3848 set thread context of 4448 N/A C:\Users\Admin\AppData\Local\4188eb52-7712-4c52-9d1e-f09135ab59fd\build2.exe C:\Users\Admin\AppData\Local\4188eb52-7712-4c52-9d1e-f09135ab59fd\build2.exe
PID 4584 set thread context of 3832 N/A C:\Users\Admin\AppData\Local\Temp\ACD4.exe C:\Users\Admin\AppData\Local\Temp\ACD4.exe
PID 5008 set thread context of 1644 N/A C:\Users\Admin\AppData\Local\db8ef86c-6473-40fe-9237-c8b7677e1e8a\build2.exe C:\Users\Admin\AppData\Local\db8ef86c-6473-40fe-9237-c8b7677e1e8a\build2.exe
PID 3248 set thread context of 4136 N/A C:\Users\Admin\AppData\Local\Temp\EA31.exe C:\Users\Admin\AppData\Local\Temp\EA31.exe
PID 2320 set thread context of 3736 N/A C:\Users\Admin\AppData\Local\fbc100c6-440a-4833-94bb-685de5bdf22f\build2.exe C:\Users\Admin\AppData\Local\fbc100c6-440a-4833-94bb-685de5bdf22f\build2.exe
PID 5608 set thread context of 5748 N/A C:\Users\Admin\AppData\Local\4ef3b5e1-4d37-4790-b7cc-60754278f2d9\build2.exe C:\Users\Admin\AppData\Local\4ef3b5e1-4d37-4790-b7cc-60754278f2d9\build2.exe
PID 5860 set thread context of 5972 N/A C:\Users\Admin\AppData\Local\15c904bc-926c-4a59-91d3-27db9bea5541\build2.exe C:\Users\Admin\AppData\Local\15c904bc-926c-4a59-91d3-27db9bea5541\build2.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1DE4.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\84E6.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3256 wrote to memory of 5072 N/A N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 3256 wrote to memory of 5072 N/A N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 3256 wrote to memory of 5072 N/A N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 3256 wrote to memory of 4248 N/A N/A C:\Users\Admin\AppData\Local\Temp\1DE4.exe
PID 3256 wrote to memory of 4248 N/A N/A C:\Users\Admin\AppData\Local\Temp\1DE4.exe
PID 3256 wrote to memory of 4248 N/A N/A C:\Users\Admin\AppData\Local\Temp\1DE4.exe
PID 3256 wrote to memory of 4356 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3256 wrote to memory of 4356 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4356 wrote to memory of 4332 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4356 wrote to memory of 4332 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4356 wrote to memory of 4332 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3256 wrote to memory of 3120 N/A N/A C:\Users\Admin\AppData\Local\Temp\34E9.exe
PID 3256 wrote to memory of 3120 N/A N/A C:\Users\Admin\AppData\Local\Temp\34E9.exe
PID 3256 wrote to memory of 3120 N/A N/A C:\Users\Admin\AppData\Local\Temp\34E9.exe
PID 5072 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 5072 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 5072 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 5072 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 5072 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 5072 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 5072 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 5072 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 5072 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 5072 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Users\Admin\AppData\Local\Temp\1BFF.exe
PID 3256 wrote to memory of 4388 N/A N/A C:\Users\Admin\AppData\Local\Temp\3CCA.exe
PID 3256 wrote to memory of 4388 N/A N/A C:\Users\Admin\AppData\Local\Temp\3CCA.exe
PID 3256 wrote to memory of 4388 N/A N/A C:\Users\Admin\AppData\Local\Temp\3CCA.exe
PID 3256 wrote to memory of 856 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3256 wrote to memory of 856 N/A N/A C:\Windows\system32\regsvr32.exe
PID 856 wrote to memory of 1128 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 856 wrote to memory of 1128 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 856 wrote to memory of 1128 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3256 wrote to memory of 432 N/A N/A C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 3256 wrote to memory of 432 N/A N/A C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 3256 wrote to memory of 432 N/A N/A C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 3256 wrote to memory of 832 N/A N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 3256 wrote to memory of 832 N/A N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 3256 wrote to memory of 832 N/A N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 3256 wrote to memory of 4812 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F3C.exe
PID 3256 wrote to memory of 4812 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F3C.exe
PID 3256 wrote to memory of 4812 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F3C.exe
PID 432 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\449C.exe C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 432 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\449C.exe C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 432 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\449C.exe C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 432 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\449C.exe C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 432 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\449C.exe C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 432 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\449C.exe C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 432 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\449C.exe C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 432 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\449C.exe C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 432 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\449C.exe C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 432 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\449C.exe C:\Users\Admin\AppData\Local\Temp\449C.exe
PID 832 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 832 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 832 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 832 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 832 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 832 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 832 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 832 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 832 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 832 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\48A4.exe C:\Users\Admin\AppData\Local\Temp\48A4.exe
PID 4368 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Windows\SysWOW64\icacls.exe
PID 4368 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Windows\SysWOW64\icacls.exe
PID 4368 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\1BFF.exe C:\Windows\SysWOW64\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7.exe

"C:\Users\Admin\AppData\Local\Temp\51e955c9297fd841aa12fc39dc7b4dc3b7cc290a9641c2a5b343d30e52cda4b7.exe"

C:\Users\Admin\AppData\Local\Temp\1BFF.exe

C:\Users\Admin\AppData\Local\Temp\1BFF.exe

C:\Users\Admin\AppData\Local\Temp\1DE4.exe

C:\Users\Admin\AppData\Local\Temp\1DE4.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2085.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\2085.dll

C:\Users\Admin\AppData\Local\Temp\34E9.exe

C:\Users\Admin\AppData\Local\Temp\34E9.exe

C:\Users\Admin\AppData\Local\Temp\1BFF.exe

C:\Users\Admin\AppData\Local\Temp\1BFF.exe

C:\Users\Admin\AppData\Local\Temp\3CCA.exe

C:\Users\Admin\AppData\Local\Temp\3CCA.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\40F1.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\40F1.dll

C:\Users\Admin\AppData\Local\Temp\449C.exe

C:\Users\Admin\AppData\Local\Temp\449C.exe

C:\Users\Admin\AppData\Local\Temp\48A4.exe

C:\Users\Admin\AppData\Local\Temp\48A4.exe

C:\Users\Admin\AppData\Local\Temp\4F3C.exe

C:\Users\Admin\AppData\Local\Temp\4F3C.exe

C:\Users\Admin\AppData\Local\Temp\449C.exe

C:\Users\Admin\AppData\Local\Temp\449C.exe

C:\Users\Admin\AppData\Local\Temp\48A4.exe

C:\Users\Admin\AppData\Local\Temp\48A4.exe

C:\Users\Admin\AppData\Local\Temp\4F3C.exe

C:\Users\Admin\AppData\Local\Temp\4F3C.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\03d52d47-2751-439d-afe5-c2e5f08f2aec" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\449C.exe

"C:\Users\Admin\AppData\Local\Temp\449C.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\34E9.exe

C:\Users\Admin\AppData\Local\Temp\34E9.exe

C:\Users\Admin\AppData\Local\Temp\48A4.exe

"C:\Users\Admin\AppData\Local\Temp\48A4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6D35.exe

C:\Users\Admin\AppData\Local\Temp\6D35.exe

C:\Users\Admin\AppData\Local\Temp\449C.exe

"C:\Users\Admin\AppData\Local\Temp\449C.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4F3C.exe

"C:\Users\Admin\AppData\Local\Temp\4F3C.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\48A4.exe

"C:\Users\Admin\AppData\Local\Temp\48A4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7E1E.exe

C:\Users\Admin\AppData\Local\Temp\7E1E.exe

C:\Users\Admin\AppData\Local\Temp\4F3C.exe

"C:\Users\Admin\AppData\Local\Temp\4F3C.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\34E9.exe

"C:\Users\Admin\AppData\Local\Temp\34E9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\84E6.exe

C:\Users\Admin\AppData\Local\Temp\84E6.exe

C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build2.exe

"C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build2.exe"

C:\Users\Admin\AppData\Local\Temp\542.exe

C:\Users\Admin\AppData\Local\Temp\542.exe

C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build2.exe

"C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build2.exe"

C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build3.exe

"C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build3.exe"

C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build3.exe

"C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\1178.exe

C:\Users\Admin\AppData\Local\Temp\1178.exe

C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build2.exe

"C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build2.exe"

C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build2.exe

"C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build2.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1AC0.dll

C:\Users\Admin\AppData\Local\Temp\1D71.exe

C:\Users\Admin\AppData\Local\Temp\1D71.exe

C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build2.exe

"C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build2.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1AC0.dll

C:\Users\Admin\AppData\Local\Temp\1BFF.exe

"C:\Users\Admin\AppData\Local\Temp\1BFF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build3.exe

"C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build3.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build2.exe

"C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build2.exe"

C:\Users\Admin\AppData\Local\Temp\8D33.exe

C:\Users\Admin\AppData\Local\Temp\8D33.exe

C:\Users\Admin\AppData\Local\Temp\9591.exe

C:\Users\Admin\AppData\Local\Temp\9591.exe

C:\Users\Admin\AppData\Local\Temp\1D71.exe

C:\Users\Admin\AppData\Local\Temp\1D71.exe

C:\Users\Admin\AppData\Local\Temp\9A83.exe

C:\Users\Admin\AppData\Local\Temp\9A83.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\ACD4.exe

C:\Users\Admin\AppData\Local\Temp\ACD4.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1488

C:\Users\Admin\AppData\Local\Temp\B2C0.exe

C:\Users\Admin\AppData\Local\Temp\B2C0.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B774.dll

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\6D35.exe

C:\Users\Admin\AppData\Local\Temp\6D35.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\B774.dll

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\BCC5.exe

C:\Users\Admin\AppData\Local\Temp\BCC5.exe

C:\Users\Admin\AppData\Local\Temp\C1A8.exe

C:\Users\Admin\AppData\Local\Temp\C1A8.exe

C:\Users\Admin\AppData\Local\Temp\BCC5.exe

C:\Users\Admin\AppData\Local\Temp\BCC5.exe

C:\Users\Admin\AppData\Local\Temp\D35C.exe

C:\Users\Admin\AppData\Local\Temp\D35C.exe

C:\Users\Admin\AppData\Local\Temp\1D71.exe

"C:\Users\Admin\AppData\Local\Temp\1D71.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 780

C:\Users\Admin\AppData\Local\Temp\EA31.exe

C:\Users\Admin\AppData\Local\Temp\EA31.exe

C:\Users\Admin\AppData\Local\Temp\1D71.exe

"C:\Users\Admin\AppData\Local\Temp\1D71.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F4E0.exe

C:\Users\Admin\AppData\Local\Temp\F4E0.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FB69.dll

C:\Users\Admin\AppData\Local\Temp\6D35.exe

"C:\Users\Admin\AppData\Local\Temp\6D35.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\240.exe

C:\Users\Admin\AppData\Local\Temp\240.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\FB69.dll

C:\Users\Admin\AppData\Local\Temp\34E9.exe

"C:\Users\Admin\AppData\Local\Temp\34E9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\240.exe

C:\Users\Admin\AppData\Local\Temp\240.exe

C:\Users\Admin\AppData\Local\Temp\1BFF.exe

"C:\Users\Admin\AppData\Local\Temp\1BFF.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build2.exe" & exit

C:\Users\Admin\AppData\Local\Temp\BCC5.exe

"C:\Users\Admin\AppData\Local\Temp\BCC5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\3947eec1-f922-4681-93ca-44ed9659af5d\build2.exe

"C:\Users\Admin\AppData\Local\3947eec1-f922-4681-93ca-44ed9659af5d\build2.exe"

C:\Users\Admin\AppData\Local\3947eec1-f922-4681-93ca-44ed9659af5d\build3.exe

"C:\Users\Admin\AppData\Local\3947eec1-f922-4681-93ca-44ed9659af5d\build3.exe"

C:\Users\Admin\AppData\Local\3947eec1-f922-4681-93ca-44ed9659af5d\build2.exe

"C:\Users\Admin\AppData\Local\3947eec1-f922-4681-93ca-44ed9659af5d\build2.exe"

C:\Users\Admin\AppData\Local\Temp\BCC5.exe

"C:\Users\Admin\AppData\Local\Temp\BCC5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\ACD4.exe

C:\Users\Admin\AppData\Local\Temp\ACD4.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\EA31.exe

C:\Users\Admin\AppData\Local\Temp\EA31.exe

C:\Users\Admin\AppData\Local\Temp\6D35.exe

"C:\Users\Admin\AppData\Local\Temp\6D35.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 476

C:\Users\Admin\AppData\Local\Temp\240.exe

"C:\Users\Admin\AppData\Local\Temp\240.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\234e1953-1c58-4d89-9410-c858b1a7c632\build2.exe

"C:\Users\Admin\AppData\Local\234e1953-1c58-4d89-9410-c858b1a7c632\build2.exe"

C:\Users\Admin\AppData\Local\Temp\240.exe

"C:\Users\Admin\AppData\Local\Temp\240.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\234e1953-1c58-4d89-9410-c858b1a7c632\build2.exe

"C:\Users\Admin\AppData\Local\234e1953-1c58-4d89-9410-c858b1a7c632\build2.exe"

C:\Users\Admin\AppData\Local\234e1953-1c58-4d89-9410-c858b1a7c632\build3.exe

"C:\Users\Admin\AppData\Local\234e1953-1c58-4d89-9410-c858b1a7c632\build3.exe"

C:\Users\Admin\AppData\Local\Temp\ACD4.exe

"C:\Users\Admin\AppData\Local\Temp\ACD4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\EA31.exe

"C:\Users\Admin\AppData\Local\Temp\EA31.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\9bc92e97-62ac-430c-ad73-639362c94617\build2.exe

"C:\Users\Admin\AppData\Local\9bc92e97-62ac-430c-ad73-639362c94617\build2.exe"

C:\Users\Admin\AppData\Local\9bc92e97-62ac-430c-ad73-639362c94617\build2.exe

"C:\Users\Admin\AppData\Local\9bc92e97-62ac-430c-ad73-639362c94617\build2.exe"

C:\Users\Admin\AppData\Local\9bc92e97-62ac-430c-ad73-639362c94617\build3.exe

"C:\Users\Admin\AppData\Local\9bc92e97-62ac-430c-ad73-639362c94617\build3.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build2.exe" & exit

C:\Users\Admin\AppData\Local\4188eb52-7712-4c52-9d1e-f09135ab59fd\build2.exe

"C:\Users\Admin\AppData\Local\4188eb52-7712-4c52-9d1e-f09135ab59fd\build2.exe"

C:\Users\Admin\AppData\Local\4188eb52-7712-4c52-9d1e-f09135ab59fd\build3.exe

"C:\Users\Admin\AppData\Local\4188eb52-7712-4c52-9d1e-f09135ab59fd\build3.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\db8ef86c-6473-40fe-9237-c8b7677e1e8a\build2.exe

"C:\Users\Admin\AppData\Local\db8ef86c-6473-40fe-9237-c8b7677e1e8a\build2.exe"

C:\Users\Admin\AppData\Local\4188eb52-7712-4c52-9d1e-f09135ab59fd\build2.exe

"C:\Users\Admin\AppData\Local\4188eb52-7712-4c52-9d1e-f09135ab59fd\build2.exe"

C:\Users\Admin\AppData\Local\fbc100c6-440a-4833-94bb-685de5bdf22f\build2.exe

"C:\Users\Admin\AppData\Local\fbc100c6-440a-4833-94bb-685de5bdf22f\build2.exe"

C:\Users\Admin\AppData\Local\Temp\ACD4.exe

"C:\Users\Admin\AppData\Local\Temp\ACD4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\db8ef86c-6473-40fe-9237-c8b7677e1e8a\build2.exe

"C:\Users\Admin\AppData\Local\db8ef86c-6473-40fe-9237-c8b7677e1e8a\build2.exe"

C:\Users\Admin\AppData\Local\Temp\EA31.exe

"C:\Users\Admin\AppData\Local\Temp\EA31.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\fbc100c6-440a-4833-94bb-685de5bdf22f\build2.exe

"C:\Users\Admin\AppData\Local\fbc100c6-440a-4833-94bb-685de5bdf22f\build2.exe"

C:\Users\Admin\AppData\Local\fbc100c6-440a-4833-94bb-685de5bdf22f\build3.exe

"C:\Users\Admin\AppData\Local\fbc100c6-440a-4833-94bb-685de5bdf22f\build3.exe"

C:\Users\Admin\AppData\Local\db8ef86c-6473-40fe-9237-c8b7677e1e8a\build3.exe

"C:\Users\Admin\AppData\Local\db8ef86c-6473-40fe-9237-c8b7677e1e8a\build3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\4ef3b5e1-4d37-4790-b7cc-60754278f2d9\build2.exe

"C:\Users\Admin\AppData\Local\4ef3b5e1-4d37-4790-b7cc-60754278f2d9\build2.exe"

C:\Users\Admin\AppData\Local\4ef3b5e1-4d37-4790-b7cc-60754278f2d9\build2.exe

"C:\Users\Admin\AppData\Local\4ef3b5e1-4d37-4790-b7cc-60754278f2d9\build2.exe"

C:\Users\Admin\AppData\Local\15c904bc-926c-4a59-91d3-27db9bea5541\build2.exe

"C:\Users\Admin\AppData\Local\15c904bc-926c-4a59-91d3-27db9bea5541\build2.exe"

C:\Users\Admin\AppData\Local\4ef3b5e1-4d37-4790-b7cc-60754278f2d9\build3.exe

"C:\Users\Admin\AppData\Local\4ef3b5e1-4d37-4790-b7cc-60754278f2d9\build3.exe"

C:\Users\Admin\AppData\Local\15c904bc-926c-4a59-91d3-27db9bea5541\build2.exe

"C:\Users\Admin\AppData\Local\15c904bc-926c-4a59-91d3-27db9bea5541\build2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\234e1953-1c58-4d89-9410-c858b1a7c632\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\15c904bc-926c-4a59-91d3-27db9bea5541\build3.exe

"C:\Users\Admin\AppData\Local\15c904bc-926c-4a59-91d3-27db9bea5541\build3.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\4188eb52-7712-4c52-9d1e-f09135ab59fd\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\3947eec1-f922-4681-93ca-44ed9659af5d\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\4ef3b5e1-4d37-4790-b7cc-60754278f2d9\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\15c904bc-926c-4a59-91d3-27db9bea5541\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\9bc92e97-62ac-430c-ad73-639362c94617\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\fbc100c6-440a-4833-94bb-685de5bdf22f\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\db8ef86c-6473-40fe-9237-c8b7677e1e8a\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Roaming\tgicsaf

C:\Users\Admin\AppData\Roaming\tgicsaf

C:\Users\Admin\AppData\Roaming\hiicsaf

C:\Users\Admin\AppData\Roaming\hiicsaf

C:\Users\Admin\AppData\Roaming\bgicsaf

C:\Users\Admin\AppData\Roaming\bgicsaf

C:\Users\Admin\AppData\Roaming\tgicsaf

C:\Users\Admin\AppData\Roaming\tgicsaf

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 476

Network


Files

memory/1016-119-0x00000000024B0000-0x00000000025B0000-memory.dmp

memory/1016-120-0x00000000001F0000-0x00000000001F9000-memory.dmp

memory/1016-121-0x0000000000400000-0x00000000022E8000-memory.dmp

memory/3256-122-0x0000000000E20000-0x0000000000E36000-memory.dmp

memory/1016-123-0x0000000000400000-0x00000000022E8000-memory.dmp

memory/1016-126-0x00000000001F0000-0x00000000001F9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1BFF.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

C:\Users\Admin\AppData\Local\Temp\1BFF.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

C:\Users\Admin\AppData\Local\Temp\1DE4.exe

MD5 ae448e12c7d473e2696fc5b215cf32d7
SHA1 12aa5fcc6ef9d0127c4d05893d4dc638d6f768d4
SHA256 8b39ba1de46f2aa1b72f9b2a54297e890cdef8252dcdc67221eb18b46e4d9da6
SHA512 2b5cb99c1f198a121820472fe1774316097c4ec0370e982652038e1cb0af9940c5eddc1aab99291314b5d5b9dcd40332426d63cd752d51812b3e927db8981f88

C:\Users\Admin\AppData\Local\Temp\1DE4.exe

MD5 ae448e12c7d473e2696fc5b215cf32d7
SHA1 12aa5fcc6ef9d0127c4d05893d4dc638d6f768d4
SHA256 8b39ba1de46f2aa1b72f9b2a54297e890cdef8252dcdc67221eb18b46e4d9da6
SHA512 2b5cb99c1f198a121820472fe1774316097c4ec0370e982652038e1cb0af9940c5eddc1aab99291314b5d5b9dcd40332426d63cd752d51812b3e927db8981f88

memory/4248-139-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4248-140-0x00000000001C0000-0x00000000001F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2085.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

memory/4248-147-0x0000000073C50000-0x000000007433E000-memory.dmp

\Users\Admin\AppData\Local\Temp\2085.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

memory/4332-148-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4248-150-0x0000000000850000-0x0000000000856000-memory.dmp

memory/4332-149-0x0000000000D10000-0x0000000000D16000-memory.dmp

memory/4248-152-0x0000000004B20000-0x0000000005126000-memory.dmp

memory/4248-153-0x0000000005130000-0x000000000523A000-memory.dmp

memory/4248-155-0x00000000023C0000-0x00000000023D0000-memory.dmp

memory/4248-154-0x0000000002430000-0x0000000002442000-memory.dmp

memory/4248-156-0x0000000002450000-0x000000000248E000-memory.dmp

memory/4248-157-0x0000000005270000-0x00000000052BB000-memory.dmp

memory/4332-158-0x0000000004980000-0x0000000004A7E000-memory.dmp

memory/4332-159-0x0000000004A80000-0x0000000004B65000-memory.dmp

memory/4332-160-0x0000000004A80000-0x0000000004B65000-memory.dmp

memory/4332-162-0x0000000004A80000-0x0000000004B65000-memory.dmp

memory/4332-163-0x0000000004A80000-0x0000000004B65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34E9.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

C:\Users\Admin\AppData\Local\Temp\34E9.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

memory/5072-168-0x0000000003440000-0x00000000034D2000-memory.dmp

memory/5072-169-0x00000000035E0000-0x00000000036FB000-memory.dmp

memory/4368-170-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4368-172-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1BFF.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

memory/4368-173-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4368-174-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3CCA.exe

MD5 c8fc963052bcc152174211528f6faa1b
SHA1 0afba30bd355b1de4bf5c82449f01f82dc8a1bef
SHA256 260378a5afcb119d12b5c4f8467af4a26e84bbd6199b20b87b67a60a99a88823
SHA512 6a8d1b0696390d2a526c4428a5d572d8a7de82c6a2ed302506662e7d81a19b51d1a2c7616505516973fdd43800816f079b730f83b36899c3104810b8444af5b0

C:\Users\Admin\AppData\Local\Temp\3CCA.exe

MD5 c8fc963052bcc152174211528f6faa1b
SHA1 0afba30bd355b1de4bf5c82449f01f82dc8a1bef
SHA256 260378a5afcb119d12b5c4f8467af4a26e84bbd6199b20b87b67a60a99a88823
SHA512 6a8d1b0696390d2a526c4428a5d572d8a7de82c6a2ed302506662e7d81a19b51d1a2c7616505516973fdd43800816f079b730f83b36899c3104810b8444af5b0

memory/4248-179-0x0000000073C50000-0x000000007433E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\40F1.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

memory/4248-182-0x00000000053B0000-0x0000000005426000-memory.dmp

memory/4248-183-0x0000000005430000-0x00000000054C2000-memory.dmp

\Users\Admin\AppData\Local\Temp\40F1.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

memory/1128-185-0x0000000000CB0000-0x0000000000CB6000-memory.dmp

memory/4248-187-0x00000000054D0000-0x00000000059CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\449C.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/4248-193-0x0000000005CB0000-0x0000000005D16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\449C.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/4248-196-0x00000000023C0000-0x00000000023D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\48A4.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

C:\Users\Admin\AppData\Local\Temp\48A4.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

C:\Users\Admin\AppData\Local\Temp\4F3C.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

C:\Users\Admin\AppData\Local\Temp\4F3C.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

C:\Users\Admin\AppData\Local\Temp\4F3C.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/432-210-0x00000000040C0000-0x00000000041DB000-memory.dmp

memory/432-209-0x0000000004000000-0x0000000004096000-memory.dmp

memory/3724-211-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3724-214-0x0000000000400000-0x0000000000537000-memory.dmp

memory/832-215-0x0000000003FF0000-0x000000000408B000-memory.dmp

memory/3724-216-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\449C.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/3724-218-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2152-220-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\48A4.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/2152-221-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2152-224-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4812-227-0x0000000003FF0000-0x0000000004083000-memory.dmp

C:\Users\Admin\AppData\Local\03d52d47-2751-439d-afe5-c2e5f08f2aec\1BFF.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

C:\Users\Admin\AppData\Local\Temp\4F3C.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/3728-231-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3728-232-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3728-233-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 342793b7c2c83f8c313c8af2a4d31700
SHA1 05f6313185dbdd70c0467ce672182e8ae6e64f4d
SHA256 55f7d97695768ab43fd926ec4721dba8ed1e58594edbf5b64d69d216a7ac2c36
SHA512 d16c4dc77dd6623fea431bce6df1318b34572ad94fe8235ddbf3957c6f5c1ea297916e4d8e341b7f96342dd855a746194ac652551a8f82ba9ff8b696ee027712

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 a8cfb50a0e434d61c5950c39939c75ab
SHA1 bed51ce8cf805476ca8763e14a8fb83224734587
SHA256 418a1bfd833d82ff4c82f9326971c97b57d048413b142dd3268e4192b09f4b67
SHA512 4b2dc5c0cf7e3557cd1f9c6e7898915f789c0c45a0573f4ef8775ad473411a0a1c383199a80f9c830f9dd37a65531212cea0cedb60964e4a75fd9dff92171b61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 8d79325b5440a542bc047b8d005c9813
SHA1 c8eb4c287f0dc21735369d43463f69ba4833e57e
SHA256 dbaa80e8a838b95dbc3e5481982d9bdc16e9cde6b477076aeb81a986a01c1e94
SHA512 64e231666e2614f4f25b8771fe6f2f87e9ec0a86b8ec99705092705763e8d5959f5084272937badf311156bd3553eee7d77f83db1b8c8ce18fe0bbc8d1f54033

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 91d59ea2f3257a955e2255f336da59bb
SHA1 f138077c1e604bb60062004fa2a4fb0ebbc6be34
SHA256 d1a14d2fb21738523a59e22ded7d5d14eb4157be7de0791c53398c1c9e3b050a
SHA512 21ddc22a1831e84bf097de9a637a3e60a82e5f9270200856c26f5d40fe0a7e372a81877746a09ef33bbe7cd4e821fdd1689e5d42c16f824ff3e05dfc4cc22e73

memory/4368-238-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34E9.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

memory/3844-243-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3724-242-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3844-241-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\449C.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/3844-246-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1128-248-0x0000000004B10000-0x0000000004C0E000-memory.dmp

memory/2152-247-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\48A4.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/1128-251-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6D35.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

C:\Users\Admin\AppData\Local\Temp\6D35.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

memory/1128-257-0x0000000004C10000-0x0000000004CF5000-memory.dmp

memory/1128-259-0x0000000004C10000-0x0000000004CF5000-memory.dmp

memory/3476-261-0x0000000002500000-0x0000000002598000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\449C.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/5044-265-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5044-267-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5044-264-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4F3C.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/1128-269-0x0000000004C10000-0x0000000004CF5000-memory.dmp

memory/3728-268-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4388-273-0x0000000001910000-0x0000000001919000-memory.dmp

memory/2804-276-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\48A4.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/64-272-0x0000000003EC0000-0x0000000003F60000-memory.dmp

memory/2804-277-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4388-278-0x0000000000400000-0x00000000018BB000-memory.dmp

memory/2804-279-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4388-280-0x00000000018E0000-0x00000000018F5000-memory.dmp

memory/4864-284-0x0000000003FD0000-0x000000000406D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7E1E.exe

MD5 c8fc963052bcc152174211528f6faa1b
SHA1 0afba30bd355b1de4bf5c82449f01f82dc8a1bef
SHA256 260378a5afcb119d12b5c4f8467af4a26e84bbd6199b20b87b67a60a99a88823
SHA512 6a8d1b0696390d2a526c4428a5d572d8a7de82c6a2ed302506662e7d81a19b51d1a2c7616505516973fdd43800816f079b730f83b36899c3104810b8444af5b0

memory/4792-289-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4F3C.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

memory/4792-291-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4248-290-0x0000000004A20000-0x0000000004A70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7E1E.exe

MD5 c8fc963052bcc152174211528f6faa1b
SHA1 0afba30bd355b1de4bf5c82449f01f82dc8a1bef
SHA256 260378a5afcb119d12b5c4f8467af4a26e84bbd6199b20b87b67a60a99a88823
SHA512 6a8d1b0696390d2a526c4428a5d572d8a7de82c6a2ed302506662e7d81a19b51d1a2c7616505516973fdd43800816f079b730f83b36899c3104810b8444af5b0

memory/3844-292-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34E9.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

memory/4792-295-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5044-297-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2804-299-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2804-301-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5044-298-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84E6.exe

MD5 0c8972daf5bfd9c451bb35a829a0a76a
SHA1 903243415cc34a7069d4bd8bd6935ffed1c87ae2
SHA256 e70a0a203a7ad5a9b8526cc0615b51bbe5358418e277014847db9b4df774c271
SHA512 f834ace9351af6a32fc452fc29527e97f6a12daeca498380f698f77979da760809cd2a13169ea05172c29a53d2dc4b1659735ef3a65f34df680c3e47b5525aaa

memory/3256-305-0x0000000000FF0000-0x0000000001006000-memory.dmp

memory/4248-306-0x00000000062E0000-0x00000000064A2000-memory.dmp

C:\Users\Admin\AppData\Local\03d52d47-2751-439d-afe5-c2e5f08f2aec\1BFF.exe

MD5 6d0723838ff21bd3b04566cf12fea7bf
SHA1 b86d3bdb1c5f0c6e81951b1ab6018215d0de63c8
SHA256 997ebb64734bcd9ca9c19df48d21a59e186af81a8318f8540e2859067be5124f
SHA512 a1606283d691cdf14ece3167ae0f9e10c3ad24a3986a1e9fc15f248d62f0d01afc3ce293e25f8dc09c258fa405e29b7147a3dca8bddc7d4622b818939281b522

memory/4248-316-0x00000000064B0000-0x00000000069DC000-memory.dmp

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

MD5 6ab37c6fd8c563197ef79d09241843f1
SHA1 cb9bd05e2fc8cc06999a66b7b2d396ff4b5157e5
SHA256 d4849ec7852d9467f06fde6f25823331dad6bc76e7838d530e990b62286a754f
SHA512 dd1fae67d0f45ba1ec7e56347fdfc2a53f619650892c8a55e7fba80811b6c66d56544b1946a409eaaca06fa9503de20e160360445d959122e5ba3aa85b751cde

C:\SystemID\PersonalID.txt

MD5 dbe3661a216d9e3b599178758fadacb4
SHA1 29fc37cce7bc29551694d17d9eb82d4d470db176
SHA256 134967887ca1c9c78f4760e5761c11c2a8195671abccba36fcf3e76df6fff03b
SHA512 da90c77c47790b3791ee6cee8aa7d431813f2ee0c314001015158a48a117342b990aaac023b36e610cef71755e609cbf1f6932047c3b4ad4df8779544214687f

memory/4388-335-0x0000000000400000-0x00000000018BB000-memory.dmp

C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build2.exe

MD5 5fff52c407b5b46c10416067dac16d62
SHA1 c2263843ea244e5bd6c403342efaadd0af1c5522
SHA256 f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0
SHA512 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352

C:\Users\Admin\AppData\Local\Temp\542.exe

MD5 0c8972daf5bfd9c451bb35a829a0a76a
SHA1 903243415cc34a7069d4bd8bd6935ffed1c87ae2
SHA256 e70a0a203a7ad5a9b8526cc0615b51bbe5358418e277014847db9b4df774c271
SHA512 f834ace9351af6a32fc452fc29527e97f6a12daeca498380f698f77979da760809cd2a13169ea05172c29a53d2dc4b1659735ef3a65f34df680c3e47b5525aaa

C:\Users\Admin\AppData\Roaming\bgicsaf

MD5 c8fc963052bcc152174211528f6faa1b
SHA1 0afba30bd355b1de4bf5c82449f01f82dc8a1bef
SHA256 260378a5afcb119d12b5c4f8467af4a26e84bbd6199b20b87b67a60a99a88823
SHA512 6a8d1b0696390d2a526c4428a5d572d8a7de82c6a2ed302506662e7d81a19b51d1a2c7616505516973fdd43800816f079b730f83b36899c3104810b8444af5b0

C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build2.exe

MD5 5fff52c407b5b46c10416067dac16d62
SHA1 c2263843ea244e5bd6c403342efaadd0af1c5522
SHA256 f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0
SHA512 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352

C:\Users\Admin\AppData\Local\bowsakkdestx.txt

MD5 6ab37c6fd8c563197ef79d09241843f1
SHA1 cb9bd05e2fc8cc06999a66b7b2d396ff4b5157e5
SHA256 d4849ec7852d9467f06fde6f25823331dad6bc76e7838d530e990b62286a754f
SHA512 dd1fae67d0f45ba1ec7e56347fdfc2a53f619650892c8a55e7fba80811b6c66d56544b1946a409eaaca06fa9503de20e160360445d959122e5ba3aa85b751cde

C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/1408-389-0x0000000002520000-0x0000000002620000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1178.exe

MD5 0c8972daf5bfd9c451bb35a829a0a76a
SHA1 903243415cc34a7069d4bd8bd6935ffed1c87ae2
SHA256 e70a0a203a7ad5a9b8526cc0615b51bbe5358418e277014847db9b4df774c271
SHA512 f834ace9351af6a32fc452fc29527e97f6a12daeca498380f698f77979da760809cd2a13169ea05172c29a53d2dc4b1659735ef3a65f34df680c3e47b5525aaa

C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/1408-390-0x0000000003F80000-0x0000000003FF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1178.exe

MD5 0c8972daf5bfd9c451bb35a829a0a76a
SHA1 903243415cc34a7069d4bd8bd6935ffed1c87ae2
SHA256 e70a0a203a7ad5a9b8526cc0615b51bbe5358418e277014847db9b4df774c271
SHA512 f834ace9351af6a32fc452fc29527e97f6a12daeca498380f698f77979da760809cd2a13169ea05172c29a53d2dc4b1659735ef3a65f34df680c3e47b5525aaa

memory/2880-397-0x0000000002490000-0x0000000002590000-memory.dmp

memory/5044-401-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\6d6a95bd-de8a-4b74-a4a0-077eba5ed7a7\build2.exe

MD5 5fff52c407b5b46c10416067dac16d62
SHA1 c2263843ea244e5bd6c403342efaadd0af1c5522
SHA256 f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0
SHA512 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352

C:\Users\Admin\AppData\Local\932e919e-60ad-48c9-b02d-38f6ad67e3e2\build2.exe

MD5 5fff52c407b5b46c10416067dac16d62
SHA1 c2263843ea244e5bd6c403342efaadd0af1c5522
SHA256 f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0
SHA512 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352

C:\Users\Admin\AppData\Local\Temp\1D71.exe

MD5 e3188cbadba2ec3cb8a0af318914a331
SHA1 08584a8422fc50a687bed0f96c3b89a86fd79287
SHA256 25a5ebb37ae304d0aa09206f4996de6104968cf53a67b1b15feadf470d8893af
SHA512 2dd6be144dd2d843e56ae90d8d6c4ad22b2d0e37d5964e4e5557a42a2d1a0840b9cbd31a9bbf742475c6cacadb8a5d9a330e3547731574e280148b3a8d1c233b

C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build2.exe

MD5 5fff52c407b5b46c10416067dac16d62
SHA1 c2263843ea244e5bd6c403342efaadd0af1c5522
SHA256 f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0
SHA512 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352

C:\Users\Admin\AppData\Local\Temp\1AC0.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

memory/2920-412-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2768-429-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\387ed1a1-54be-4242-8245-7fd916f5b9ff\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/4368-441-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4364-455-0x0000000002580000-0x0000000002680000-memory.dmp

memory/2204-461-0x0000000000C40000-0x0000000001116000-memory.dmp

memory/2804-468-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1504-470-0x00000000008B0000-0x00000000008B6000-memory.dmp

memory/4044-473-0x0000000003FA8000-0x000000000403A000-memory.dmp

memory/808-475-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2204-480-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/4248-481-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/2324-482-0x0000000073C50000-0x000000007433E000-memory.dmp

memory/3860-483-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4792-484-0x0000000000400000-0x0000000000537000-memory.dmp

memory/872-486-0x00007FF6B0850000-0x00007FF6B08BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D35C.exe

MD5 319b7bf4b6c393bcc2e28918cad7a9bb
SHA1 e9cc9d2d2392af42952787f75f55ba7485d28f09
SHA256 fec5e8cb13f8418df2d3c2188c40eb2844084b02bdd9f2a899690b3a7b25986c
SHA512 382055289ae2cb67709937e53bdff76506768aad3fe20de1547e3059756098a4aae67aefffcc11ad3a3bd1bff1880da5af20de6f7dcd64e3d854a4c364b3edc2

C:\Users\Admin\AppData\Local\Temp\FB69.dll

MD5 277516a7152eaecf28213d8bf19cf575
SHA1 987e508af18837d972c5b8d7ed22a2fb17f45028
SHA256 544b1ec6a0a98e5494b1e2b6fb0d634872d03b7075a81f7f9d546f526f1f7b9e
SHA512 fc6a04ffdfcc9a103d4d3d2fefd47ba60163522454cce9b4049fb9e956a9fc4ae176115d99b1873ca1451bec885cb014b2138c520c32e0e3c31d20cad09bde6c

C:\ProgramData\42976825123131602206141461

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Roaming\tgicsaf

MD5 c7240da27683100d22697088ff67d132
SHA1 c44bd310f8094f8e53d268cf3758923e0402cf96
SHA256 48e1e6bde523a8ed7f6bad0ace70ee3c4e197c3900617905468e34ca19a73bce
SHA512 3ffdb8dab624a1a34b948d96692fa7c02859247c90fcba0b945c58f8fdf676d27fd75cc7c7245385cbcdc3254629019f87cba684ea3743f2e47d8f46a600f342

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\73879235468428956043200336

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vjliilr0.peu.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\ProgramData\vcruntime140.dll

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

C:\ProgramData\freebl3.dll

MD5 550686c0ee48c386dfcb40199bd076ac
SHA1 ee5134da4d3efcb466081fb6197be5e12a5b22ab
SHA256 edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa
SHA512 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

C:\ProgramData\86595251269142933077343617

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Windows\rss\csrss.exe

MD5 7b446339e092b565b9a212cb61fbed65
SHA1 9b64c8199aa3c412485f44987830a770356d67c9
SHA256 36562820d13eea0ccae535cce9e78cc976c4400fe77b48e10ff163456fba0bdf
SHA512 f5be43ed9bc4fe79ac87010833781cb6b4fea09a3ac82f09e44d18020b108b5ddb07e78af6be8c9f5224d2d923b9087dab842a56f98de0b3155a146d92d80e93