Analysis Overview
SHA256
0f68806b946c05c83477b3d93ed9c27b4b3018ef099a03de5824248631996ae0
Threat Level: Known bad
The file 0f68806b946c05c83477b3d93ed9c27b4b3018ef099a03de5824248631996ae0 was found to be: Known bad.
Malicious Activity Summary
Amadey
SmokeLoader
Djvu Ransomware
Detected Djvu ransomware
RedLine
Stops running service(s)
Downloads MZ/PE file
Deletes itself
Modifies file permissions
Executes dropped EXE
Uses the VBS compiler for execution
Looks up external IP address via web service
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 16:47
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 16:47
Reported
2023-09-10 16:50
Platform
win10-20230703-en
Max time kernel
33s
Max time network
154s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
RedLine
SmokeLoader
Downloads MZ/PE file
Stops running service(s)
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EC25.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EE97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EFB1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F262.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EC25.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5EB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Uses the VBS compiler for execution
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3816 set thread context of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\EFB1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3116 set thread context of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\EC25.exe | C:\Users\Admin\AppData\Local\Temp\EC25.exe |
| PID 4572 set thread context of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\F262.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\EFB1.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\F262.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0f68806b946c05c83477b3d93ed9c27b4b3018ef099a03de5824248631996ae0.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0f68806b946c05c83477b3d93ed9c27b4b3018ef099a03de5824248631996ae0.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0f68806b946c05c83477b3d93ed9c27b4b3018ef099a03de5824248631996ae0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f68806b946c05c83477b3d93ed9c27b4b3018ef099a03de5824248631996ae0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f68806b946c05c83477b3d93ed9c27b4b3018ef099a03de5824248631996ae0.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f68806b946c05c83477b3d93ed9c27b4b3018ef099a03de5824248631996ae0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0f68806b946c05c83477b3d93ed9c27b4b3018ef099a03de5824248631996ae0.exe
"C:\Users\Admin\AppData\Local\Temp\0f68806b946c05c83477b3d93ed9c27b4b3018ef099a03de5824248631996ae0.exe"
C:\Users\Admin\AppData\Local\Temp\EC25.exe
C:\Users\Admin\AppData\Local\Temp\EC25.exe
C:\Users\Admin\AppData\Local\Temp\EE97.exe
C:\Users\Admin\AppData\Local\Temp\EE97.exe
C:\Users\Admin\AppData\Local\Temp\EFB1.exe
C:\Users\Admin\AppData\Local\Temp\EFB1.exe
C:\Users\Admin\AppData\Local\Temp\F262.exe
C:\Users\Admin\AppData\Local\Temp\F262.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\EC25.exe
C:\Users\Admin\AppData\Local\Temp\EC25.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 300
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 284
C:\Users\Admin\AppData\Local\Temp\5EB.exe
C:\Users\Admin\AppData\Local\Temp\5EB.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\7eb32eda-136d-4d00-b49d-5f36314ad198" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\F42.exe
C:\Users\Admin\AppData\Local\Temp\F42.exe
C:\Users\Admin\AppData\Local\Temp\EC25.exe
"C:\Users\Admin\AppData\Local\Temp\EC25.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\14C2.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\14C2.dll
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\1BB8.exe
C:\Users\Admin\AppData\Local\Temp\1BB8.exe
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"
C:\Users\Admin\AppData\Local\Temp\2BF5.exe
C:\Users\Admin\AppData\Local\Temp\2BF5.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\F42.exe
C:\Users\Admin\AppData\Local\Temp\F42.exe
C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\EC25.exe
"C:\Users\Admin\AppData\Local\Temp\EC25.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\3FCC.exe
C:\Users\Admin\AppData\Local\Temp\3FCC.exe
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"
C:\Users\Admin\AppData\Local\Temp\1000063001\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\1000063001\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\1BB8.exe
C:\Users\Admin\AppData\Local\Temp\1BB8.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"
C:\Users\Admin\AppData\Local\Temp\F42.exe
"C:\Users\Admin\AppData\Local\Temp\F42.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5941.dll
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\5941.dll
C:\Users\Admin\AppData\Local\Temp\1000064001\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\aafg31.exe"
C:\Users\Admin\AppData\Local\Temp\6538.exe
C:\Users\Admin\AppData\Local\Temp\6538.exe
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
"C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\7343.exe
C:\Users\Admin\AppData\Local\Temp\7343.exe
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
"C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"
C:\Users\Admin\AppData\Local\Temp\3FCC.exe
C:\Users\Admin\AppData\Local\Temp\3FCC.exe
C:\Users\Admin\AppData\Local\480c20de-abb5-4f77-a2d9-e397ecca8a63\build2.exe
"C:\Users\Admin\AppData\Local\480c20de-abb5-4f77-a2d9-e397ecca8a63\build2.exe"
C:\Users\Admin\AppData\Local\Temp\8D92.exe
C:\Users\Admin\AppData\Local\Temp\8D92.exe
C:\Users\Admin\AppData\Local\Temp\F42.exe
"C:\Users\Admin\AppData\Local\Temp\F42.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\6538.exe
C:\Users\Admin\AppData\Local\Temp\6538.exe
C:\Users\Admin\AppData\Local\480c20de-abb5-4f77-a2d9-e397ecca8a63\build3.exe
"C:\Users\Admin\AppData\Local\480c20de-abb5-4f77-a2d9-e397ecca8a63\build3.exe"
C:\Users\Admin\AppData\Local\Temp\1BB8.exe
"C:\Users\Admin\AppData\Local\Temp\1BB8.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9B30.dll
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\9B30.dll
C:\Users\Admin\AppData\Local\Temp\A795.exe
C:\Users\Admin\AppData\Local\Temp\A795.exe
C:\Users\Admin\AppData\Local\Temp\AF66.exe
C:\Users\Admin\AppData\Local\Temp\AF66.exe
C:\Users\Admin\AppData\Local\Temp\8D92.exe
C:\Users\Admin\AppData\Local\Temp\8D92.exe
C:\Users\Admin\AppData\Local\480c20de-abb5-4f77-a2d9-e397ecca8a63\build2.exe
"C:\Users\Admin\AppData\Local\480c20de-abb5-4f77-a2d9-e397ecca8a63\build2.exe"
C:\Users\Admin\AppData\Local\Temp\BAC1.exe
C:\Users\Admin\AppData\Local\Temp\BAC1.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\C60D.exe
C:\Users\Admin\AppData\Local\Temp\C60D.exe
C:\Users\Admin\AppData\Local\Temp\1BB8.exe
"C:\Users\Admin\AppData\Local\Temp\1BB8.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\A795.exe
C:\Users\Admin\AppData\Local\Temp\A795.exe
C:\Users\Admin\AppData\Local\Temp\AF66.exe
C:\Users\Admin\AppData\Local\Temp\AF66.exe
C:\Users\Admin\AppData\Local\Temp\DCD2.exe
C:\Users\Admin\AppData\Local\Temp\DCD2.exe
C:\Users\Admin\AppData\Local\Temp\BAC1.exe
C:\Users\Admin\AppData\Local\Temp\BAC1.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E752.dll
C:\Users\Admin\AppData\Local\Temp\3FCC.exe
"C:\Users\Admin\AppData\Local\Temp\3FCC.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\E752.dll
C:\Users\Admin\AppData\Local\Temp\F3F6.exe
C:\Users\Admin\AppData\Local\Temp\F3F6.exe
C:\Users\Admin\AppData\Local\Temp\DCD2.exe
C:\Users\Admin\AppData\Local\Temp\DCD2.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\6538.exe
"C:\Users\Admin\AppData\Local\Temp\6538.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\3FCC.exe
"C:\Users\Admin\AppData\Local\Temp\3FCC.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\F3F6.exe
C:\Users\Admin\AppData\Local\Temp\F3F6.exe
C:\Users\Admin\AppData\Local\Temp\6538.exe
"C:\Users\Admin\AppData\Local\Temp\6538.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\05363877-bd58-4438-adca-be4955a961f8\build2.exe
"C:\Users\Admin\AppData\Local\05363877-bd58-4438-adca-be4955a961f8\build2.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Users\Admin\AppData\Local\05363877-bd58-4438-adca-be4955a961f8\build2.exe
"C:\Users\Admin\AppData\Local\05363877-bd58-4438-adca-be4955a961f8\build2.exe"
C:\Users\Admin\AppData\Local\05363877-bd58-4438-adca-be4955a961f8\build3.exe
"C:\Users\Admin\AppData\Local\05363877-bd58-4438-adca-be4955a961f8\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Users\Admin\AppData\Local\Temp\8D92.exe
"C:\Users\Admin\AppData\Local\Temp\8D92.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Users\Admin\AppData\Local\Temp\A795.exe
"C:\Users\Admin\AppData\Local\Temp\A795.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Users\Admin\AppData\Local\Temp\8D92.exe
"C:\Users\Admin\AppData\Local\Temp\8D92.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\12c702fb-4a7a-4991-930d-0a952c6407ae\build2.exe
"C:\Users\Admin\AppData\Local\12c702fb-4a7a-4991-930d-0a952c6407ae\build2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Users\Admin\AppData\Local\Temp\AF66.exe
"C:\Users\Admin\AppData\Local\Temp\AF66.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\BAC1.exe
"C:\Users\Admin\AppData\Local\Temp\BAC1.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\480c20de-abb5-4f77-a2d9-e397ecca8a63\build2.exe" & exit
C:\Users\Admin\AppData\Local\12c702fb-4a7a-4991-930d-0a952c6407ae\build3.exe
"C:\Users\Admin\AppData\Local\12c702fb-4a7a-4991-930d-0a952c6407ae\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Network
Files
memory/356-0-0x0000000002560000-0x0000000002575000-memory.dmp
memory/356-1-0x0000000002540000-0x0000000002549000-memory.dmp
memory/356-2-0x0000000000400000-0x0000000002409000-memory.dmp
memory/3292-3-0x0000000001060000-0x0000000001076000-memory.dmp
memory/356-4-0x0000000000400000-0x0000000002409000-memory.dmp
memory/356-7-0x0000000002560000-0x0000000002575000-memory.dmp
memory/356-8-0x0000000002540000-0x0000000002549000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EC25.exe
| MD5 | 2a64053844f57a51b2b4de5a29bef9f0 |
| SHA1 | 257693e819ebba57c76fd1c74bbadc7d376b3629 |
| SHA256 | 179a7e257dd75ff992cee1fe6feb99c26fed8d9835d915b3fd793db205645a61 |
| SHA512 | 53935c0452157abd940b71c0d3dcc8a382d21924f03ecc75377fede96e1f79f45ebbc0d956d03ec32215d75c9a155f6b74f4eddf4519294ee5c5ddc0873ba4af |
C:\Users\Admin\AppData\Local\Temp\EC25.exe
| MD5 | 2a64053844f57a51b2b4de5a29bef9f0 |
| SHA1 | 257693e819ebba57c76fd1c74bbadc7d376b3629 |
| SHA256 | 179a7e257dd75ff992cee1fe6feb99c26fed8d9835d915b3fd793db205645a61 |
| SHA512 | 53935c0452157abd940b71c0d3dcc8a382d21924f03ecc75377fede96e1f79f45ebbc0d956d03ec32215d75c9a155f6b74f4eddf4519294ee5c5ddc0873ba4af |
C:\Users\Admin\AppData\Local\Temp\EE97.exe
| MD5 | ef9c0ff70757e5358e68f3ec2beea1af |
| SHA1 | 7e8e4936e58a6e262e01d4d4940f63461bb2b83f |
| SHA256 | 2b6443a5cf1ba59de6908b9904bdc74848791f74d5dc8a83e73fb7aa40d7242d |
| SHA512 | ed178b62a0084ecd9ac266a763ba3a992398f404220a9bf9c7b4a36b6312f4d14f8a54023f6a2b55cee5cad70ed9b064e4c6f9c97515d21f9c139244bfa55850 |
C:\Users\Admin\AppData\Local\Temp\EE97.exe
| MD5 | ef9c0ff70757e5358e68f3ec2beea1af |
| SHA1 | 7e8e4936e58a6e262e01d4d4940f63461bb2b83f |
| SHA256 | 2b6443a5cf1ba59de6908b9904bdc74848791f74d5dc8a83e73fb7aa40d7242d |
| SHA512 | ed178b62a0084ecd9ac266a763ba3a992398f404220a9bf9c7b4a36b6312f4d14f8a54023f6a2b55cee5cad70ed9b064e4c6f9c97515d21f9c139244bfa55850 |
C:\Users\Admin\AppData\Local\Temp\EFB1.exe
| MD5 | 4d323c42adbee24322f08205a8bc2ea1 |
| SHA1 | aefc450137522cd7b328cc5ef4a965c2f669c0ca |
| SHA256 | 34a601b201a2d537dc63a50e37b9454c57aa60093608cc3e3752c686022cb75a |
| SHA512 | f55fffb8b3d3c8d52d4b0af5c4adbc34df2fa6c43aa41b8bd398b9c77ae80a7c597d2c4ceb13f2a549a0a0244ba99f980c0e849e803374719fbebd10296532ee |
C:\Users\Admin\AppData\Local\Temp\EFB1.exe
| MD5 | 4d323c42adbee24322f08205a8bc2ea1 |
| SHA1 | aefc450137522cd7b328cc5ef4a965c2f669c0ca |
| SHA256 | 34a601b201a2d537dc63a50e37b9454c57aa60093608cc3e3752c686022cb75a |
| SHA512 | f55fffb8b3d3c8d52d4b0af5c4adbc34df2fa6c43aa41b8bd398b9c77ae80a7c597d2c4ceb13f2a549a0a0244ba99f980c0e849e803374719fbebd10296532ee |
memory/3140-24-0x0000000000160000-0x00000000003B2000-memory.dmp
memory/3140-25-0x00000000735C0000-0x0000000073CAE000-memory.dmp
memory/3140-26-0x0000000004BA0000-0x0000000004C18000-memory.dmp
memory/3140-27-0x0000000005120000-0x000000000561E000-memory.dmp
memory/3140-28-0x0000000004CC0000-0x0000000004D52000-memory.dmp
memory/3140-31-0x0000000004D60000-0x00000000050B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F262.exe
| MD5 | 4d323c42adbee24322f08205a8bc2ea1 |
| SHA1 | aefc450137522cd7b328cc5ef4a965c2f669c0ca |
| SHA256 | 34a601b201a2d537dc63a50e37b9454c57aa60093608cc3e3752c686022cb75a |
| SHA512 | f55fffb8b3d3c8d52d4b0af5c4adbc34df2fa6c43aa41b8bd398b9c77ae80a7c597d2c4ceb13f2a549a0a0244ba99f980c0e849e803374719fbebd10296532ee |
memory/3140-34-0x0000000004C90000-0x0000000004CA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F262.exe
| MD5 | 4d323c42adbee24322f08205a8bc2ea1 |
| SHA1 | aefc450137522cd7b328cc5ef4a965c2f669c0ca |
| SHA256 | 34a601b201a2d537dc63a50e37b9454c57aa60093608cc3e3752c686022cb75a |
| SHA512 | f55fffb8b3d3c8d52d4b0af5c4adbc34df2fa6c43aa41b8bd398b9c77ae80a7c597d2c4ceb13f2a549a0a0244ba99f980c0e849e803374719fbebd10296532ee |
memory/1864-35-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3116-40-0x00000000041A0000-0x00000000042BB000-memory.dmp
memory/3116-38-0x0000000004000000-0x0000000004092000-memory.dmp
memory/1864-41-0x00000000735C0000-0x0000000073CAE000-memory.dmp
memory/4384-45-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EC25.exe
| MD5 | 2a64053844f57a51b2b4de5a29bef9f0 |
| SHA1 | 257693e819ebba57c76fd1c74bbadc7d376b3629 |
| SHA256 | 179a7e257dd75ff992cee1fe6feb99c26fed8d9835d915b3fd793db205645a61 |
| SHA512 | 53935c0452157abd940b71c0d3dcc8a382d21924f03ecc75377fede96e1f79f45ebbc0d956d03ec32215d75c9a155f6b74f4eddf4519294ee5c5ddc0873ba4af |
memory/1864-43-0x0000000005650000-0x0000000005656000-memory.dmp
memory/4384-42-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4384-47-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4384-49-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4980-52-0x00000000735C0000-0x0000000073CAE000-memory.dmp
memory/4980-53-0x00000000095A0000-0x0000000009BA6000-memory.dmp
memory/4980-54-0x00000000090A0000-0x00000000091AA000-memory.dmp
memory/4980-55-0x0000000008F00000-0x0000000008F12000-memory.dmp
memory/4980-56-0x0000000008F80000-0x0000000008F90000-memory.dmp
memory/1864-57-0x0000000009660000-0x000000000969E000-memory.dmp
memory/1864-58-0x00000000096F0000-0x0000000009700000-memory.dmp
memory/4980-59-0x0000000008F30000-0x0000000008F7B000-memory.dmp
memory/3140-60-0x00000000735C0000-0x0000000073CAE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5EB.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\5EB.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\7eb32eda-136d-4d00-b49d-5f36314ad198\EC25.exe
| MD5 | 2a64053844f57a51b2b4de5a29bef9f0 |
| SHA1 | 257693e819ebba57c76fd1c74bbadc7d376b3629 |
| SHA256 | 179a7e257dd75ff992cee1fe6feb99c26fed8d9835d915b3fd793db205645a61 |
| SHA512 | 53935c0452157abd940b71c0d3dcc8a382d21924f03ecc75377fede96e1f79f45ebbc0d956d03ec32215d75c9a155f6b74f4eddf4519294ee5c5ddc0873ba4af |
C:\Users\Admin\AppData\Local\Temp\F42.exe
| MD5 | 2a64053844f57a51b2b4de5a29bef9f0 |
| SHA1 | 257693e819ebba57c76fd1c74bbadc7d376b3629 |
| SHA256 | 179a7e257dd75ff992cee1fe6feb99c26fed8d9835d915b3fd793db205645a61 |
| SHA512 | 53935c0452157abd940b71c0d3dcc8a382d21924f03ecc75377fede96e1f79f45ebbc0d956d03ec32215d75c9a155f6b74f4eddf4519294ee5c5ddc0873ba4af |
C:\Users\Admin\AppData\Local\Temp\EC25.exe
| MD5 | 2a64053844f57a51b2b4de5a29bef9f0 |
| SHA1 | 257693e819ebba57c76fd1c74bbadc7d376b3629 |
| SHA256 | 179a7e257dd75ff992cee1fe6feb99c26fed8d9835d915b3fd793db205645a61 |
| SHA512 | 53935c0452157abd940b71c0d3dcc8a382d21924f03ecc75377fede96e1f79f45ebbc0d956d03ec32215d75c9a155f6b74f4eddf4519294ee5c5ddc0873ba4af |
memory/4384-94-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000062001\toolspub2.exe
| MD5 | b18bb9552c7b72fc4a7a31fbe2dd3c6f |
| SHA1 | fe8acedb9a6781f40ca676e6cfcdd7b1f53b5b29 |
| SHA256 | e0c0dad38a7b96cd4bd4049a100b4c483b5f6cdf8d44c005f6039d294debfec8 |
| SHA512 | 8325ee8b0232052bb7467bcab2d7a3d4f9e0bd403e7d5bf88ab2acf3d1b6382234f4de5bf6e55fc79963117e10abe95574afd1a5b35eeee4b206ac9f8e5faab4 |
memory/3140-107-0x0000000005620000-0x000000000564A000-memory.dmp
memory/1864-108-0x00000000735C0000-0x0000000073CAE000-memory.dmp
memory/3140-110-0x0000000004B90000-0x0000000004BA0000-memory.dmp
memory/3140-111-0x0000000005620000-0x0000000005643000-memory.dmp
memory/3140-114-0x0000000005620000-0x0000000005643000-memory.dmp
memory/3140-112-0x0000000005620000-0x0000000005643000-memory.dmp
memory/3140-116-0x0000000005620000-0x0000000005643000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\14C2.dll
| MD5 | 38aa055d1dfe3e422306f799801f93db |
| SHA1 | af7199552eff0434bfa54deeaca286b30e49029c |
| SHA256 | 9b73fdfdf80448f915c6d885bfe67f0907c442bc10959f09ac16121f2c3accdc |
| SHA512 | 3c6602b25a7a69bbd543dd7db51f49a1af573228c6aef5ba954a1f364c29513484945993086a2fb2907606407c868d01c6c910b0d0b99b374e77534418dfcbde |
memory/3140-119-0x0000000005620000-0x0000000005643000-memory.dmp
memory/3140-121-0x0000000005620000-0x0000000005643000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
| MD5 | 056326e85b21ea545d541807e4ccb12c |
| SHA1 | 46151745169296404444671ec9fffa5d92806132 |
| SHA256 | 1d032bff72de616686d39895a680225e47b66930dbe2953432bd82e8b6fd5624 |
| SHA512 | 81999110a5d1f49874cdd8ae31445395f155ff2ae17aae51ede2e2f01dcc1d979306e5780645e1e9d2abff5cab04ce1f7fb30cff94c1484483eeb55b868e2c01 |
memory/3140-129-0x0000000005620000-0x0000000005643000-memory.dmp
memory/3140-131-0x0000000005620000-0x0000000005643000-memory.dmp
memory/3140-133-0x0000000005620000-0x0000000005643000-memory.dmp
\Users\Admin\AppData\Local\Temp\14C2.dll
| MD5 | 38aa055d1dfe3e422306f799801f93db |
| SHA1 | af7199552eff0434bfa54deeaca286b30e49029c |
| SHA256 | 9b73fdfdf80448f915c6d885bfe67f0907c442bc10959f09ac16121f2c3accdc |
| SHA512 | 3c6602b25a7a69bbd543dd7db51f49a1af573228c6aef5ba954a1f364c29513484945993086a2fb2907606407c868d01c6c910b0d0b99b374e77534418dfcbde |
memory/3140-141-0x0000000005620000-0x0000000005643000-memory.dmp
memory/840-144-0x00000000032A0000-0x00000000032A6000-memory.dmp
memory/2268-152-0x0000000004780000-0x00000000047B0000-memory.dmp
memory/1932-150-0x0000000000050000-0x00000000001AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1BB8.exe
| MD5 | 4bcdc2cfdf2a2b4040f82d3572be478a |
| SHA1 | 36af6e3e180b56287fa447a3b8809c711d77a869 |
| SHA256 | b19662b4e7ecb6a17d56c17fc85b217958403de0f57433bb0665320a4b0f0276 |
| SHA512 | 8c0546e1987252a7da05bf1b4b82b014815ef4c47e2191b6ec4faebce5defba1b5082cadffd4b5caad201257b95f32d8040169dc1727cd7b6e385ff046786722 |
memory/3140-151-0x0000000005620000-0x0000000005643000-memory.dmp
memory/840-136-0x0000000010000000-0x0000000010213000-memory.dmp
memory/4980-139-0x00000000735C0000-0x0000000073CAE000-memory.dmp
memory/3140-155-0x0000000005620000-0x0000000005643000-memory.dmp
memory/3140-159-0x0000000005620000-0x0000000005643000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
| MD5 | 3f821e69fe1b38097b29ac284016858a |
| SHA1 | 3995cad76f1313243e5c8abce901876638575341 |
| SHA256 | 203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08 |
| SHA512 | 704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7 |
memory/3140-174-0x0000000005620000-0x0000000005643000-memory.dmp
memory/1932-176-0x0000000000050000-0x00000000001AC000-memory.dmp
memory/3140-180-0x0000000005620000-0x0000000005643000-memory.dmp
memory/2268-184-0x0000000008C80000-0x0000000008C86000-memory.dmp
memory/3140-185-0x0000000005620000-0x0000000005643000-memory.dmp
memory/1016-186-0x0000000001080000-0x00000000018E8000-memory.dmp
memory/2268-182-0x00000000735C0000-0x0000000073CAE000-memory.dmp
memory/3140-188-0x0000000005620000-0x0000000005643000-memory.dmp
memory/1016-191-0x00007FFF12FE0000-0x00007FFF1308E000-memory.dmp
memory/1016-193-0x00007FFF11350000-0x00007FFF11599000-memory.dmp
memory/3140-190-0x0000000005620000-0x0000000005643000-memory.dmp
memory/1864-178-0x00000000096F0000-0x0000000009700000-memory.dmp
memory/4980-171-0x0000000008F80000-0x0000000008F90000-memory.dmp
memory/3140-168-0x0000000005620000-0x0000000005643000-memory.dmp
memory/3140-194-0x0000000005620000-0x0000000005643000-memory.dmp
memory/1016-195-0x00007FFF00030000-0x00007FFF00031000-memory.dmp
memory/3140-198-0x0000000005620000-0x0000000005643000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2BF5.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2268-206-0x0000000008CC0000-0x0000000008CD0000-memory.dmp
memory/3140-207-0x0000000005620000-0x0000000005643000-memory.dmp
memory/1016-209-0x0000000001080000-0x00000000018E8000-memory.dmp
memory/3140-210-0x0000000005620000-0x0000000005643000-memory.dmp
memory/1016-205-0x0000000001080000-0x00000000018E8000-memory.dmp
memory/1016-197-0x00007FFF12FE0000-0x00007FFF1308E000-memory.dmp
memory/1016-201-0x00007FFF00000000-0x00007FFF00002000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
| MD5 | 07f52cda25a10e6415a09e2ab5c10424 |
| SHA1 | 8bfd738a7d2ecced62d381921a2bfb46bbf00dfe |
| SHA256 | b46eb278ef9b1b5f83b5ef248db0bedd34cddfd570c5206088d3ed30c876abff |
| SHA512 | 9a4f89c4172a917f333b086277b9c78e96a64a372bb235ec3ff22bb689b359337139f375ed2cff5f9d3c3adee82fccaa8b4fdecc8486437a109ce9941edf4f65 |
memory/3140-233-0x0000000004B90000-0x0000000004BA0000-memory.dmp
memory/3140-234-0x0000000005650000-0x0000000005651000-memory.dmp
memory/3140-237-0x0000000005AC0000-0x0000000005B5C000-memory.dmp
memory/1016-239-0x0000000001080000-0x00000000018E8000-memory.dmp
memory/324-244-0x0000000002510000-0x0000000002519000-memory.dmp
memory/3140-251-0x00000000735C0000-0x0000000073CAE000-memory.dmp
memory/324-248-0x0000000002530000-0x0000000002545000-memory.dmp
memory/1016-241-0x00007FFF14E30000-0x00007FFF1500B000-memory.dmp
memory/208-254-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4612-255-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4244-259-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2268-263-0x00000000735C0000-0x0000000073CAE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3FCC.exe
| MD5 | 2a64053844f57a51b2b4de5a29bef9f0 |
| SHA1 | 257693e819ebba57c76fd1c74bbadc7d376b3629 |
| SHA256 | 179a7e257dd75ff992cee1fe6feb99c26fed8d9835d915b3fd793db205645a61 |
| SHA512 | 53935c0452157abd940b71c0d3dcc8a382d21924f03ecc75377fede96e1f79f45ebbc0d956d03ec32215d75c9a155f6b74f4eddf4519294ee5c5ddc0873ba4af |
memory/1016-275-0x00007FFF12FE0000-0x00007FFF1308E000-memory.dmp
memory/1016-282-0x00007FFF11350000-0x00007FFF11599000-memory.dmp
memory/4216-283-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1700-287-0x00007FF7F6AD0000-0x00007FF7F74E2000-memory.dmp
memory/208-291-0x0000000009150000-0x0000000009160000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000063001\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 78724fd5de931eb917b1b7780ffe8b6e |
| SHA1 | 35c07e6a8c691074391d777542f1456e6bf77779 |
| SHA256 | 27026282d2170cd2dc30551e302b4615e8a66ba719333fd1b02d2259603bacc7 |
| SHA512 | 3b474205c444d0c62a6df2fdc8a440dbafbb8813d6bcf8d036f4a90b4694e7d6d38c56c7ce8aa4a45aec827227169f5887e526b826bbb9ae5e18dd6b4a215d24 |
memory/1016-274-0x0000000001080000-0x00000000018E8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 044996fc7318be7859d86bde9121c316 |
| SHA1 | 36f3130bfae55c1bbe1fb861aa2da38fc36988cc |
| SHA256 | 88255269a6e61a1c92417ef6f5cc2352caadc49a74e6e7944290015be09da38f |
| SHA512 | 46d06ec14b072da8136056dc3771b1120e0c033e79265539252461893f08ffd65e081a4aff1c281b5af24a04442e468da7014380561429e9b00a55e3a1d55af3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 8cb8f90ec602fd3a3e719cb78d8c7cce |
| SHA1 | cdf764f8683ff175fb19bb0ed9e8765e28033e3b |
| SHA256 | da35784b211cae7f4696f5b33b9b2ba9295bfa1016ad92ed28a3d588c1c84651 |
| SHA512 | 939433b40ad73f85b50268616a1717dc3be47087450d7682b4dab5a657a4279a9a61d706b5e6fc24183995a27ab0803d704e0f2fde6e450d3b05d8b4c0bd6395 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 4c75b60cdc40db62d44e775b48e97b75 |
| SHA1 | e67679604df5b958431fd53b47ae9849e9508fb7 |
| SHA256 | b65c9e035614e8d07bdccb7933c3fb2f07ee8e9caff228d81f5ccc584bc871ee |
| SHA512 | c329cc6204ba0d76ef89a00e7a05a0c67df0cd022ad29442f05328dc76c0de068d40eb9e2c304bba42f43c66d7e28b470a01c43139472fa858690e09b670d88f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | b48c37414206b33557ce1230461e53ed |
| SHA1 | af289afa0c9ba9044e0db7f77dea94c81f52d3b1 |
| SHA256 | 5497d30f00ca1b434c2736cfc2d86fe8e552f533a52d04c97b3f115c19345504 |
| SHA512 | 74f906a24d12d45bf8f7c45ee1aaeead764d99f22d7852de4893a123742ec0ec35d9e43c1aaf965d8185cba434cc789e82a52d36071acc766896447d57b44ce0 |
memory/208-261-0x00000000052B0000-0x00000000052B6000-memory.dmp
memory/208-257-0x00000000735C0000-0x0000000073CAE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5941.dll
| MD5 | 38aa055d1dfe3e422306f799801f93db |
| SHA1 | af7199552eff0434bfa54deeaca286b30e49029c |
| SHA256 | 9b73fdfdf80448f915c6d885bfe67f0907c442bc10959f09ac16121f2c3accdc |
| SHA512 | 3c6602b25a7a69bbd543dd7db51f49a1af573228c6aef5ba954a1f364c29513484945993086a2fb2907606407c868d01c6c910b0d0b99b374e77534418dfcbde |
C:\Users\Admin\AppData\Local\Temp\1000064001\aafg31.exe
| MD5 | d27a1e32e78580ea15a4cf5119bc2907 |
| SHA1 | ffe9ae4c1622c95eca2eab429b99361d4d7a29fe |
| SHA256 | fc1e3944f18236351bd996c56eb16c45df332a974a8fb5844999d08908f9efc5 |
| SHA512 | bfe39afdebe901f842e58b1e1ccf7fcff091f449471c9fc279b4ca4d47ce7bd9e100a10d8f4f0bd93a4f1bfbe2cf84c6279ba3bcc9240ecc1e4816db108686de |
\Users\Admin\AppData\Local\Temp\5941.dll
| MD5 | 38aa055d1dfe3e422306f799801f93db |
| SHA1 | af7199552eff0434bfa54deeaca286b30e49029c |
| SHA256 | 9b73fdfdf80448f915c6d885bfe67f0907c442bc10959f09ac16121f2c3accdc |
| SHA512 | 3c6602b25a7a69bbd543dd7db51f49a1af573228c6aef5ba954a1f364c29513484945993086a2fb2907606407c868d01c6c910b0d0b99b374e77534418dfcbde |
C:\Users\Admin\AppData\Local\Temp\6538.exe
| MD5 | 4bcdc2cfdf2a2b4040f82d3572be478a |
| SHA1 | 36af6e3e180b56287fa447a3b8809c711d77a869 |
| SHA256 | b19662b4e7ecb6a17d56c17fc85b217958403de0f57433bb0665320a4b0f0276 |
| SHA512 | 8c0546e1987252a7da05bf1b4b82b014815ef4c47e2191b6ec4faebce5defba1b5082cadffd4b5caad201257b95f32d8040169dc1727cd7b6e385ff046786722 |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 8719dae71b8c9083156d7578a161395d |
| SHA1 | 108acd2720b97d786955d7c924fa2e938b71d401 |
| SHA256 | 52a135816ef2ae8d01283c7f16548ea7ed0f49315146084ef5feaf8d07e57d00 |
| SHA512 | 2a0f86adb2a6c1f13d6ea7840ae6d0b323bdd49eb201ac215acb71e063295cd7039908b345466e84d6ee4777721861cb91b87ec9002fe25fb675636f5ebfe660 |
C:\Users\Admin\AppData\Local\Temp\7343.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\480c20de-abb5-4f77-a2d9-e397ecca8a63\build2.exe
| MD5 | e43099bbc23b6340d4585fa2335f3b28 |
| SHA1 | a9c28a77eff114229d3b50f4b6e6e5a0e1fb30c7 |
| SHA256 | fc5336b039a9cc8e14d515f338c90a5a404249adab200032324c65f055904255 |
| SHA512 | a31df980c95ab55bad1925eed3a68460f689c63ccc33ea458876aaf3aa16ad8b1272247f806a8ce93c2c8461ad4806a309cf623cbf9f6f9829d9b9db1d3ee3e4 |
C:\Users\Admin\AppData\Local\Temp\8D92.exe
| MD5 | 2a64053844f57a51b2b4de5a29bef9f0 |
| SHA1 | 257693e819ebba57c76fd1c74bbadc7d376b3629 |
| SHA256 | 179a7e257dd75ff992cee1fe6feb99c26fed8d9835d915b3fd793db205645a61 |
| SHA512 | 53935c0452157abd940b71c0d3dcc8a382d21924f03ecc75377fede96e1f79f45ebbc0d956d03ec32215d75c9a155f6b74f4eddf4519294ee5c5ddc0873ba4af |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\Temp\BAC1.exe
| MD5 | b0475c2ee7b9c7f2ed5a8d6d8a8c4b5d |
| SHA1 | 18845f37a2ffa83d62eed48f608019b1200f5ee2 |
| SHA256 | a1bd0fa8ada1da0181b8d108ca72a41795b55060613e0182f2cbbc592f857f46 |
| SHA512 | 6b860b7e7ed3f2e459e825df5e4c7d2e571c1b6dd922d8b57aeda1842463f66742e7365687ec45bc348efdde27441960f04e42b94e796fa80ef9383a7ad0cc47 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ec5y041.1j0.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\05363877-bd58-4438-adca-be4955a961f8\build2.exe
| MD5 | e43099bbc23b6340d4585fa2335f3b28 |
| SHA1 | a9c28a77eff114229d3b50f4b6e6e5a0e1fb30c7 |
| SHA256 | fc5336b039a9cc8e14d515f338c90a5a404249adab200032324c65f055904255 |
| SHA512 | a31df980c95ab55bad1925eed3a68460f689c63ccc33ea458876aaf3aa16ad8b1272247f806a8ce93c2c8461ad4806a309cf623cbf9f6f9829d9b9db1d3ee3e4 |