Analysis Overview
SHA256
5a0e96cab36bc183d9306c307738e9d0c01deb69c2e1660e269d12c4c560e11c
Threat Level: Known bad
The file 5a0e96cab36bc183d9306c307738e9d0c01deb69c2e1660e269d12c4c560e11c was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Djvu Ransomware
RedLine
Vidar
Suspicious use of NtCreateUserProcessOtherParentProcess
Detected Djvu ransomware
Detect Fabookie payload
Fabookie
Glupteba
Glupteba payload
Amadey
Drops file in Drivers directory
Stops running service(s)
Downloads MZ/PE file
Deletes itself
Modifies file permissions
Themida packer
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Delays execution with timeout.exe
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-12 04:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-12 04:47
Reported
2023-08-12 04:52
Platform
win7-20230712-en
Max time kernel
67s
Max time network
303s
Command Line
Signatures
Amadey
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Fabookie
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
SmokeLoader
Vidar
Downloads MZ/PE file
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4FF8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4FF8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4FF8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2993.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\latestplayer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56BD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA11.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\72db7180-e9d2-49ac-ae7c-ea1e6c44eb35\\EA11.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\EA11.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2752 set thread context of 524 | N/A | C:\Users\Admin\AppData\Local\Temp\EA11.exe | C:\Users\Admin\AppData\Local\Temp\EA11.exe |
| PID 3036 set thread context of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\EA11.exe | C:\Users\Admin\AppData\Local\Temp\EA11.exe |
| PID 2620 set thread context of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\2993.exe | C:\Users\Admin\AppData\Local\Temp\2993.exe |
| PID 2548 set thread context of 2960 | N/A | C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build2.exe | C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build2.exe |
| PID 2844 set thread context of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\56BD.exe | C:\Users\Admin\AppData\Local\Temp\56BD.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\491.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cli.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\EA11.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\EA11.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a0e96cab36bc183d9306c307738e9d0c01deb69c2e1660e269d12c4c560e11c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a0e96cab36bc183d9306c307738e9d0c01deb69c2e1660e269d12c4c560e11c.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a0e96cab36bc183d9306c307738e9d0c01deb69c2e1660e269d12c4c560e11c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EB98.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5a0e96cab36bc183d9306c307738e9d0c01deb69c2e1660e269d12c4c560e11c.exe
"C:\Users\Admin\AppData\Local\Temp\5a0e96cab36bc183d9306c307738e9d0c01deb69c2e1660e269d12c4c560e11c.exe"
C:\Users\Admin\AppData\Local\Temp\EA11.exe
C:\Users\Admin\AppData\Local\Temp\EA11.exe
C:\Users\Admin\AppData\Local\Temp\EB98.exe
C:\Users\Admin\AppData\Local\Temp\EB98.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F0F6.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\F0F6.dll
C:\Users\Admin\AppData\Local\Temp\EA11.exe
C:\Users\Admin\AppData\Local\Temp\EA11.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\72db7180-e9d2-49ac-ae7c-ea1e6c44eb35" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\EA11.exe
"C:\Users\Admin\AppData\Local\Temp\EA11.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\2993.exe
C:\Users\Admin\AppData\Local\Temp\2993.exe
C:\Users\Admin\AppData\Local\Temp\EA11.exe
"C:\Users\Admin\AppData\Local\Temp\EA11.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\4FF8.exe
C:\Users\Admin\AppData\Local\Temp\4FF8.exe
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
"C:\Users\Admin\AppData\Local\Temp\latestplayer.exe"
C:\Users\Admin\AppData\Local\Temp\2993.exe
C:\Users\Admin\AppData\Local\Temp\2993.exe
C:\Users\Admin\AppData\Local\Temp\56BD.exe
C:\Users\Admin\AppData\Local\Temp\56BD.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build2.exe
"C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build2.exe
"C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build2.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\61D5.exe
C:\Users\Admin\AppData\Local\Temp\61D5.exe
C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build3.exe
"C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build3.exe"
C:\Users\Admin\AppData\Local\Temp\56BD.exe
C:\Users\Admin\AppData\Local\Temp\56BD.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {948E5E25-F9E5-4998-8DC0-AC5AC6B183A5} S-1-5-21-1024678951-1535676557-2778719785-1000:KDGGTDCU\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\78C0.exe
C:\Users\Admin\AppData\Local\Temp\78C0.exe
C:\Users\Admin\AppData\Local\Temp\2993.exe
"C:\Users\Admin\AppData\Local\Temp\2993.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7FB3.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\7FB3.dll
C:\Users\Admin\AppData\Local\Temp\1000013001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\56BD.exe
"C:\Users\Admin\AppData\Local\Temp\56BD.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\61D5.exe
C:\Users\Admin\AppData\Local\Temp\61D5.exe
C:\Users\Admin\AppData\Local\Temp\1000013001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\C55B.exe
C:\Users\Admin\AppData\Local\Temp\C55B.exe
C:\Users\Admin\AppData\Local\Temp\C675.exe
C:\Users\Admin\AppData\Local\Temp\C675.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CE23.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\CE23.dll
C:\Users\Admin\AppData\Local\Temp\CF7B.exe
C:\Users\Admin\AppData\Local\Temp\CF7B.exe
C:\Users\Admin\AppData\Local\Temp\1000014001\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\E0BB.exe
C:\Users\Admin\AppData\Local\Temp\E0BB.exe
C:\Users\Admin\AppData\Local\Temp\61D5.exe
"C:\Users\Admin\AppData\Local\Temp\61D5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\491.exe
C:\Users\Admin\AppData\Local\Temp\491.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 544
C:\Users\Admin\AppData\Local\Temp\2993.exe
"C:\Users\Admin\AppData\Local\Temp\2993.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\78C0.exe
C:\Users\Admin\AppData\Local\Temp\78C0.exe
C:\Users\Admin\AppData\Local\Temp\61D5.exe
"C:\Users\Admin\AppData\Local\Temp\61D5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\fwsgjac
C:\Users\Admin\AppData\Roaming\fwsgjac
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\f5ccab22-8525-4ab7-ad4a-3ea03fdcd8a1\build2.exe
"C:\Users\Admin\AppData\Local\f5ccab22-8525-4ab7-ad4a-3ea03fdcd8a1\build2.exe"
C:\Users\Admin\AppData\Local\f5ccab22-8525-4ab7-ad4a-3ea03fdcd8a1\build3.exe
"C:\Users\Admin\AppData\Local\f5ccab22-8525-4ab7-ad4a-3ea03fdcd8a1\build3.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Roaming\hdsgjac
C:\Users\Admin\AppData\Roaming\hdsgjac
C:\Users\Admin\AppData\Local\f5ccab22-8525-4ab7-ad4a-3ea03fdcd8a1\build2.exe
"C:\Users\Admin\AppData\Local\f5ccab22-8525-4ab7-ad4a-3ea03fdcd8a1\build2.exe"
C:\Users\Admin\AppData\Local\Temp\56BD.exe
"C:\Users\Admin\AppData\Local\Temp\56BD.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\CF7B.exe
C:\Users\Admin\AppData\Local\Temp\CF7B.exe
C:\Users\Admin\AppData\Local\Temp\E0BB.exe
C:\Users\Admin\AppData\Local\Temp\E0BB.exe
C:\Users\Admin\AppData\Local\Temp\78C0.exe
"C:\Users\Admin\AppData\Local\Temp\78C0.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\E0BB.exe
"C:\Users\Admin\AppData\Local\Temp\E0BB.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\0fc76b97-7b10-413f-b738-c178adb1ea7b\build2.exe
"C:\Users\Admin\AppData\Local\0fc76b97-7b10-413f-b738-c178adb1ea7b\build2.exe"
C:\Users\Admin\AppData\Local\Temp\CF7B.exe
"C:\Users\Admin\AppData\Local\Temp\CF7B.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\0fc76b97-7b10-413f-b738-c178adb1ea7b\build3.exe
"C:\Users\Admin\AppData\Local\0fc76b97-7b10-413f-b738-c178adb1ea7b\build3.exe"
C:\Users\Admin\AppData\Local\0fc76b97-7b10-413f-b738-c178adb1ea7b\build2.exe
"C:\Users\Admin\AppData\Local\0fc76b97-7b10-413f-b738-c178adb1ea7b\build2.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\4e909d41-825d-442f-8b25-2ed7c373d9ef\build2.exe
"C:\Users\Admin\AppData\Local\4e909d41-825d-442f-8b25-2ed7c373d9ef\build2.exe"
C:\Users\Admin\AppData\Local\4e909d41-825d-442f-8b25-2ed7c373d9ef\build2.exe
"C:\Users\Admin\AppData\Local\4e909d41-825d-442f-8b25-2ed7c373d9ef\build2.exe"
C:\Users\Admin\AppData\Local\4e909d41-825d-442f-8b25-2ed7c373d9ef\build3.exe
"C:\Users\Admin\AppData\Local\4e909d41-825d-442f-8b25-2ed7c373d9ef\build3.exe"
C:\Users\Admin\AppData\Local\Temp\78C0.exe
"C:\Users\Admin\AppData\Local\Temp\78C0.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\CF7B.exe
"C:\Users\Admin\AppData\Local\Temp\CF7B.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\a1c70069-10e2-4e74-874e-09f662bd6f40\build2.exe
"C:\Users\Admin\AppData\Local\a1c70069-10e2-4e74-874e-09f662bd6f40\build2.exe"
C:\Users\Admin\AppData\Local\a1c70069-10e2-4e74-874e-09f662bd6f40\build2.exe
"C:\Users\Admin\AppData\Local\a1c70069-10e2-4e74-874e-09f662bd6f40\build2.exe"
C:\Users\Admin\AppData\Local\a1c70069-10e2-4e74-874e-09f662bd6f40\build3.exe
"C:\Users\Admin\AppData\Local\a1c70069-10e2-4e74-874e-09f662bd6f40\build3.exe"
C:\Users\Admin\AppData\Local\Temp\E0BB.exe
"C:\Users\Admin\AppData\Local\Temp\E0BB.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\4bee9693-85cc-4fb8-a258-9e05a060f6f6\build2.exe
"C:\Users\Admin\AppData\Local\4bee9693-85cc-4fb8-a258-9e05a060f6f6\build2.exe"
C:\Users\Admin\AppData\Local\4bee9693-85cc-4fb8-a258-9e05a060f6f6\build2.exe
"C:\Users\Admin\AppData\Local\4bee9693-85cc-4fb8-a258-9e05a060f6f6\build2.exe"
C:\Users\Admin\AppData\Local\4bee9693-85cc-4fb8-a258-9e05a060f6f6\build3.exe
"C:\Users\Admin\AppData\Local\4bee9693-85cc-4fb8-a258-9e05a060f6f6\build3.exe"
C:\Users\Admin\AppData\Local\3bfa7c75-d54c-4767-bba2-c0d60d445afb\build2.exe
"C:\Users\Admin\AppData\Local\3bfa7c75-d54c-4767-bba2-c0d60d445afb\build2.exe"
C:\Users\Admin\AppData\Local\3bfa7c75-d54c-4767-bba2-c0d60d445afb\build2.exe
"C:\Users\Admin\AppData\Local\3bfa7c75-d54c-4767-bba2-c0d60d445afb\build2.exe"
C:\Users\Admin\AppData\Local\3bfa7c75-d54c-4767-bba2-c0d60d445afb\build3.exe
"C:\Users\Admin\AppData\Local\3bfa7c75-d54c-4767-bba2-c0d60d445afb\build3.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\cli.exe
"C:\Users\Admin\AppData\Local\Temp\cli.exe"
C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
C:\Windows\Temp\setup.exe
"C:\Windows\Temp\setup.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\cc.exe
"C:\Users\Admin\AppData\Local\Temp\cc.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230812045219.log C:\Windows\Logs\CBS\CbsPersist_20230812045219.cab
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=59731 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataUBGN6" --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUBGN6" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUBGN6\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataUBGN6" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef6899758,0x7fef6899768,0x7fef6899778
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 108
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=912 --field-trial-handle=1076,i,13715399774396599499,5652458473456974156,131072 --disable-features=PaintHolding /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1208 --field-trial-handle=1076,i,13715399774396599499,5652458473456974156,131072 --disable-features=PaintHolding /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\1000014001\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.96.0:80 | potunulit.org | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| MX | 189.232.25.209:80 | colisumy.com | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| MX | 189.232.25.209:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | admaiscont.com.br | udp |
| US | 142.4.24.122:443 | admaiscont.com.br | tcp |
| US | 142.4.24.122:443 | admaiscont.com.br | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| MX | 189.232.25.209:80 | colisumy.com | tcp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | us.imgjeoigaa.com | udp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| HK | 103.100.211.218:80 | us.imgjeoigaa.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| NL | 23.222.49.98:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | app.nnnaajjjgc.com | udp |
| HK | 154.221.26.108:80 | app.nnnaajjjgc.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 194.169.175.233:3003 | 194.169.175.233 | tcp |
| MX | 189.232.25.209:80 | colisumy.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 142.4.24.122:443 | admaiscont.com.br | tcp |
| US | 142.4.24.122:443 | admaiscont.com.br | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| DE | 91.103.253.23:80 | host-host-file8.com | tcp |
| PL | 51.83.170.21:19447 | N/A | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| MX | 189.232.25.209:80 | colisumy.com | tcp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 23.222.49.98:443 | steamcommunity.com | tcp |
| PL | 51.83.170.21:19447 | N/A | tcp |
| FI | 95.217.28.234:80 | 95.217.28.234 | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| RO | 109.98.58.98:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| RO | 109.98.58.98:80 | colisumy.com | tcp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| RO | 109.98.58.98:80 | colisumy.com | tcp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| RO | 109.98.58.98:80 | colisumy.com | tcp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| RO | 109.98.58.98:80 | colisumy.com | tcp |
| FI | 95.217.28.234:80 | 95.217.28.234 | tcp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| NL | 23.222.49.98:443 | steamcommunity.com | tcp |
| FI | 95.217.28.234:80 | 95.217.28.234 | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.70:80 | apps.identrust.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 23.222.49.98:443 | steamcommunity.com | tcp |
| FI | 95.217.28.234:80 | 95.217.28.234 | tcp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 104.85.1.163:80 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| NL | 23.222.49.98:443 | steamcommunity.com | tcp |
| FI | 95.217.28.234:80 | 95.217.28.234 | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| NL | 23.222.49.98:443 | steamcommunity.com | tcp |
| FI | 95.217.28.234:80 | 95.217.28.234 | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
Files
memory/2896-53-0x00000000002A0000-0x00000000002B5000-memory.dmp
memory/2896-54-0x00000000002C0000-0x00000000002C9000-memory.dmp
memory/2896-55-0x0000000000400000-0x00000000018BC000-memory.dmp
memory/1212-56-0x0000000002950000-0x0000000002966000-memory.dmp
memory/2896-57-0x0000000000400000-0x00000000018BC000-memory.dmp
memory/2896-60-0x00000000002C0000-0x00000000002C9000-memory.dmp
memory/2896-61-0x00000000002A0000-0x00000000002B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA11.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Local\Temp\EA11.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Local\Temp\EB98.exe
| MD5 | 17f7648488eccf1bc15957c21184095e |
| SHA1 | 50355744481f0785ce1e5e526b551c76df14cfcc |
| SHA256 | cb477afcbd198374ce7202b93ae88cb3df31b284c7741f9c463a74c41e2a529a |
| SHA512 | d4aca3b92e1e0e2d6a10dd648a116486202a6af4251237e94cc3f44454cc33c56bb16adfed8ed9a9064a3d6db8c1ab3e08563ebf6cc0b0637836aba1ff6e44dc |
C:\Users\Admin\AppData\Local\Temp\EB98.exe
| MD5 | 17f7648488eccf1bc15957c21184095e |
| SHA1 | 50355744481f0785ce1e5e526b551c76df14cfcc |
| SHA256 | cb477afcbd198374ce7202b93ae88cb3df31b284c7741f9c463a74c41e2a529a |
| SHA512 | d4aca3b92e1e0e2d6a10dd648a116486202a6af4251237e94cc3f44454cc33c56bb16adfed8ed9a9064a3d6db8c1ab3e08563ebf6cc0b0637836aba1ff6e44dc |
memory/2996-77-0x0000000000220000-0x0000000000250000-memory.dmp
memory/2996-78-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2996-82-0x0000000074470000-0x0000000074B5E000-memory.dmp
memory/2996-83-0x00000000004E0000-0x00000000004E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F0F6.dll
| MD5 | d16e1a094cd60ee92e872bd1e36e7bc4 |
| SHA1 | 2b9ca29faee9bf02d7de06e935a2488cb25b0a10 |
| SHA256 | 1b71e557a515845a84f8270963139dbbd5ec3585abebc38ef009e9d87a0cdcaa |
| SHA512 | 08e397fd67486167396fce5ff63a04789260b55990186caf9d54ec21c58e4009a9608a40a1d9987e92ab4c674782d2f907c3e2570a2f402cb0e182854702562f |
memory/2768-87-0x0000000001F30000-0x0000000002192000-memory.dmp
\Users\Admin\AppData\Local\Temp\F0F6.dll
| MD5 | d16e1a094cd60ee92e872bd1e36e7bc4 |
| SHA1 | 2b9ca29faee9bf02d7de06e935a2488cb25b0a10 |
| SHA256 | 1b71e557a515845a84f8270963139dbbd5ec3585abebc38ef009e9d87a0cdcaa |
| SHA512 | 08e397fd67486167396fce5ff63a04789260b55990186caf9d54ec21c58e4009a9608a40a1d9987e92ab4c674782d2f907c3e2570a2f402cb0e182854702562f |
memory/2996-88-0x00000000046F0000-0x0000000004730000-memory.dmp
memory/2768-89-0x0000000001F30000-0x0000000002192000-memory.dmp
memory/2768-90-0x0000000000140000-0x0000000000146000-memory.dmp
memory/2752-92-0x0000000000220000-0x00000000002B1000-memory.dmp
memory/2752-93-0x0000000001940000-0x0000000001A5B000-memory.dmp
memory/524-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/524-98-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA11.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
\Users\Admin\AppData\Local\Temp\EA11.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/2752-101-0x0000000000220000-0x00000000002B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA11.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/524-102-0x0000000000400000-0x0000000000537000-memory.dmp
memory/524-103-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab89A.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
memory/2768-120-0x00000000024F0000-0x00000000025EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarA71.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
memory/2768-139-0x00000000025F0000-0x00000000026D2000-memory.dmp
C:\Users\Admin\AppData\Local\72db7180-e9d2-49ac-ae7c-ea1e6c44eb35\EA11.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/2768-142-0x00000000025F0000-0x00000000026D2000-memory.dmp
memory/2768-144-0x00000000025F0000-0x00000000026D2000-memory.dmp
memory/2996-143-0x0000000074470000-0x0000000074B5E000-memory.dmp
\Users\Admin\AppData\Local\Temp\EA11.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
\Users\Admin\AppData\Local\Temp\EA11.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/524-147-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA11.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/2996-149-0x00000000046F0000-0x0000000004730000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2993.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
\Users\Admin\AppData\Local\Temp\EA11.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/1828-174-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA11.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | a8cfb50a0e434d61c5950c39939c75ab |
| SHA1 | bed51ce8cf805476ca8763e14a8fb83224734587 |
| SHA256 | 418a1bfd833d82ff4c82f9326971c97b57d048413b142dd3268e4192b09f4b67 |
| SHA512 | 4b2dc5c0cf7e3557cd1f9c6e7898915f789c0c45a0573f4ef8775ad473411a0a1c383199a80f9c830f9dd37a65531212cea0cedb60964e4a75fd9dff92171b61 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 94634bddc8d66650f3a2bba20e61bb8d |
| SHA1 | e48a51e423964150d9ae333679f5b8af3c25f5d0 |
| SHA256 | 85c0016d684a15b9e2a3f0a86a059e6693b125fed03b8c89d2a3af187610f5ba |
| SHA512 | c3e0e3d14d7b5ce6b9ceb41c99eb4dc3cb4c64ddb98f1975c63516b8d84cb35367a9f9d12c9e1d6a6cd161182711cbfb863801e4f66d787f99c423411ac06f6a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 91d59ea2f3257a955e2255f336da59bb |
| SHA1 | f138077c1e604bb60062004fa2a4fb0ebbc6be34 |
| SHA256 | d1a14d2fb21738523a59e22ded7d5d14eb4157be7de0791c53398c1c9e3b050a |
| SHA512 | 21ddc22a1831e84bf097de9a637a3e60a82e5f9270200856c26f5d40fe0a7e372a81877746a09ef33bbe7cd4e821fdd1689e5d42c16f824ff3e05dfc4cc22e73 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ae1cde5b703361aa49f9f10762d62203 |
| SHA1 | 21bc27b0855b6e8448140e916dd53678ad6302a1 |
| SHA256 | 9bf60935149b7fb36ccdfd7fbd8bba4d7e48cb890a25df4878f5e576e9918012 |
| SHA512 | 427bf86715ce3faf01cb9ca379f6c13049475ef042bd1982ba359943dd3b210b82630ddf867ad73710d949041e3532d3c1bb473fdbc90895480ed7944220f9da |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 6efd3e50ec6b52d88b00bad64b6b9207 |
| SHA1 | 61a37212f0670d29c48a170b062ef532130f6373 |
| SHA256 | 669b8310f57055250afbc7ceed4feecd3a6c4fbe9e48eadabdabb9fc4eba1e46 |
| SHA512 | a57ec3b5664688859731425cde7bad464edae64c6223f205df6e6ee8a89626930508dd5a4a5c81ae9d7a8e5e246f9a1464b5acbece76d395f601376ce651f71f |
memory/1828-251-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1828-252-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4FF8.exe
| MD5 | 00f2d53d4e13ead70fb44c3a7c251675 |
| SHA1 | 5933e3de281fb95625099ef9a788b3cddf48c96a |
| SHA256 | 6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7 |
| SHA512 | 9915af42f02ff5964de413a4c0ae94cb4ba29daf3d9219c1ad529d7240120652fd91677813e4a96966c32eaf8ecd2604aa92363ad0be4b7144de1cba1c59ec7a |
memory/2372-266-0x00000000013E0000-0x000000000149E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4FF8.exe
| MD5 | 00f2d53d4e13ead70fb44c3a7c251675 |
| SHA1 | 5933e3de281fb95625099ef9a788b3cddf48c96a |
| SHA256 | 6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7 |
| SHA512 | 9915af42f02ff5964de413a4c0ae94cb4ba29daf3d9219c1ad529d7240120652fd91677813e4a96966c32eaf8ecd2604aa92363ad0be4b7144de1cba1c59ec7a |
memory/1828-271-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2372-272-0x0000000074470000-0x0000000074B5E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
| MD5 | 9c41471456337de6ded08b8c1ea8902d |
| SHA1 | 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba |
| SHA256 | d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b |
| SHA512 | 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc |
\Users\Admin\AppData\Local\Temp\aafg31.exe
| MD5 | 9c41471456337de6ded08b8c1ea8902d |
| SHA1 | 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba |
| SHA256 | d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b |
| SHA512 | 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc |
\Users\Admin\AppData\Local\Temp\aafg31.exe
| MD5 | 9c41471456337de6ded08b8c1ea8902d |
| SHA1 | 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba |
| SHA256 | d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b |
| SHA512 | 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc |
memory/860-281-0x00000000FF830000-0x00000000FF89A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
| MD5 | 9c41471456337de6ded08b8c1ea8902d |
| SHA1 | 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba |
| SHA256 | d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b |
| SHA512 | 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc |
memory/1828-285-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\latestplayer.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1828-287-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\56BD.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1828-288-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2372-298-0x0000000074470000-0x0000000074B5E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2993.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
\Users\Admin\AppData\Local\Temp\2993.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Local\Temp\56BD.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
C:\Users\Admin\AppData\Local\Temp\2993.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/988-317-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
memory/2960-334-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2548-333-0x0000000002760000-0x0000000002860000-memory.dmp
memory/2960-337-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2548-335-0x0000000000220000-0x0000000000298000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\61D5.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/1828-348-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1828-351-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2844-367-0x0000000001B00000-0x0000000001C1B000-memory.dmp
C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\faacf8cb-ee19-4c75-96a1-50cc62baf585\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/2844-365-0x00000000002F0000-0x0000000000382000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\56BD.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
\Users\Admin\AppData\Local\Temp\56BD.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
memory/1396-368-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1396-371-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1396-372-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\56BD.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
memory/2960-373-0x0000000000400000-0x000000000048C000-memory.dmp
memory/2960-381-0x0000000000400000-0x000000000048C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\78C0.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
memory/860-385-0x0000000002EA0000-0x0000000002FD0000-memory.dmp
memory/860-384-0x0000000002D30000-0x0000000002EA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\2993.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/988-402-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\2993.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
\Users\Admin\AppData\Local\Temp\2993.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Local\Temp\1000013001\toolspub2.exe
| MD5 | a76e515e1150c903070a1eb1b2d216c0 |
| SHA1 | e747dbe088744a6de47ffcc9072404bfa60545ad |
| SHA256 | a3b9b231eedc6701cd76d624ed7dbfab8614e8a07088512b5e6ef3aa44235f50 |
| SHA512 | 9ecd639b13a60f920d60e1472fa056f4422bd3eb3e8310ed328e5ac361c00dfff657f7d04b54c9c746da9387044c32473904768535b5f4b6def96a93ae9a6a30 |
C:\Users\Admin\AppData\Local\Temp\7FB3.dll
| MD5 | 7533fc995dfdb0530daded7c953e9789 |
| SHA1 | 6d3cef576d480ba5e126d0f4fa43484857230a24 |
| SHA256 | 0a7841f5c344e06c75bdb80e774b448b8fc34978b900440ea12f6bb90270523d |
| SHA512 | e96f04137354f9a57f14edf0addcda4ad65b3e8109cffd8c5083e2687a6f189e5a422c588975c412c943290a089de02e6552fd0e48c7370f32a7430836994634 |
\Users\Admin\AppData\Local\Temp\1000013001\toolspub2.exe
| MD5 | a76e515e1150c903070a1eb1b2d216c0 |
| SHA1 | e747dbe088744a6de47ffcc9072404bfa60545ad |
| SHA256 | a3b9b231eedc6701cd76d624ed7dbfab8614e8a07088512b5e6ef3aa44235f50 |
| SHA512 | 9ecd639b13a60f920d60e1472fa056f4422bd3eb3e8310ed328e5ac361c00dfff657f7d04b54c9c746da9387044c32473904768535b5f4b6def96a93ae9a6a30 |
C:\Users\Admin\AppData\Local\Temp\1000013001\toolspub2.exe
| MD5 | a76e515e1150c903070a1eb1b2d216c0 |
| SHA1 | e747dbe088744a6de47ffcc9072404bfa60545ad |
| SHA256 | a3b9b231eedc6701cd76d624ed7dbfab8614e8a07088512b5e6ef3aa44235f50 |
| SHA512 | 9ecd639b13a60f920d60e1472fa056f4422bd3eb3e8310ed328e5ac361c00dfff657f7d04b54c9c746da9387044c32473904768535b5f4b6def96a93ae9a6a30 |
\Users\Admin\AppData\Local\Temp\1000013001\toolspub2.exe
| MD5 | a76e515e1150c903070a1eb1b2d216c0 |
| SHA1 | e747dbe088744a6de47ffcc9072404bfa60545ad |
| SHA256 | a3b9b231eedc6701cd76d624ed7dbfab8614e8a07088512b5e6ef3aa44235f50 |
| SHA512 | 9ecd639b13a60f920d60e1472fa056f4422bd3eb3e8310ed328e5ac361c00dfff657f7d04b54c9c746da9387044c32473904768535b5f4b6def96a93ae9a6a30 |
\Users\Admin\AppData\Local\Temp\7FB3.dll
| MD5 | 7533fc995dfdb0530daded7c953e9789 |
| SHA1 | 6d3cef576d480ba5e126d0f4fa43484857230a24 |
| SHA256 | 0a7841f5c344e06c75bdb80e774b448b8fc34978b900440ea12f6bb90270523d |
| SHA512 | e96f04137354f9a57f14edf0addcda4ad65b3e8109cffd8c5083e2687a6f189e5a422c588975c412c943290a089de02e6552fd0e48c7370f32a7430836994634 |
\Users\Admin\AppData\Local\Temp\56BD.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
C:\Users\Admin\AppData\Local\Temp\61D5.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
C:\Users\Admin\AppData\Local\Temp\C675.exe
| MD5 | 38484b1d577ecf98fed9e4eab2ada142 |
| SHA1 | ece6dc7f8b098151067d66edbbf10a7730bc725b |
| SHA256 | bea60a6d436d1d750f83f0df89dce0367822b76b3c67acfd95ff038870930789 |
| SHA512 | 3bfbed508703dd92e37871b1d4f6475592c17cc9346c3fbd9b1bc3963e2feb0508c364b199ad88ee3a6e7b4c935ef02a0febf98b559be25c93ccefa9fcfc7d9a |
C:\Users\Admin\AppData\Local\Temp\1000014001\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | b2e91cdd0e1c97efec540f2f60472d94 |
| SHA1 | 719d6ebb5c0098733ed7acfb99909afe3d9468e2 |
| SHA256 | f2d0f2dac71c7ee35134c60db2f50514005e58832b2dedc388080c71dad6f411 |
| SHA512 | 9b8585366912b132e4cf5dec0d0f92718fea4797d38dc61d7e2d979759afc52d064bb6dd6a0b90be32b3575855a7f0b58507e138e94d2c0ed9ad8514b84c4e3a |
C:\Users\Admin\AppData\Local\Temp\491.exe
| MD5 | 00f2d53d4e13ead70fb44c3a7c251675 |
| SHA1 | 5933e3de281fb95625099ef9a788b3cddf48c96a |
| SHA256 | 6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7 |
| SHA512 | 9915af42f02ff5964de413a4c0ae94cb4ba29daf3d9219c1ad529d7240120652fd91677813e4a96966c32eaf8ecd2604aa92363ad0be4b7144de1cba1c59ec7a |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\02701932404153614222469268
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\Windows\Temp\setup.exe
| MD5 | bc202c47461acbe8bef80e143eb3a364 |
| SHA1 | 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634 |
| SHA256 | df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb |
| SHA512 | 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\55671588033485279006663660
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-12 04:47
Reported
2023-08-12 04:52
Platform
win10-20230703-en
Max time kernel
263s
Max time network
303s
Command Line
Signatures
Amadey
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Fabookie
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5088 created 3224 | N/A | C:\Windows\Temp\setup.exe | C:\Windows\Explorer.EXE |
| PID 1532 created 3224 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Windows\Temp\setup.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A |
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dd62e542-db90-4c91-949b-98957eb6d785\\52B.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\52B.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppLaunch = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\setup.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Temp\setup.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\91CC.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\cli.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\hvbbbcg |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a0e96cab36bc183d9306c307738e9d0c01deb69c2e1660e269d12c4c560e11c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\eibbbcg | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\818E.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\720.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\43B5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\5a0e96cab36bc183d9306c307738e9d0c01deb69c2e1660e269d12c4c560e11c.exe
"C:\Users\Admin\AppData\Local\Temp\5a0e96cab36bc183d9306c307738e9d0c01deb69c2e1660e269d12c4c560e11c.exe"
C:\Users\Admin\AppData\Local\Temp\52B.exe
C:\Users\Admin\AppData\Local\Temp\52B.exe
C:\Users\Admin\AppData\Local\Temp\720.exe
C:\Users\Admin\AppData\Local\Temp\720.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B38.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\B38.dll
C:\Users\Admin\AppData\Local\Temp\1B56.exe
C:\Users\Admin\AppData\Local\Temp\1B56.exe
C:\Users\Admin\AppData\Local\Temp\52B.exe
C:\Users\Admin\AppData\Local\Temp\52B.exe
C:\Users\Admin\AppData\Local\Temp\26B1.exe
C:\Users\Admin\AppData\Local\Temp\26B1.exe
C:\Users\Admin\AppData\Local\Temp\2CEC.exe
C:\Users\Admin\AppData\Local\Temp\2CEC.exe
C:\Users\Admin\AppData\Local\Temp\301A.exe
C:\Users\Admin\AppData\Local\Temp\301A.exe
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
"C:\Users\Admin\AppData\Local\Temp\latestplayer.exe"
C:\Users\Admin\AppData\Local\Temp\3480.exe
C:\Users\Admin\AppData\Local\Temp\3480.exe
C:\Users\Admin\AppData\Local\Temp\3953.exe
C:\Users\Admin\AppData\Local\Temp\3953.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\dd62e542-db90-4c91-949b-98957eb6d785" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3EF1.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\3EF1.dll
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\43B5.exe
C:\Users\Admin\AppData\Local\Temp\43B5.exe
C:\Users\Admin\AppData\Local\Temp\482B.exe
C:\Users\Admin\AppData\Local\Temp\482B.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\502B.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\502B.dll
C:\Users\Admin\AppData\Local\Temp\1B56.exe
C:\Users\Admin\AppData\Local\Temp\1B56.exe
C:\Users\Admin\AppData\Local\Temp\5F20.exe
C:\Users\Admin\AppData\Local\Temp\5F20.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\7161.exe
C:\Users\Admin\AppData\Local\Temp\7161.exe
C:\Users\Admin\AppData\Local\Temp\1B56.exe
"C:\Users\Admin\AppData\Local\Temp\1B56.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\818E.exe
C:\Users\Admin\AppData\Local\Temp\818E.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\91CC.exe
C:\Users\Admin\AppData\Local\Temp\91CC.exe
C:\Users\Admin\AppData\Local\Temp\52B.exe
"C:\Users\Admin\AppData\Local\Temp\52B.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\301A.exe
C:\Users\Admin\AppData\Local\Temp\301A.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 788
C:\Users\Admin\AppData\Local\Temp\3480.exe
C:\Users\Admin\AppData\Local\Temp\3480.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\3953.exe
C:\Users\Admin\AppData\Local\Temp\3953.exe
C:\Users\Admin\AppData\Local\Temp\301A.exe
"C:\Users\Admin\AppData\Local\Temp\301A.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\3480.exe
"C:\Users\Admin\AppData\Local\Temp\3480.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Users\Admin\AppData\Local\Temp\3953.exe
"C:\Users\Admin\AppData\Local\Temp\3953.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\5F20.exe
C:\Users\Admin\AppData\Local\Temp\5F20.exe
C:\Users\Admin\AppData\Local\Temp\7161.exe
C:\Users\Admin\AppData\Local\Temp\7161.exe
C:\Users\Admin\AppData\Local\Temp\1B56.exe
"C:\Users\Admin\AppData\Local\Temp\1B56.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\52B.exe
"C:\Users\Admin\AppData\Local\Temp\52B.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\5F20.exe
"C:\Users\Admin\AppData\Local\Temp\5F20.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\574210db-ff6b-4a1e-8a24-aca20a6e4b11\build2.exe
"C:\Users\Admin\AppData\Local\574210db-ff6b-4a1e-8a24-aca20a6e4b11\build2.exe"
C:\Users\Admin\AppData\Local\Temp\301A.exe
"C:\Users\Admin\AppData\Local\Temp\301A.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\7161.exe
"C:\Users\Admin\AppData\Local\Temp\7161.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\574210db-ff6b-4a1e-8a24-aca20a6e4b11\build3.exe
"C:\Users\Admin\AppData\Local\574210db-ff6b-4a1e-8a24-aca20a6e4b11\build3.exe"
C:\Users\Admin\AppData\Local\574210db-ff6b-4a1e-8a24-aca20a6e4b11\build2.exe
"C:\Users\Admin\AppData\Local\574210db-ff6b-4a1e-8a24-aca20a6e4b11\build2.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\3480.exe
"C:\Users\Admin\AppData\Local\Temp\3480.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\3899c8c8-05ea-44e0-97a2-54a68ff44ffc\build2.exe
"C:\Users\Admin\AppData\Local\3899c8c8-05ea-44e0-97a2-54a68ff44ffc\build2.exe"
C:\Users\Admin\AppData\Local\Temp\3953.exe
"C:\Users\Admin\AppData\Local\Temp\3953.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\3899c8c8-05ea-44e0-97a2-54a68ff44ffc\build2.exe
"C:\Users\Admin\AppData\Local\3899c8c8-05ea-44e0-97a2-54a68ff44ffc\build2.exe"
C:\Users\Admin\AppData\Local\3899c8c8-05ea-44e0-97a2-54a68ff44ffc\build3.exe
"C:\Users\Admin\AppData\Local\3899c8c8-05ea-44e0-97a2-54a68ff44ffc\build3.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Roaming\hvbbbcg
C:\Users\Admin\AppData\Roaming\hvbbbcg
C:\Users\Admin\AppData\Roaming\eibbbcg
C:\Users\Admin\AppData\Roaming\eibbbcg
C:\Users\Admin\AppData\Local\Temp\5F20.exe
"C:\Users\Admin\AppData\Local\Temp\5F20.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\c766bd06-e5ea-46c4-a87a-6f33314cf764\build2.exe
"C:\Users\Admin\AppData\Local\c766bd06-e5ea-46c4-a87a-6f33314cf764\build2.exe"
C:\Users\Admin\AppData\Local\c766bd06-e5ea-46c4-a87a-6f33314cf764\build2.exe
"C:\Users\Admin\AppData\Local\c766bd06-e5ea-46c4-a87a-6f33314cf764\build2.exe"
C:\Users\Admin\AppData\Local\fa3fff9f-baea-405f-94a3-dbb5085cdfe4\build2.exe
"C:\Users\Admin\AppData\Local\fa3fff9f-baea-405f-94a3-dbb5085cdfe4\build2.exe"
C:\Users\Admin\AppData\Local\c766bd06-e5ea-46c4-a87a-6f33314cf764\build3.exe
"C:\Users\Admin\AppData\Local\c766bd06-e5ea-46c4-a87a-6f33314cf764\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\fa3fff9f-baea-405f-94a3-dbb5085cdfe4\build3.exe
"C:\Users\Admin\AppData\Local\fa3fff9f-baea-405f-94a3-dbb5085cdfe4\build3.exe"
C:\Users\Admin\AppData\Local\fa3fff9f-baea-405f-94a3-dbb5085cdfe4\build2.exe
"C:\Users\Admin\AppData\Local\fa3fff9f-baea-405f-94a3-dbb5085cdfe4\build2.exe"
C:\Users\Admin\AppData\Local\Temp\7161.exe
"C:\Users\Admin\AppData\Local\Temp\7161.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\0eac4080-75a0-4a1e-96c5-9d465f01ed7d\build2.exe
"C:\Users\Admin\AppData\Local\0eac4080-75a0-4a1e-96c5-9d465f01ed7d\build2.exe"
C:\Users\Admin\AppData\Local\0eac4080-75a0-4a1e-96c5-9d465f01ed7d\build2.exe
"C:\Users\Admin\AppData\Local\0eac4080-75a0-4a1e-96c5-9d465f01ed7d\build2.exe"
C:\Users\Admin\AppData\Local\0eac4080-75a0-4a1e-96c5-9d465f01ed7d\build3.exe
"C:\Users\Admin\AppData\Local\0eac4080-75a0-4a1e-96c5-9d465f01ed7d\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\74ab17ea-c1ec-41fd-ad3f-af03b6aaa1ec\build2.exe
"C:\Users\Admin\AppData\Local\74ab17ea-c1ec-41fd-ad3f-af03b6aaa1ec\build2.exe"
C:\Users\Admin\AppData\Local\c06c3ffb-3369-4e95-82b0-dd520db1a157\build2.exe
"C:\Users\Admin\AppData\Local\c06c3ffb-3369-4e95-82b0-dd520db1a157\build2.exe"
C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
C:\Users\Admin\AppData\Local\74ab17ea-c1ec-41fd-ad3f-af03b6aaa1ec\build2.exe
"C:\Users\Admin\AppData\Local\74ab17ea-c1ec-41fd-ad3f-af03b6aaa1ec\build2.exe"
C:\Users\Admin\AppData\Local\Temp\cli.exe
"C:\Users\Admin\AppData\Local\Temp\cli.exe"
C:\Users\Admin\AppData\Local\74ab17ea-c1ec-41fd-ad3f-af03b6aaa1ec\build3.exe
"C:\Users\Admin\AppData\Local\74ab17ea-c1ec-41fd-ad3f-af03b6aaa1ec\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\c06c3ffb-3369-4e95-82b0-dd520db1a157\build2.exe
"C:\Users\Admin\AppData\Local\c06c3ffb-3369-4e95-82b0-dd520db1a157\build2.exe"
C:\Windows\Temp\setup.exe
"C:\Windows\Temp\setup.exe"
C:\Users\Admin\AppData\Local\c06c3ffb-3369-4e95-82b0-dd520db1a157\build3.exe
"C:\Users\Admin\AppData\Local\c06c3ffb-3369-4e95-82b0-dd520db1a157\build3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 288
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\574210db-ff6b-4a1e-8a24-aca20a6e4b11\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Local\Temp\cc.exe
"C:\Users\Admin\AppData\Local\Temp\cc.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=19781 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ8964" --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ8964" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ8964\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ8964" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff835c89758,0x7ff835c89768,0x7ff835c89778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1204 --field-trial-handle=1348,i,4992161621892726172,6797740733212006519,131072 --disable-features=PaintHolding /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1544 --field-trial-handle=1348,i,4992161621892726172,6797740733212006519,131072 --disable-features=PaintHolding /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\fa3fff9f-baea-405f-94a3-dbb5085cdfe4\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\0eac4080-75a0-4a1e-96c5-9d465f01ed7d\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 480
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\c766bd06-e5ea-46c4-a87a-6f33314cf764\build2.exe" & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\74ab17ea-c1ec-41fd-ad3f-af03b6aaa1ec\build2.exe" & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Start-Process <#ffhrannykzixg#> powershell <#ffhrannykzixg#> -Verb <#ffhrannykzixg#> runAs" -WindowStyle hidden -Argument 'Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:SystemDrive -ExclusionExtension .exe, .dll -Force
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\c06c3ffb-3369-4e95-82b0-dd520db1a157\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden Add-MpPreference -ExclusionPath "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe" -Force
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc daily /st 10:26 /f /tn MicrosoftEdgeTask_MTA1 /tr "C:\ProgramData\sY2NsQjNsETOsATOsIDOsUWOsIWOsMDOsU2NsUWO\MTA1.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc daily /st 10:26 /f /tn "AppLaunch" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\3899c8c8-05ea-44e0-97a2-54a68ff44ffc\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.96.0:80 | potunulit.org | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| MX | 201.119.124.228:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.124.119.201.in-addr.arpa | udp |
| MX | 201.119.124.228:80 | colisumy.com | tcp |
| MD | 176.123.9.142:14845 | | tcp |
| US | 8.8.8.8:53 | 142.9.123.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | admaiscont.com.br | udp |
| US | 142.4.24.122:443 | admaiscont.com.br | tcp |
| US | 8.8.8.8:53 | 122.24.4.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 254.217.0.162.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.15.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.14.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us.imgjeoigaa.com | udp |
| HK | 103.100.211.218:80 | us.imgjeoigaa.com | tcp |
| US | 8.8.8.8:53 | 218.211.100.103.in-addr.arpa | udp |
| NL | 194.169.175.233:3003 | 194.169.175.233 | tcp |
| US | 8.8.8.8:53 | 233.175.169.194.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| MX | 201.119.124.228:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | app.nnnaajjjgc.com | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| HK | 154.221.26.108:80 | app.nnnaajjjgc.com | tcp |
| US | 8.8.8.8:53 | 108.26.221.154.in-addr.arpa | udp |
| US | 142.4.24.122:443 | admaiscont.com.br | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | greenbi.net | udp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| US | 8.8.8.8:53 | 163.247.114.200.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| PL | 51.83.170.21:19447 | | tcp |
| US | 8.8.8.8:53 | 21.170.83.51.in-addr.arpa | udp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| PL | 51.83.170.21:19447 | | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| MX | 201.119.124.228:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| US | 8.8.8.8:53 | 159.86.170.181.in-addr.arpa | udp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| MX | 201.119.124.228:80 | colisumy.com | tcp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| MX | 201.119.124.228:80 | colisumy.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| MX | 201.119.124.228:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| MX | 201.119.124.228:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | 36.249.124.192.in-addr.arpa | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| DE | 116.203.166.240:27015 | 116.203.166.240 | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| MX | 201.119.124.228:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | 240.166.203.116.in-addr.arpa | udp |
| MX | 201.119.124.228:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| AR | 181.170.86.159:80 | zexeq.com | tcp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| KR | 211.171.233.126:80 | greenbi.net | tcp |
| US | 8.8.8.8:53 | 80.121.18.2.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 104.85.1.163:80 | www.microsoft.com | tcp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| DE | 116.203.166.240:27015 | 116.203.166.240 | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 126.233.171.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.1.85.104.in-addr.arpa | udp |
| RU | 185.159.129.168:80 | | tcp |
| AR | 200.114.247.163:80 | greenbi.net | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| RU | 185.149.146.118:80 | | tcp |
| RU | 77.91.77.144:80 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.166.240:27015 | 116.203.166.240 | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.166.240:27015 | 116.203.166.240 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.166.240:27015 | 116.203.166.240 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:80 | pastebin.com | tcp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| RU | 46.29.235.84:80 | 46.29.235.84 | tcp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.235.29.46.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.166.240:27015 | 116.203.166.240 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.166.240:27015 | 116.203.166.240 | tcp |
| US | 8.8.8.8:53 | stratum-eu.rplant.xyz | udp |
| FR | 141.94.192.217:17056 | stratum-eu.rplant.xyz | tcp |
| US | 8.8.8.8:53 | 217.192.94.141.in-addr.arpa | udp |
| N/A | 127.0.0.1:19781 | | tcp |
| N/A | 127.0.0.1:19781 | | tcp |
| N/A | 127.0.0.1:19781 | | tcp |
| N/A | 127.0.0.1:19781 | | tcp |
| N/A | 127.0.0.1:19781 | | tcp |
| N/A | 127.0.0.1:19781 | | tcp |
| N/A | 127.0.0.1:19781 | | tcp |
| N/A | 127.0.0.1:19781 | | tcp |
| N/A | 127.0.0.1:19781 | | tcp |
| N/A | 127.0.0.1:19781 | | tcp |
| N/A | 127.0.0.1:19781 | | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
Files
memory/4876-117-0x00000000018E0000-0x00000000018F5000-memory.dmp
memory/4876-118-0x0000000001900000-0x0000000001909000-memory.dmp
memory/4876-119-0x0000000000400000-0x00000000018BC000-memory.dmp
memory/3224-120-0x0000000001320000-0x0000000001336000-memory.dmp
memory/4876-121-0x0000000000400000-0x00000000018BC000-memory.dmp
memory/4876-124-0x0000000001900000-0x0000000001909000-memory.dmp
memory/4876-125-0x00000000018E0000-0x00000000018F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\52B.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Local\Temp\52B.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Local\Temp\720.exe
| MD5 | 17f7648488eccf1bc15957c21184095e |
| SHA1 | 50355744481f0785ce1e5e526b551c76df14cfcc |
| SHA256 | cb477afcbd198374ce7202b93ae88cb3df31b284c7741f9c463a74c41e2a529a |
| SHA512 | d4aca3b92e1e0e2d6a10dd648a116486202a6af4251237e94cc3f44454cc33c56bb16adfed8ed9a9064a3d6db8c1ab3e08563ebf6cc0b0637836aba1ff6e44dc |
C:\Users\Admin\AppData\Local\Temp\720.exe
| MD5 | 17f7648488eccf1bc15957c21184095e |
| SHA1 | 50355744481f0785ce1e5e526b551c76df14cfcc |
| SHA256 | cb477afcbd198374ce7202b93ae88cb3df31b284c7741f9c463a74c41e2a529a |
| SHA512 | d4aca3b92e1e0e2d6a10dd648a116486202a6af4251237e94cc3f44454cc33c56bb16adfed8ed9a9064a3d6db8c1ab3e08563ebf6cc0b0637836aba1ff6e44dc |
memory/4312-138-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4312-139-0x00000000001C0000-0x00000000001F0000-memory.dmp
memory/4312-143-0x0000000074070000-0x000000007475E000-memory.dmp
memory/4312-145-0x00000000009F0000-0x00000000009F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B38.dll
| MD5 | d16e1a094cd60ee92e872bd1e36e7bc4 |
| SHA1 | 2b9ca29faee9bf02d7de06e935a2488cb25b0a10 |
| SHA256 | 1b71e557a515845a84f8270963139dbbd5ec3585abebc38ef009e9d87a0cdcaa |
| SHA512 | 08e397fd67486167396fce5ff63a04789260b55990186caf9d54ec21c58e4009a9608a40a1d9987e92ab4c674782d2f907c3e2570a2f402cb0e182854702562f |
\Users\Admin\AppData\Local\Temp\B38.dll
| MD5 | d16e1a094cd60ee92e872bd1e36e7bc4 |
| SHA1 | 2b9ca29faee9bf02d7de06e935a2488cb25b0a10 |
| SHA256 | 1b71e557a515845a84f8270963139dbbd5ec3585abebc38ef009e9d87a0cdcaa |
| SHA512 | 08e397fd67486167396fce5ff63a04789260b55990186caf9d54ec21c58e4009a9608a40a1d9987e92ab4c674782d2f907c3e2570a2f402cb0e182854702562f |
memory/4768-148-0x0000000000400000-0x0000000000662000-memory.dmp
memory/4768-149-0x0000000000F30000-0x0000000000F36000-memory.dmp
memory/4312-151-0x0000000004B90000-0x0000000005196000-memory.dmp
memory/4312-152-0x00000000051A0000-0x00000000052AA000-memory.dmp
memory/4312-153-0x0000000002620000-0x0000000002632000-memory.dmp
memory/4312-154-0x0000000004B80000-0x0000000004B90000-memory.dmp
memory/4312-155-0x0000000004AA0000-0x0000000004ADE000-memory.dmp
memory/4312-156-0x00000000052B0000-0x00000000052FB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1B56.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Local\Temp\1B56.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/4768-161-0x0000000004D00000-0x0000000004DFB000-memory.dmp
memory/4768-162-0x0000000004E00000-0x0000000004EE2000-memory.dmp
memory/4768-165-0x0000000004E00000-0x0000000004EE2000-memory.dmp
memory/4300-166-0x0000000003450000-0x00000000034E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\52B.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/4316-172-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4316-171-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4316-169-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4768-168-0x0000000004E00000-0x0000000004EE2000-memory.dmp
memory/4300-167-0x00000000036C0000-0x00000000037DB000-memory.dmp
memory/4316-173-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\26B1.exe
| MD5 | 581876e8354366944e7314e953d4b4a3 |
| SHA1 | 4927ec7bc78cd810aa16577df1811da59339f495 |
| SHA256 | 298225300bdb1f35642cd100929640e49155d3a2a7caacc0ddabadbd1480378c |
| SHA512 | 232b5137aa18c097619307993b2b5db9304ff20ab18d2f25051003874057b07c02eb2d20e44c804f278cec39a61a7c219ba7f5ba5df583ac07db5b5f35e35764 |
C:\Users\Admin\AppData\Local\Temp\26B1.exe
| MD5 | 581876e8354366944e7314e953d4b4a3 |
| SHA1 | 4927ec7bc78cd810aa16577df1811da59339f495 |
| SHA256 | 298225300bdb1f35642cd100929640e49155d3a2a7caacc0ddabadbd1480378c |
| SHA512 | 232b5137aa18c097619307993b2b5db9304ff20ab18d2f25051003874057b07c02eb2d20e44c804f278cec39a61a7c219ba7f5ba5df583ac07db5b5f35e35764 |
memory/4312-178-0x0000000074070000-0x000000007475E000-memory.dmp
memory/4312-179-0x00000000053B0000-0x0000000005426000-memory.dmp
memory/4312-180-0x0000000005430000-0x00000000054C2000-memory.dmp
memory/4312-183-0x00000000054D0000-0x00000000059CE000-memory.dmp
memory/4312-184-0x0000000005A10000-0x0000000005A76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2CEC.exe
| MD5 | 00f2d53d4e13ead70fb44c3a7c251675 |
| SHA1 | 5933e3de281fb95625099ef9a788b3cddf48c96a |
| SHA256 | 6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7 |
| SHA512 | 9915af42f02ff5964de413a4c0ae94cb4ba29daf3d9219c1ad529d7240120652fd91677813e4a96966c32eaf8ecd2604aa92363ad0be4b7144de1cba1c59ec7a |
memory/4796-189-0x0000000000240000-0x00000000002FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2CEC.exe
| MD5 | 00f2d53d4e13ead70fb44c3a7c251675 |
| SHA1 | 5933e3de281fb95625099ef9a788b3cddf48c96a |
| SHA256 | 6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7 |
| SHA512 | 9915af42f02ff5964de413a4c0ae94cb4ba29daf3d9219c1ad529d7240120652fd91677813e4a96966c32eaf8ecd2604aa92363ad0be4b7144de1cba1c59ec7a |
memory/4796-191-0x0000000074070000-0x000000007475E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\301A.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
| MD5 | 9c41471456337de6ded08b8c1ea8902d |
| SHA1 | 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba |
| SHA256 | d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b |
| SHA512 | 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc |
memory/4312-204-0x0000000004B80000-0x0000000004B90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\latestplayer.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2204-207-0x00007FF72E0F0000-0x00007FF72E15A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
| MD5 | 9c41471456337de6ded08b8c1ea8902d |
| SHA1 | 2fac2ac9cc8f3ccc6ba1fb3ee85758d9b2ac8eba |
| SHA256 | d4e3a6ec539bb0645ff32de20144d8af9c4e143cb592d9432bbf12ff846ee79b |
| SHA512 | 4284ba92f234000d6b78ac5bb6679d04670eec27001d165314adb30d82cb6c4bb6224fc3da777fc41f26b81664ebb2cff502cb55caf3465240a29d1fbf931efc |
memory/4796-213-0x0000000074070000-0x000000007475E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3480.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
C:\Users\Admin\AppData\Local\dd62e542-db90-4c91-949b-98957eb6d785\52B.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Local\Temp\3953.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4312-231-0x0000000006100000-0x00000000062C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3EF1.dll
| MD5 | 7533fc995dfdb0530daded7c953e9789 |
| SHA1 | 6d3cef576d480ba5e126d0f4fa43484857230a24 |
| SHA256 | 0a7841f5c344e06c75bdb80e774b448b8fc34978b900440ea12f6bb90270523d |
| SHA512 | e96f04137354f9a57f14edf0addcda4ad65b3e8109cffd8c5083e2687a6f189e5a422c588975c412c943290a089de02e6552fd0e48c7370f32a7430836994634 |
memory/4312-233-0x00000000062D0000-0x00000000067FC000-memory.dmp
\Users\Admin\AppData\Local\Temp\3EF1.dll
| MD5 | 7533fc995dfdb0530daded7c953e9789 |
| SHA1 | 6d3cef576d480ba5e126d0f4fa43484857230a24 |
| SHA256 | 0a7841f5c344e06c75bdb80e774b448b8fc34978b900440ea12f6bb90270523d |
| SHA512 | e96f04137354f9a57f14edf0addcda4ad65b3e8109cffd8c5083e2687a6f189e5a422c588975c412c943290a089de02e6552fd0e48c7370f32a7430836994634 |
C:\Users\Admin\AppData\Local\Temp\43B5.exe
| MD5 | 38484b1d577ecf98fed9e4eab2ada142 |
| SHA1 | ece6dc7f8b098151067d66edbbf10a7730bc725b |
| SHA256 | bea60a6d436d1d750f83f0df89dce0367822b76b3c67acfd95ff038870930789 |
| SHA512 | 3bfbed508703dd92e37871b1d4f6475592c17cc9346c3fbd9b1bc3963e2feb0508c364b199ad88ee3a6e7b4c935ef02a0febf98b559be25c93ccefa9fcfc7d9a |
memory/3484-238-0x00000000044E0000-0x0000000004743000-memory.dmp
\Users\Admin\AppData\Local\Temp\3EF1.dll
| MD5 | 7533fc995dfdb0530daded7c953e9789 |
| SHA1 | 6d3cef576d480ba5e126d0f4fa43484857230a24 |
| SHA256 | 0a7841f5c344e06c75bdb80e774b448b8fc34978b900440ea12f6bb90270523d |
| SHA512 | e96f04137354f9a57f14edf0addcda4ad65b3e8109cffd8c5083e2687a6f189e5a422c588975c412c943290a089de02e6552fd0e48c7370f32a7430836994634 |
memory/3484-241-0x00000000044E0000-0x0000000004743000-memory.dmp
memory/3484-242-0x0000000000840000-0x0000000000846000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\482B.exe
| MD5 | 38484b1d577ecf98fed9e4eab2ada142 |
| SHA1 | ece6dc7f8b098151067d66edbbf10a7730bc725b |
| SHA256 | bea60a6d436d1d750f83f0df89dce0367822b76b3c67acfd95ff038870930789 |
| SHA512 | 3bfbed508703dd92e37871b1d4f6475592c17cc9346c3fbd9b1bc3963e2feb0508c364b199ad88ee3a6e7b4c935ef02a0febf98b559be25c93ccefa9fcfc7d9a |
memory/4316-248-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4312-252-0x0000000006A40000-0x0000000006A90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\502B.dll
| MD5 | 7533fc995dfdb0530daded7c953e9789 |
| SHA1 | 6d3cef576d480ba5e126d0f4fa43484857230a24 |
| SHA256 | 0a7841f5c344e06c75bdb80e774b448b8fc34978b900440ea12f6bb90270523d |
| SHA512 | e96f04137354f9a57f14edf0addcda4ad65b3e8109cffd8c5083e2687a6f189e5a422c588975c412c943290a089de02e6552fd0e48c7370f32a7430836994634 |
\Users\Admin\AppData\Local\Temp\502B.dll
| MD5 | 7533fc995dfdb0530daded7c953e9789 |
| SHA1 | 6d3cef576d480ba5e126d0f4fa43484857230a24 |
| SHA256 | 0a7841f5c344e06c75bdb80e774b448b8fc34978b900440ea12f6bb90270523d |
| SHA512 | e96f04137354f9a57f14edf0addcda4ad65b3e8109cffd8c5083e2687a6f189e5a422c588975c412c943290a089de02e6552fd0e48c7370f32a7430836994634 |
memory/2204-257-0x0000000003020000-0x0000000003190000-memory.dmp
memory/1300-259-0x0000000000400000-0x0000000000663000-memory.dmp
memory/1300-260-0x0000000000F30000-0x0000000000F36000-memory.dmp
memory/2204-258-0x0000000003190000-0x00000000032C0000-memory.dmp
memory/4100-264-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4100-267-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4100-268-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5F20.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
C:\Users\Admin\AppData\Local\Temp\1B56.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | a8cfb50a0e434d61c5950c39939c75ab |
| SHA1 | bed51ce8cf805476ca8763e14a8fb83224734587 |
| SHA256 | 418a1bfd833d82ff4c82f9326971c97b57d048413b142dd3268e4192b09f4b67 |
| SHA512 | 4b2dc5c0cf7e3557cd1f9c6e7898915f789c0c45a0573f4ef8775ad473411a0a1c383199a80f9c830f9dd37a65531212cea0cedb60964e4a75fd9dff92171b61 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 03b8e0c649e1b159f81c8e9a756307a9 |
| SHA1 | 9a5aef33f617e0a3f110f58b8cf16439a919e191 |
| SHA256 | e941e84a25b95067e9c6964f1d6573453431c7c1923c18b17e6769b56c20a919 |
| SHA512 | 74588427da3b02ae1c581e4ee2c8178617183dfa2a9d89e769cbfa01505d19dc9fdddc8b2081fe0919f03c6b56a3a8be37493fb10d371609f7f3bb3fbfb1e790 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 91d59ea2f3257a955e2255f336da59bb |
| SHA1 | f138077c1e604bb60062004fa2a4fb0ebbc6be34 |
| SHA256 | d1a14d2fb21738523a59e22ded7d5d14eb4157be7de0791c53398c1c9e3b050a |
| SHA512 | 21ddc22a1831e84bf097de9a637a3e60a82e5f9270200856c26f5d40fe0a7e372a81877746a09ef33bbe7cd4e821fdd1689e5d42c16f824ff3e05dfc4cc22e73 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 8ca6201274773ebf601a0ed91864908c |
| SHA1 | bdd700cfd7ad8e92042c94e691781e576c01e2b5 |
| SHA256 | 06bcbc2011ba55c0066c8656272a55a99df3308cd35ee5ff660553a98138e773 |
| SHA512 | a451fcf767e85d4915a11f90b5bc0230cc9516e9dd51f61e99d30715a19b5aa50462cf6e18ae0218c8d161afd698b9fb647bacd6fd8517b667e94f2c344f8951 |
C:\Users\Admin\AppData\Local\Temp\7161.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/2600-284-0x00000000018E0000-0x00000000018F5000-memory.dmp
C:\Users\Admin\AppData\Local\dd62e542-db90-4c91-949b-98957eb6d785\52B.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/2600-285-0x0000000001940000-0x0000000001949000-memory.dmp
memory/2600-287-0x0000000000400000-0x00000000018BD000-memory.dmp
memory/4100-288-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1B56.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/2204-295-0x0000000003190000-0x00000000032C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\818E.exe
| MD5 | 581876e8354366944e7314e953d4b4a3 |
| SHA1 | 4927ec7bc78cd810aa16577df1811da59339f495 |
| SHA256 | 298225300bdb1f35642cd100929640e49155d3a2a7caacc0ddabadbd1480378c |
| SHA512 | 232b5137aa18c097619307993b2b5db9304ff20ab18d2f25051003874057b07c02eb2d20e44c804f278cec39a61a7c219ba7f5ba5df583ac07db5b5f35e35764 |
memory/3224-296-0x0000000003420000-0x0000000003436000-memory.dmp
memory/2600-299-0x0000000000400000-0x00000000018BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\91CC.exe
| MD5 | 00f2d53d4e13ead70fb44c3a7c251675 |
| SHA1 | 5933e3de281fb95625099ef9a788b3cddf48c96a |
| SHA256 | 6000f428bfd3149bfcab76cbfa53385e71d2c99539b78d2b5e671d4721d6c2c7 |
| SHA512 | 9915af42f02ff5964de413a4c0ae94cb4ba29daf3d9219c1ad529d7240120652fd91677813e4a96966c32eaf8ecd2604aa92363ad0be4b7144de1cba1c59ec7a |
memory/4316-305-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4308-306-0x0000000074070000-0x000000007475E000-memory.dmp
memory/3776-308-0x0000000003690000-0x00000000037AB000-memory.dmp
memory/4316-307-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3776-311-0x00000000034B0000-0x0000000003542000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\52B.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1012-313-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1012-315-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\301A.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
memory/1012-319-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4312-320-0x0000000074070000-0x000000007475E000-memory.dmp
memory/1012-321-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3480.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
memory/4852-324-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4852-326-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4852-327-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4308-328-0x0000000074070000-0x000000007475E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3953.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
memory/1872-331-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1872-332-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1012-334-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1872-333-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\301A.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
memory/5068-335-0x0000000003510000-0x000000000354F000-memory.dmp
memory/5068-339-0x00000000036D0000-0x0000000003708000-memory.dmp
memory/5068-340-0x0000000000400000-0x00000000018D1000-memory.dmp
memory/5068-342-0x0000000005EC0000-0x0000000005ED0000-memory.dmp
C:\Users\Admin\AppData\Roaming\eibbbcg
| MD5 | 581876e8354366944e7314e953d4b4a3 |
| SHA1 | 4927ec7bc78cd810aa16577df1811da59339f495 |
| SHA256 | 298225300bdb1f35642cd100929640e49155d3a2a7caacc0ddabadbd1480378c |
| SHA512 | 232b5137aa18c097619307993b2b5db9304ff20ab18d2f25051003874057b07c02eb2d20e44c804f278cec39a61a7c219ba7f5ba5df583ac07db5b5f35e35764 |
memory/5068-346-0x0000000005EC0000-0x0000000005ED0000-memory.dmp
memory/5068-341-0x00000000038F0000-0x0000000003924000-memory.dmp
memory/5068-348-0x0000000074070000-0x000000007475E000-memory.dmp
memory/5068-350-0x0000000005EC0000-0x0000000005ED0000-memory.dmp
memory/5068-349-0x0000000003730000-0x0000000003736000-memory.dmp
memory/5068-347-0x0000000003380000-0x00000000033A9000-memory.dmp
memory/5068-351-0x0000000005EC0000-0x0000000005ED0000-memory.dmp
memory/3384-352-0x0000000001990000-0x00000000019CF000-memory.dmp
memory/4852-353-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5068-354-0x000000000C1B0000-0x000000000C1FB000-memory.dmp
memory/3384-355-0x0000000000400000-0x00000000018D1000-memory.dmp
memory/3384-358-0x0000000003B50000-0x0000000003B84000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3480.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
memory/3384-361-0x0000000000400000-0x00000000018D1000-memory.dmp
memory/1872-362-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3384-363-0x00000000060A0000-0x00000000060B0000-memory.dmp
memory/1872-367-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3953.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
C:\Users\Admin\AppData\Local\Temp\5F20.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
C:\Users\Admin\AppData\Local\Temp\7161.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Local\Temp\1B56.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Local\Temp\52B.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Local\Temp\5F20.exe
| MD5 | 01071204224ce74dcd3ff25e679643e6 |
| SHA1 | 607e1c0105423dedca930feaa2e00f6a7a30ae16 |
| SHA256 | 8a62e6c8f108bda0af9e621b1ce8403c154243ea7ba6284d72b1cdf34957e508 |
| SHA512 | 4081eb37cc4890c4aec98fa771ba2c7812d3efdaa1520c10014cc902893d5bc11f96ce543ce81b4a2f95921f93c97037bdee91da70d33183442feb3c1b431adc |
C:\Users\Admin\AppData\Local\bowsakkdestx.txt
| MD5 | e3c640eced72a28f10eac99da233d9fd |
| SHA1 | 1d7678afc24a59de1da0bf74126baf3b8540b5b0 |
| SHA256 | 87de9c0701eab8d410954dc4d3e7e6013ca6a0c8a514969418a12c21135f133e |
| SHA512 | bcb94b7ba487784d343961b24107ea17a82f200961505927ef385caeb0684fbbe1a3482b7d0af7f3766b9ec2c4d6236341b50541cf7b1217acdc0a8b5b37e3d7 |
C:\SystemID\PersonalID.txt
| MD5 | 324770a7653f940b6e66d90455f6e1a8 |
| SHA1 | 5b9edb85029710a458f7a77f474721307d2fb738 |
| SHA256 | 9dda9cd8e2b81a8d0d46e39f4495130246582b673b7ddddef4ebecfeeb6bbc30 |
| SHA512 | 48ae3a8b8a45881285ff6117edd0ca42fe2b06b0d868b2d535f82a9c26157d3c434535d91b7a9f33cf3c627bc49e469bf997077edcfff6b83e4d7e30cf9dea23 |
C:\Users\Admin\AppData\Local\3899c8c8-05ea-44e0-97a2-54a68ff44ffc\build2.exe
| MD5 | 5fff52c407b5b46c10416067dac16d62 |
| SHA1 | c2263843ea244e5bd6c403342efaadd0af1c5522 |
| SHA256 | f57210d90101da3bc77c55f813ba64f35dbb6d0db50f71467f18816486b9d6d0 |
| SHA512 | 37a041b7844f19d022adb5ab00e3d3705a8fd605ddc8ce5fe3354f36626a0aa055226b01d0b19bdd5e083d3e25fbf451369975dd54f6acf7ef9bb1d6b15d6352 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\Google\Chrome\User DataJ8964\Default\Network\Cookies
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\42003366795806006903210042
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fs1a2rr3.42q.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | bc202c47461acbe8bef80e143eb3a364 |
| SHA1 | 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634 |
| SHA256 | df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb |
| SHA512 | 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08 |
C:\ProgramData\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
C:\ProgramData\vcruntime140.dll
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\ProgramData\freebl3.dll
| MD5 | 550686c0ee48c386dfcb40199bd076ac |
| SHA1 | ee5134da4d3efcb466081fb6197be5e12a5b22ab |
| SHA256 | edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa |
| SHA512 | 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e |
C:\ProgramData\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
C:\ProgramData\32300636022522781867333621
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
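The dropped-file listing above names the same payload many times: SHA256 3fb65a16... is written as Temp\52B.exe, Temp\1B56.exe, Temp\7161.exe and the persisted copy under Local\dd62e542-...\52B.exe, and SHA256 29822530... as Temp\26B1.exe, Temp\818E.exe and Roaming\eibbbcg. File names from this loader are throwaway; the content hashes are the indicators worth keeping. The Python below is an added example, not part of the report and not the sandbox's own tooling: it parses entries in the layout used here (a path line followed by four "| ALGO | hex |" rows, with memory/PID-seq-range lines interleaved), rejects hash values of the wrong length (a cheap check that a copied indicator was not truncated), groups paths by SHA256 so the aliasing is explicit, and turns the memory-dump lines into per-PID address ranges. The embedded SAMPLE is a constructed excerpt built from entries in this listing, not the complete report.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's own layout: a path line, then four
# "| ALGO | hex |" rows, with memory-dump lines interleaved. Paths and hashes
# are copied from the listing above; this is an excerpt, not the full report.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\52B.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
memory/4316-172-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\26B1.exe
| MD5 | 581876e8354366944e7314e953d4b4a3 |
| SHA1 | 4927ec7bc78cd810aa16577df1811da59339f495 |
| SHA256 | 298225300bdb1f35642cd100929640e49155d3a2a7caacc0ddabadbd1480378c |
| SHA512 | 232b5137aa18c097619307993b2b5db9304ff20ab18d2f25051003874057b07c02eb2d20e44c804f278cec39a61a7c219ba7f5ba5df583ac07db5b5f35e35764 |
memory/4312-178-0x0000000074070000-0x000000007475E000-memory.dmp
C:\Users\Admin\AppData\Local\dd62e542-db90-4c91-949b-98957eb6d785\52B.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Local\Temp\1B56.exe
| MD5 | f179c96ffad1eb6f684d940824a28829 |
| SHA1 | 181804a985b5dc4640ad73a5074bb54a1cf7ab86 |
| SHA256 | 3fb65a1640e5f265b2c67b26d0abd2d0c0d0aad1b933485574c2310f44d00c35 |
| SHA512 | aeb0cbdd969ec57d25aa3e09edea92a3021e1e062762daf3133d66606701b58b7ca66a76229e3cdd77c78ad81838f149319fa5eead38cb5e7b0a2e7c157cd32e |
C:\Users\Admin\AppData\Roaming\eibbbcg
| MD5 | 581876e8354366944e7314e953d4b4a3 |
| SHA1 | 4927ec7bc78cd810aa16577df1811da59339f495 |
| SHA256 | 298225300bdb1f35642cd100929640e49155d3a2a7caacc0ddabadbd1480378c |
| SHA512 | 232b5137aa18c097619307993b2b5db9304ff20ab18d2f25051003874057b07c02eb2d20e44c804f278cec39a61a7c219ba7f5ba5df583ac07db5b5f35e35764 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_report(text):
    """Return (files, dumps): one dict per dropped-file entry, one tuple per memory dump."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # catches truncated or garbled copies
                raise ValueError(f"{algo} for {current['path']} has {len(digest)} hex chars")
            current[algo] = digest
            continue
        current = {"path": line}  # any other line is a path (drive-less ones included)
        files.append(current)
    return files, dumps


def aliased_payloads(files):
    """SHA256 -> sorted paths, for payloads written under more than one name."""
    groups = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            groups[f["SHA256"]].add(f["path"])
    return {h: sorted(p) for h, p in groups.items() if len(p) > 1}


def memory_ranges(dumps):
    """PID -> [(seq, start, size)] in capture order, from the memory-dump lines."""
    by_pid = defaultdict(list)
    for pid, seq, start, end in sorted(dumps):
        by_pid[pid].append((seq, start, end - start))
    return dict(by_pid)


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE)
    for sha256, paths in aliased_payloads(files).items():
        print(sha256, *paths, sep="\n    ")
    print(memory_ranges(dumps))
```

Run on the full listing, the SHA256 keys of aliased_payloads are the set to push to blocklists and retro-hunts; the path strings are only useful as context for where this loader stages and persists its copies. The memory ranges line up with the memory/PID-seq entries in the report, so a dump can be tied back to the process and the capture order in which it was taken.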