Analysis Overview
SHA256
5b0a948e001b9578721e1750b85a1ad72b01e262cf24f6fee578a57dcb684547
Threat Level: Known bad
The file 5b0a948e001b9578721e1750b85a1ad72b01e262cf24f6fee578a57dcb684547 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
SmokeLoader
Amadey
RedLine
Djvu Ransomware
Stops running service(s)
Downloads MZ/PE file
Modifies file permissions
Deletes itself
Uses the VBS compiler for execution
Executes dropped EXE
Looks up external IP address via web service
Suspicious use of SetThreadContext
Launches sc.exe
Program crash
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 09:07
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 09:07
Reported
2023-09-10 09:10
Platform
win10-20230831-en
Max time kernel
36s
Max time network
154s
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
RedLine
SmokeLoader
Downloads MZ/PE file
Stops running service(s)
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1325.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15C6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16C1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18A7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1FBC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1325.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Uses the VBS compiler for execution
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3508 set thread context of 608 | N/A | C:\Users\Admin\AppData\Local\Temp\16C1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2108 set thread context of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\18A7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 536 set thread context of 4596 | N/A | C:\Users\Admin\AppData\Local\Temp\1325.exe | C:\Users\Admin\AppData\Local\Temp\1325.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\18A7.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\16C1.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5b0a948e001b9578721e1750b85a1ad72b01e262cf24f6fee578a57dcb684547.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5b0a948e001b9578721e1750b85a1ad72b01e262cf24f6fee578a57dcb684547.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5b0a948e001b9578721e1750b85a1ad72b01e262cf24f6fee578a57dcb684547.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5b0a948e001b9578721e1750b85a1ad72b01e262cf24f6fee578a57dcb684547.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5b0a948e001b9578721e1750b85a1ad72b01e262cf24f6fee578a57dcb684547.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5b0a948e001b9578721e1750b85a1ad72b01e262cf24f6fee578a57dcb684547.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5b0a948e001b9578721e1750b85a1ad72b01e262cf24f6fee578a57dcb684547.exe
"C:\Users\Admin\AppData\Local\Temp\5b0a948e001b9578721e1750b85a1ad72b01e262cf24f6fee578a57dcb684547.exe"
C:\Users\Admin\AppData\Local\Temp\1325.exe
C:\Users\Admin\AppData\Local\Temp\1325.exe
C:\Users\Admin\AppData\Local\Temp\15C6.exe
C:\Users\Admin\AppData\Local\Temp\15C6.exe
C:\Users\Admin\AppData\Local\Temp\16C1.exe
C:\Users\Admin\AppData\Local\Temp\16C1.exe
C:\Users\Admin\AppData\Local\Temp\18A7.exe
C:\Users\Admin\AppData\Local\Temp\18A7.exe
C:\Users\Admin\AppData\Local\Temp\1FBC.exe
C:\Users\Admin\AppData\Local\Temp\1FBC.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 264
C:\Users\Admin\AppData\Local\Temp\1325.exe
C:\Users\Admin\AppData\Local\Temp\1325.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c51cd2fc-f0c3-42dc-885c-439881ce6b85" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\1325.exe
"C:\Users\Admin\AppData\Local\Temp\1325.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\3D38.exe
C:\Users\Admin\AppData\Local\Temp\3D38.exe
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"
C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe"
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\4F1B.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4F1B.dll
C:\Users\Admin\AppData\Local\Temp\1325.exe
"C:\Users\Admin\AppData\Local\Temp\1325.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\58E0.exe
C:\Users\Admin\AppData\Local\Temp\58E0.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\1000063001\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\1000063001\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\669D.exe
C:\Users\Admin\AppData\Local\Temp\669D.exe
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"
C:\Users\Admin\AppData\Local\Temp\3D38.exe
C:\Users\Admin\AppData\Local\Temp\3D38.exe
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\1000064001\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\aafg31.exe"
C:\Users\Admin\AppData\Local\16115f40-551c-49a2-ac56-d9dd3962bae0\build2.exe
"C:\Users\Admin\AppData\Local\16115f40-551c-49a2-ac56-d9dd3962bae0\build2.exe"
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\8EE6.exe
C:\Users\Admin\AppData\Local\Temp\8EE6.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\16115f40-551c-49a2-ac56-d9dd3962bae0\build3.exe
"C:\Users\Admin\AppData\Local\16115f40-551c-49a2-ac56-d9dd3962bae0\build3.exe"
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"
C:\Users\Admin\AppData\Local\Temp\58E0.exe
C:\Users\Admin\AppData\Local\Temp\58E0.exe
C:\Users\Admin\AppData\Local\Temp\3D38.exe
"C:\Users\Admin\AppData\Local\Temp\3D38.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AB87.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AB87.dll
C:\Users\Admin\AppData\Local\Temp\B462.exe
C:\Users\Admin\AppData\Local\Temp\B462.exe
C:\Users\Admin\AppData\Local\Temp\C432.exe
C:\Users\Admin\AppData\Local\Temp\C432.exe
C:\Users\Admin\AppData\Local\16115f40-551c-49a2-ac56-d9dd3962bae0\build2.exe
"C:\Users\Admin\AppData\Local\16115f40-551c-49a2-ac56-d9dd3962bae0\build2.exe"
C:\Users\Admin\AppData\Local\Temp\58E0.exe
"C:\Users\Admin\AppData\Local\Temp\58E0.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\8EE6.exe
C:\Users\Admin\AppData\Local\Temp\8EE6.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\3D38.exe
"C:\Users\Admin\AppData\Local\Temp\3D38.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\EC6C.exe
C:\Users\Admin\AppData\Local\Temp\EC6C.exe
C:\Users\Admin\AppData\Local\Temp\B462.exe
C:\Users\Admin\AppData\Local\Temp\B462.exe
C:\Users\Admin\AppData\Local\Temp\8EE6.exe
"C:\Users\Admin\AppData\Local\Temp\8EE6.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\58E0.exe
"C:\Users\Admin\AppData\Local\Temp\58E0.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D91.dll
C:\Users\Admin\AppData\Local\Temp\B462.exe
"C:\Users\Admin\AppData\Local\Temp\B462.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\3eaab3cf-2a68-4ad2-b5ad-994030e739b0\build2.exe
"C:\Users\Admin\AppData\Local\3eaab3cf-2a68-4ad2-b5ad-994030e739b0\build2.exe"
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\D91.dll
C:\Users\Admin\AppData\Local\3eaab3cf-2a68-4ad2-b5ad-994030e739b0\build3.exe
"C:\Users\Admin\AppData\Local\3eaab3cf-2a68-4ad2-b5ad-994030e739b0\build3.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\EC6C.exe
C:\Users\Admin\AppData\Local\Temp\EC6C.exe
C:\Users\Admin\AppData\Local\Temp\8EE6.exe
"C:\Users\Admin\AppData\Local\Temp\8EE6.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\35f93c64-92c7-42a6-9d8e-1776b85796c4\build2.exe
"C:\Users\Admin\AppData\Local\35f93c64-92c7-42a6-9d8e-1776b85796c4\build2.exe"
C:\Users\Admin\AppData\Local\Temp\B462.exe
"C:\Users\Admin\AppData\Local\Temp\B462.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\35f93c64-92c7-42a6-9d8e-1776b85796c4\build3.exe
"C:\Users\Admin\AppData\Local\35f93c64-92c7-42a6-9d8e-1776b85796c4\build3.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Users\Admin\AppData\Local\3eaab3cf-2a68-4ad2-b5ad-994030e739b0\build2.exe
"C:\Users\Admin\AppData\Local\3eaab3cf-2a68-4ad2-b5ad-994030e739b0\build2.exe"
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Users\Admin\AppData\Local\35f93c64-92c7-42a6-9d8e-1776b85796c4\build2.exe
"C:\Users\Admin\AppData\Local\35f93c64-92c7-42a6-9d8e-1776b85796c4\build2.exe"
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Users\Admin\AppData\Local\Temp\EC6C.exe
"C:\Users\Admin\AppData\Local\Temp\EC6C.exe" --Admin IsNotAutoStart IsNotTask
Network
Files
memory/2560-168-0x0000000008F20000-0x0000000008F30000-memory.dmp
memory/1428-176-0x0000000005640000-0x0000000005663000-memory.dmp
memory/608-177-0x0000000009050000-0x0000000009060000-memory.dmp
memory/2212-179-0x00007FFEFDB30000-0x00007FFEFDD79000-memory.dmp
memory/2212-175-0x00007FFEFEEC0000-0x00007FFEFEF6E000-memory.dmp
memory/608-158-0x000000000E890000-0x000000000E906000-memory.dmp
memory/1428-180-0x0000000005640000-0x0000000005663000-memory.dmp
memory/2212-183-0x00000000008C0000-0x0000000001128000-memory.dmp
memory/2212-185-0x00007FFE80030000-0x00007FFE80031000-memory.dmp
memory/1428-184-0x0000000005640000-0x0000000005663000-memory.dmp
memory/2212-181-0x00007FFE80000000-0x00007FFE80002000-memory.dmp
memory/1428-157-0x0000000005640000-0x0000000005663000-memory.dmp
memory/1428-187-0x0000000005640000-0x0000000005663000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
| MD5 | 07f52cda25a10e6415a09e2ab5c10424 |
| SHA1 | 8bfd738a7d2ecced62d381921a2bfb46bbf00dfe |
| SHA256 | b46eb278ef9b1b5f83b5ef248db0bedd34cddfd570c5206088d3ed30c876abff |
| SHA512 | 9a4f89c4172a917f333b086277b9c78e96a64a372bb235ec3ff22bb689b359337139f375ed2cff5f9d3c3adee82fccaa8b4fdecc8486437a109ce9941edf4f65 |
memory/1428-197-0x0000000005640000-0x0000000005663000-memory.dmp
memory/1980-204-0x00000000024A0000-0x00000000024A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4F1B.dll
| MD5 | 38aa055d1dfe3e422306f799801f93db |
| SHA1 | af7199552eff0434bfa54deeaca286b30e49029c |
| SHA256 | 9b73fdfdf80448f915c6d885bfe67f0907c442bc10959f09ac16121f2c3accdc |
| SHA512 | 3c6602b25a7a69bbd543dd7db51f49a1af573228c6aef5ba954a1f364c29513484945993086a2fb2907606407c868d01c6c910b0d0b99b374e77534418dfcbde |
C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe
| MD5 | b18bb9552c7b72fc4a7a31fbe2dd3c6f |
| SHA1 | fe8acedb9a6781f40ca676e6cfcdd7b1f53b5b29 |
| SHA256 | e0c0dad38a7b96cd4bd4049a100b4c483b5f6cdf8d44c005f6039d294debfec8 |
| SHA512 | 8325ee8b0232052bb7467bcab2d7a3d4f9e0bd403e7d5bf88ab2acf3d1b6382234f4de5bf6e55fc79963117e10abe95574afd1a5b35eeee4b206ac9f8e5faab4 |
memory/1428-209-0x0000000005640000-0x0000000005663000-memory.dmp
memory/2212-205-0x00000000008C0000-0x0000000001128000-memory.dmp
memory/3816-210-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1428-203-0x0000000005640000-0x0000000005663000-memory.dmp
memory/2212-202-0x00000000008C0000-0x0000000001128000-memory.dmp
memory/2212-199-0x00000000008C0000-0x0000000001128000-memory.dmp
memory/1980-201-0x0000000002440000-0x0000000002455000-memory.dmp
memory/2212-195-0x00000000008C0000-0x0000000001128000-memory.dmp
memory/2212-212-0x00000000008C0000-0x0000000001128000-memory.dmp
memory/1428-218-0x0000000005640000-0x0000000005663000-memory.dmp
memory/532-219-0x00007FF6CB460000-0x00007FF6CBE72000-memory.dmp
memory/1428-224-0x0000000005640000-0x0000000005663000-memory.dmp
\Users\Admin\AppData\Local\Temp\4F1B.dll
| MD5 | 38aa055d1dfe3e422306f799801f93db |
| SHA1 | af7199552eff0434bfa54deeaca286b30e49029c |
| SHA256 | 9b73fdfdf80448f915c6d885bfe67f0907c442bc10959f09ac16121f2c3accdc |
| SHA512 | 3c6602b25a7a69bbd543dd7db51f49a1af573228c6aef5ba954a1f364c29513484945993086a2fb2907606407c868d01c6c910b0d0b99b374e77534418dfcbde |
memory/532-228-0x00007FF6CB460000-0x00007FF6CBE72000-memory.dmp
memory/2212-236-0x00007FFF012A0000-0x00007FFF0147B000-memory.dmp
memory/1428-240-0x00000000055C0000-0x00000000055D0000-memory.dmp
memory/664-245-0x00000000007B0000-0x00000000007B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1325.exe
| MD5 | 201b48e8431a7b6189aff6579937bb03 |
| SHA1 | 0421bf1f828ce88ee80e8701d2d219286803ccd2 |
| SHA256 | d324b029ad7df777f804e4e314152c85d32a1f7cf0df8755ad17403bc2d94ba5 |
| SHA512 | 18f0f926ac31458184c397061c8808b102a46c32c0b7bff7a60bc5f0ab598b2438b1fae7705b6bc87f1a2d43cf536e43be3b9ce6330d04e264d17bc284479c3b |
C:\Users\Admin\AppData\Local\Temp\58E0.exe
| MD5 | 4bcdc2cfdf2a2b4040f82d3572be478a |
| SHA1 | 36af6e3e180b56287fa447a3b8809c711d77a869 |
| SHA256 | b19662b4e7ecb6a17d56c17fc85b217958403de0f57433bb0665320a4b0f0276 |
| SHA512 | 8c0546e1987252a7da05bf1b4b82b014815ef4c47e2191b6ec4faebce5defba1b5082cadffd4b5caad201257b95f32d8040169dc1727cd7b6e385ff046786722 |
memory/2212-254-0x00000000008C0000-0x0000000001128000-memory.dmp
memory/1904-259-0x0000000073370000-0x0000000073A5E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\58E0.exe
| MD5 | 4bcdc2cfdf2a2b4040f82d3572be478a |
| SHA1 | 36af6e3e180b56287fa447a3b8809c711d77a869 |
| SHA256 | b19662b4e7ecb6a17d56c17fc85b217958403de0f57433bb0665320a4b0f0276 |
| SHA512 | 8c0546e1987252a7da05bf1b4b82b014815ef4c47e2191b6ec4faebce5defba1b5082cadffd4b5caad201257b95f32d8040169dc1727cd7b6e385ff046786722 |
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
| MD5 | 3f821e69fe1b38097b29ac284016858a |
| SHA1 | 3995cad76f1313243e5c8abce901876638575341 |
| SHA256 | 203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08 |
| SHA512 | 704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7 |
memory/532-232-0x000002877F0C0000-0x000002877F101000-memory.dmp
memory/3816-222-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2212-217-0x00000000008C0000-0x0000000001128000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
| MD5 | 07f52cda25a10e6415a09e2ab5c10424 |
| SHA1 | 8bfd738a7d2ecced62d381921a2bfb46bbf00dfe |
| SHA256 | b46eb278ef9b1b5f83b5ef248db0bedd34cddfd570c5206088d3ed30c876abff |
| SHA512 | 9a4f89c4172a917f333b086277b9c78e96a64a372bb235ec3ff22bb689b359337139f375ed2cff5f9d3c3adee82fccaa8b4fdecc8486437a109ce9941edf4f65 |
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
| MD5 | 07f52cda25a10e6415a09e2ab5c10424 |
| SHA1 | 8bfd738a7d2ecced62d381921a2bfb46bbf00dfe |
| SHA256 | b46eb278ef9b1b5f83b5ef248db0bedd34cddfd570c5206088d3ed30c876abff |
| SHA512 | 9a4f89c4172a917f333b086277b9c78e96a64a372bb235ec3ff22bb689b359337139f375ed2cff5f9d3c3adee82fccaa8b4fdecc8486437a109ce9941edf4f65 |
memory/536-264-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1904-269-0x00000000056B0000-0x00000000056C0000-memory.dmp
memory/1428-276-0x0000000005FE0000-0x0000000005FE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000063001\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 78724fd5de931eb917b1b7780ffe8b6e |
| SHA1 | 35c07e6a8c691074391d777542f1456e6bf77779 |
| SHA256 | 27026282d2170cd2dc30551e302b4615e8a66ba719333fd1b02d2259603bacc7 |
| SHA512 | 3b474205c444d0c62a6df2fdc8a440dbafbb8813d6bcf8d036f4a90b4694e7d6d38c56c7ce8aa4a45aec827227169f5887e526b826bbb9ae5e18dd6b4a215d24 |
C:\Users\Admin\AppData\Local\Temp\1000063001\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 78724fd5de931eb917b1b7780ffe8b6e |
| SHA1 | 35c07e6a8c691074391d777542f1456e6bf77779 |
| SHA256 | 27026282d2170cd2dc30551e302b4615e8a66ba719333fd1b02d2259603bacc7 |
| SHA512 | 3b474205c444d0c62a6df2fdc8a440dbafbb8813d6bcf8d036f4a90b4694e7d6d38c56c7ce8aa4a45aec827227169f5887e526b826bbb9ae5e18dd6b4a215d24 |
C:\Users\Admin\AppData\Local\Temp\1000063001\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 78724fd5de931eb917b1b7780ffe8b6e |
| SHA1 | 35c07e6a8c691074391d777542f1456e6bf77779 |
| SHA256 | 27026282d2170cd2dc30551e302b4615e8a66ba719333fd1b02d2259603bacc7 |
| SHA512 | 3b474205c444d0c62a6df2fdc8a440dbafbb8813d6bcf8d036f4a90b4694e7d6d38c56c7ce8aa4a45aec827227169f5887e526b826bbb9ae5e18dd6b4a215d24 |
C:\Users\Admin\AppData\Local\Temp\669D.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\669D.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | ae5be677e505aec1d2ae6ac82539b2e8 |
| SHA1 | 8b6d31dd6097a32b2f71c134da59f5c6c0cd5d99 |
| SHA256 | 24239d4a210aa645caf5443aa0fabb214776179114e92cbb612ace0a26e3d09e |
| SHA512 | fe526b2b092ff099f3f8f57717913ddbaabc7c26b3b6b8b206185aa5aba71e3ebf3f1e5d5f2eded0cc2fd4f7b428178800dad61b59e7aa9ce75c431e6a1801e8 |
memory/3816-334-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
| MD5 | 3f821e69fe1b38097b29ac284016858a |
| SHA1 | 3995cad76f1313243e5c8abce901876638575341 |
| SHA256 | 203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08 |
| SHA512 | 704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | ee3a3132af64586e0e1e63b380eca341 |
| SHA1 | 2970b8ed84e542958ad1aa26c14dce3d7142d490 |
| SHA256 | 4de407b01fb515fca40f66d9a11262bd1caecc0b1ef3080f1b00207090dfab13 |
| SHA512 | ad52d542f05311a67a2f55dfeeb814bb7cc438524f4f6192e5b6f05caa3a3de8527b1beb0ce6c8d7c164d78d68de9a92506dff741fd65a2f301be22f713a3aa3 |
C:\Users\Admin\AppData\Local\Temp\3D38.exe
| MD5 | 201b48e8431a7b6189aff6579937bb03 |
| SHA1 | 0421bf1f828ce88ee80e8701d2d219286803ccd2 |
| SHA256 | d324b029ad7df777f804e4e314152c85d32a1f7cf0df8755ad17403bc2d94ba5 |
| SHA512 | 18f0f926ac31458184c397061c8808b102a46c32c0b7bff7a60bc5f0ab598b2438b1fae7705b6bc87f1a2d43cf536e43be3b9ce6330d04e264d17bc284479c3b |
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
| MD5 | 07f52cda25a10e6415a09e2ab5c10424 |
| SHA1 | 8bfd738a7d2ecced62d381921a2bfb46bbf00dfe |
| SHA256 | b46eb278ef9b1b5f83b5ef248db0bedd34cddfd570c5206088d3ed30c876abff |
| SHA512 | 9a4f89c4172a917f333b086277b9c78e96a64a372bb235ec3ff22bb689b359337139f375ed2cff5f9d3c3adee82fccaa8b4fdecc8486437a109ce9941edf4f65 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | b48c37414206b33557ce1230461e53ed |
| SHA1 | af289afa0c9ba9044e0db7f77dea94c81f52d3b1 |
| SHA256 | 5497d30f00ca1b434c2736cfc2d86fe8e552f533a52d04c97b3f115c19345504 |
| SHA512 | 74f906a24d12d45bf8f7c45ee1aaeead764d99f22d7852de4893a123742ec0ec35d9e43c1aaf965d8185cba434cc789e82a52d36071acc766896447d57b44ce0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | b1106bbe653510e848dfa6f49af18a23 |
| SHA1 | 87b8a3367adac7ab0d9277ef9e8ea30c1ab923e9 |
| SHA256 | ea4ab5ec549d6676995e0ca33677c6001d19fe37b49970c6862f283f0d966cd4 |
| SHA512 | 645f645fda65f39ffc6a4124e002413637d188f51f5d48d3d968d8dc48b1c4b23e9bb7a94284e2cda41aadfcf0c60803ca776cbdc25da2b74650f2e8fe9a8f29 |
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
| MD5 | f707c4065fde59940edf616bd10a68b4 |
| SHA1 | 0b902805eff88e816eda82c40c9b1765372c2677 |
| SHA256 | ba001dd3e8a57915b05555e0daaef06b8adb4122bdbc358fa4abba382b5dd898 |
| SHA512 | bdca1d7b37b83b12993f4b20e812c5f17ee3686fb2ec73500d6bf3185239687e2011ecf9d4561c0f2dba0a126831e135a2021fa50b4d04c75bd861cad473c6aa |
memory/2212-303-0x00007FFEFEEC0000-0x00007FFEFEF6E000-memory.dmp
memory/1428-306-0x0000000073370000-0x0000000073A5E000-memory.dmp
memory/2212-298-0x00000000008C0000-0x0000000001128000-memory.dmp
memory/1428-285-0x0000000006450000-0x00000000064EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000064001\aafg31.exe
| MD5 | d27a1e32e78580ea15a4cf5119bc2907 |
| SHA1 | ffe9ae4c1622c95eca2eab429b99361d4d7a29fe |
| SHA256 | fc1e3944f18236351bd996c56eb16c45df332a974a8fb5844999d08908f9efc5 |
| SHA512 | bfe39afdebe901f842e58b1e1ccf7fcff091f449471c9fc279b4ca4d47ce7bd9e100a10d8f4f0bd93a4f1bfbe2cf84c6279ba3bcc9240ecc1e4816db108686de |
C:\Users\Admin\AppData\Local\Temp\1000064001\aafg31.exe
| MD5 | d27a1e32e78580ea15a4cf5119bc2907 |
| SHA1 | ffe9ae4c1622c95eca2eab429b99361d4d7a29fe |
| SHA256 | fc1e3944f18236351bd996c56eb16c45df332a974a8fb5844999d08908f9efc5 |
| SHA512 | bfe39afdebe901f842e58b1e1ccf7fcff091f449471c9fc279b4ca4d47ce7bd9e100a10d8f4f0bd93a4f1bfbe2cf84c6279ba3bcc9240ecc1e4816db108686de |
C:\Users\Admin\AppData\Local\Temp\1000064001\aafg31.exe
| MD5 | d27a1e32e78580ea15a4cf5119bc2907 |
| SHA1 | ffe9ae4c1622c95eca2eab429b99361d4d7a29fe |
| SHA256 | fc1e3944f18236351bd996c56eb16c45df332a974a8fb5844999d08908f9efc5 |
| SHA512 | bfe39afdebe901f842e58b1e1ccf7fcff091f449471c9fc279b4ca4d47ce7bd9e100a10d8f4f0bd93a4f1bfbe2cf84c6279ba3bcc9240ecc1e4816db108686de |
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
| MD5 | f707c4065fde59940edf616bd10a68b4 |
| SHA1 | 0b902805eff88e816eda82c40c9b1765372c2677 |
| SHA256 | ba001dd3e8a57915b05555e0daaef06b8adb4122bdbc358fa4abba382b5dd898 |
| SHA512 | bdca1d7b37b83b12993f4b20e812c5f17ee3686fb2ec73500d6bf3185239687e2011ecf9d4561c0f2dba0a126831e135a2021fa50b4d04c75bd861cad473c6aa |
C:\Users\Admin\AppData\Local\16115f40-551c-49a2-ac56-d9dd3962bae0\build2.exe
| MD5 | e43099bbc23b6340d4585fa2335f3b28 |
| SHA1 | a9c28a77eff114229d3b50f4b6e6e5a0e1fb30c7 |
| SHA256 | fc5336b039a9cc8e14d515f338c90a5a404249adab200032324c65f055904255 |
| SHA512 | a31df980c95ab55bad1925eed3a68460f689c63ccc33ea458876aaf3aa16ad8b1272247f806a8ce93c2c8461ad4806a309cf623cbf9f6f9829d9b9db1d3ee3e4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\Temp\8EE6.exe
| MD5 | 201b48e8431a7b6189aff6579937bb03 |
| SHA1 | 0421bf1f828ce88ee80e8701d2d219286803ccd2 |
| SHA256 | d324b029ad7df777f804e4e314152c85d32a1f7cf0df8755ad17403bc2d94ba5 |
| SHA512 | 18f0f926ac31458184c397061c8808b102a46c32c0b7bff7a60bc5f0ab598b2438b1fae7705b6bc87f1a2d43cf536e43be3b9ce6330d04e264d17bc284479c3b |
C:\Users\Admin\AppData\Local\16115f40-551c-49a2-ac56-d9dd3962bae0\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\16115f40-551c-49a2-ac56-d9dd3962bae0\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\16115f40-551c-49a2-ac56-d9dd3962bae0\build2.exe
| MD5 | e43099bbc23b6340d4585fa2335f3b28 |
| SHA1 | a9c28a77eff114229d3b50f4b6e6e5a0e1fb30c7 |
| SHA256 | fc5336b039a9cc8e14d515f338c90a5a404249adab200032324c65f055904255 |
| SHA512 | a31df980c95ab55bad1925eed3a68460f689c63ccc33ea458876aaf3aa16ad8b1272247f806a8ce93c2c8461ad4806a309cf623cbf9f6f9829d9b9db1d3ee3e4 |
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
| MD5 | 3f821e69fe1b38097b29ac284016858a |
| SHA1 | 3995cad76f1313243e5c8abce901876638575341 |
| SHA256 | 203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08 |
| SHA512 | 704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7 |
C:\Users\Admin\AppData\Local\Temp\8EE6.exe
| MD5 | 201b48e8431a7b6189aff6579937bb03 |
| SHA1 | 0421bf1f828ce88ee80e8701d2d219286803ccd2 |
| SHA256 | d324b029ad7df777f804e4e314152c85d32a1f7cf0df8755ad17403bc2d94ba5 |
| SHA512 | 18f0f926ac31458184c397061c8808b102a46c32c0b7bff7a60bc5f0ab598b2438b1fae7705b6bc87f1a2d43cf536e43be3b9ce6330d04e264d17bc284479c3b |
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
| MD5 | 07f52cda25a10e6415a09e2ab5c10424 |
| SHA1 | 8bfd738a7d2ecced62d381921a2bfb46bbf00dfe |
| SHA256 | b46eb278ef9b1b5f83b5ef248db0bedd34cddfd570c5206088d3ed30c876abff |
| SHA512 | 9a4f89c4172a917f333b086277b9c78e96a64a372bb235ec3ff22bb689b359337139f375ed2cff5f9d3c3adee82fccaa8b4fdecc8486437a109ce9941edf4f65 |
C:\Users\Admin\AppData\Local\Temp\58E0.exe
| MD5 | 4bcdc2cfdf2a2b4040f82d3572be478a |
| SHA1 | 36af6e3e180b56287fa447a3b8809c711d77a869 |
| SHA256 | b19662b4e7ecb6a17d56c17fc85b217958403de0f57433bb0665320a4b0f0276 |
| SHA512 | 8c0546e1987252a7da05bf1b4b82b014815ef4c47e2191b6ec4faebce5defba1b5082cadffd4b5caad201257b95f32d8040169dc1727cd7b6e385ff046786722 |
C:\Users\Admin\AppData\Local\Temp\3D38.exe
| MD5 | 201b48e8431a7b6189aff6579937bb03 |
| SHA1 | 0421bf1f828ce88ee80e8701d2d219286803ccd2 |
| SHA256 | d324b029ad7df777f804e4e314152c85d32a1f7cf0df8755ad17403bc2d94ba5 |
| SHA512 | 18f0f926ac31458184c397061c8808b102a46c32c0b7bff7a60bc5f0ab598b2438b1fae7705b6bc87f1a2d43cf536e43be3b9ce6330d04e264d17bc284479c3b |
C:\Users\Admin\AppData\Local\Temp\AB87.dll
| MD5 | 38aa055d1dfe3e422306f799801f93db |
| SHA1 | af7199552eff0434bfa54deeaca286b30e49029c |
| SHA256 | 9b73fdfdf80448f915c6d885bfe67f0907c442bc10959f09ac16121f2c3accdc |
| SHA512 | 3c6602b25a7a69bbd543dd7db51f49a1af573228c6aef5ba954a1f364c29513484945993086a2fb2907606407c868d01c6c910b0d0b99b374e77534418dfcbde |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 9f3632f5955f753e38eb22eb7ac341fd |
| SHA1 | 2bec41a0e848122e6a5208f33598c7df76419fd5 |
| SHA256 | 8abc4fe2aa91864f6b1f872aa74399f94746403795c04d32530a6ed946e7aa37 |
| SHA512 | 35b51b996f3a52e08c3e0f31e393d81e34a7476beab78a9d57661951e76eefe40d1c6ebbbc1b32c44805b093010ab0f5128e52aa1879df178f8ea84346f1bda5 |
\Users\Admin\AppData\Local\Temp\AB87.dll
| MD5 | 38aa055d1dfe3e422306f799801f93db |
| SHA1 | af7199552eff0434bfa54deeaca286b30e49029c |
| SHA256 | 9b73fdfdf80448f915c6d885bfe67f0907c442bc10959f09ac16121f2c3accdc |
| SHA512 | 3c6602b25a7a69bbd543dd7db51f49a1af573228c6aef5ba954a1f364c29513484945993086a2fb2907606407c868d01c6c910b0d0b99b374e77534418dfcbde |
C:\Users\Admin\AppData\Local\Temp\B462.exe
| MD5 | 4bcdc2cfdf2a2b4040f82d3572be478a |
| SHA1 | 36af6e3e180b56287fa447a3b8809c711d77a869 |
| SHA256 | b19662b4e7ecb6a17d56c17fc85b217958403de0f57433bb0665320a4b0f0276 |
| SHA512 | 8c0546e1987252a7da05bf1b4b82b014815ef4c47e2191b6ec4faebce5defba1b5082cadffd4b5caad201257b95f32d8040169dc1727cd7b6e385ff046786722 |
C:\Users\Admin\AppData\Local\Temp\B462.exe
| MD5 | 4bcdc2cfdf2a2b4040f82d3572be478a |
| SHA1 | 36af6e3e180b56287fa447a3b8809c711d77a869 |
| SHA256 | b19662b4e7ecb6a17d56c17fc85b217958403de0f57433bb0665320a4b0f0276 |
| SHA512 | 8c0546e1987252a7da05bf1b4b82b014815ef4c47e2191b6ec4faebce5defba1b5082cadffd4b5caad201257b95f32d8040169dc1727cd7b6e385ff046786722 |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 2c52bde19340ac2c5397f89b66de7d55 |
| SHA1 | afd2935236f771f40d6fb953872d863d1f960cf4 |
| SHA256 | 88b92dde97ae798c8e39026256c3e8ee58388d3bf260b68440f68bb3b509b67a |
| SHA512 | 68b531ff0c00a5299fc48e65bdab438aee841640ffcdac92fdc47e13e4af500832a09c624428be8f878cf530fe73e6545d71ddb2ca8677192bd19a9fca969c37 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\3eaab3cf-2a68-4ad2-b5ad-994030e739b0\build2.exe
| MD5 | e43099bbc23b6340d4585fa2335f3b28 |
| SHA1 | a9c28a77eff114229d3b50f4b6e6e5a0e1fb30c7 |
| SHA256 | fc5336b039a9cc8e14d515f338c90a5a404249adab200032324c65f055904255 |
| SHA512 | a31df980c95ab55bad1925eed3a68460f689c63ccc33ea458876aaf3aa16ad8b1272247f806a8ce93c2c8461ad4806a309cf623cbf9f6f9829d9b9db1d3ee3e4 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0kyu1grz.j3x.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\ProgramData\22266025725784153097415171
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |