Analysis Overview
SHA256
0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54
Threat Level: Known bad
The file 0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54 was found to be: Known bad.
Malicious Activity Summary
Amadey
Djvu Ransomware
Detected Djvu ransomware
SmokeLoader
RedLine
Detect Fabookie payload
Fabookie
Downloads MZ/PE file
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Reads user/profile data of web browsers
Looks up external IP address via web service
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2023-09-13 00:35
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-13 00:35
Reported
2023-09-13 00:38
Platform
win10v2004-20230831-en
Max time kernel
150s
Max time network
151s
Signatures
Amadey
Detect Fabookie payload
Detected Djvu ransomware
Djvu Ransomware
Fabookie
RedLine
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1250.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6075.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\A0D.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\54F8.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\28e02e78-e2df-44d8-bce5-6a5a8bacddc3\\A0D.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\A0D.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1250.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\A0D.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\54F8.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5BEF.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5BEF.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5BEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5BEF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1099.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BA4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe
"C:\Users\Admin\AppData\Local\Temp\0829a409d3b657dd3fc05fae77fe10507b5669a3f6a60746d67151fc53bd5b54.exe"
C:\Users\Admin\AppData\Local\Temp\A0D.exe
C:\Users\Admin\AppData\Local\Temp\A0D.exe
C:\Users\Admin\AppData\Local\Temp\BA4.exe
C:\Users\Admin\AppData\Local\Temp\BA4.exe
C:\Users\Admin\AppData\Local\Temp\D8A.exe
C:\Users\Admin\AppData\Local\Temp\D8A.exe
C:\Users\Admin\AppData\Local\Temp\F11.exe
C:\Users\Admin\AppData\Local\Temp\F11.exe
C:\Users\Admin\AppData\Local\Temp\1099.exe
C:\Users\Admin\AppData\Local\Temp\1099.exe
C:\Users\Admin\AppData\Local\Temp\1250.exe
C:\Users\Admin\AppData\Local\Temp\1250.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1667.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\1667.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\A0D.exe
C:\Users\Admin\AppData\Local\Temp\A0D.exe
C:\Users\Admin\AppData\Local\Temp\1250.exe
C:\Users\Admin\AppData\Local\Temp\1250.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\28e02e78-e2df-44d8-bce5-6a5a8bacddc3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\1250.exe
"C:\Users\Admin\AppData\Local\Temp\1250.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\54F8.exe
C:\Users\Admin\AppData\Local\Temp\54F8.exe
C:\Users\Admin\AppData\Local\Temp\576A.exe
C:\Users\Admin\AppData\Local\Temp\576A.exe
C:\Users\Admin\AppData\Local\Temp\5BEF.exe
C:\Users\Admin\AppData\Local\Temp\5BEF.exe
C:\Users\Admin\AppData\Local\Temp\6075.exe
C:\Users\Admin\AppData\Local\Temp\6075.exe
C:\Users\Admin\AppData\Local\Temp\1250.exe
"C:\Users\Admin\AppData\Local\Temp\1250.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 568
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\A0D.exe
"C:\Users\Admin\AppData\Local\Temp\A0D.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\54F8.exe
C:\Users\Admin\AppData\Local\Temp\54F8.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Users\Admin\AppData\Local\Temp\54F8.exe
"C:\Users\Admin\AppData\Local\Temp\54F8.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\A0D.exe
"C:\Users\Admin\AppData\Local\Temp\A0D.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 380 -ip 380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 568
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\54F8.exe
"C:\Users\Admin\AppData\Local\Temp\54F8.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3784 -ip 3784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 568
C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe"
Network
Files
C:\Users\Admin\AppData\Local\28e02e78-e2df-44d8-bce5-6a5a8bacddc3\A0D.exe
| MD5 | 49b904e73ee16058ca948bf728febd94 |
| SHA1 | 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b |
| SHA256 | bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed |
| SHA512 | 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f |
C:\Users\Admin\AppData\Local\Temp\576A.exe
| MD5 | 3b49ab3a64388ef5be9ecb6c1bfd7bfc |
| SHA1 | 05a45d6c7733aaadff2556a0116fda034649c8ad |
| SHA256 | b31615e595e902a652c76983fe382837e067e0bceb709e2afd92af743bf4984c |
| SHA512 | 85da7ff6946135936c929ad33f46942cc604cb338c1cba299563df3d002dee73bd6d647a9af7325664c7496ec03fc6ef12b03ea43163e4a7746316d55df1e51d |
memory/1200-122-0x0000000004E50000-0x0000000004E60000-memory.dmp
memory/1688-124-0x0000000075060000-0x0000000075810000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\576A.exe
| MD5 | 3b49ab3a64388ef5be9ecb6c1bfd7bfc |
| SHA1 | 05a45d6c7733aaadff2556a0116fda034649c8ad |
| SHA256 | b31615e595e902a652c76983fe382837e067e0bceb709e2afd92af743bf4984c |
| SHA512 | 85da7ff6946135936c929ad33f46942cc604cb338c1cba299563df3d002dee73bd6d647a9af7325664c7496ec03fc6ef12b03ea43163e4a7746316d55df1e51d |
C:\Users\Admin\AppData\Local\Temp\5BEF.exe
| MD5 | 94552b061160d163451a975066161383 |
| SHA1 | 22f28f33e1f7d4574e1961170b1cb0211c6a8fc8 |
| SHA256 | e5c0fee1dc9bc3b97fc9f620bf8ea1c6f23cf7d7129fd19e88bf9de662991523 |
| SHA512 | 3293b4ef5cb5a17f732a762630e6a5f686ccab4bc9c693ba7e0d93c19a8efad769759cb92323f2ebfc0821d6cf9269fca84633dce974469b0b9853c02ac2b48e |
memory/4580-128-0x0000000000400000-0x0000000000537000-memory.dmp
memory/408-132-0x0000000075060000-0x0000000075810000-memory.dmp
memory/1200-133-0x0000000075060000-0x0000000075810000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6075.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/408-140-0x0000000005420000-0x0000000005430000-memory.dmp
memory/4908-143-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1250.exe
| MD5 | 75747bfd55fe1ae1d3cfef6264ec582b |
| SHA1 | 783e5538edcca02d061dd21085097f2d104ea098 |
| SHA256 | abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f |
| SHA512 | 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e |
memory/4908-144-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4908-146-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 7f305d024899e4809fb6f4ae00da304c |
| SHA1 | f88a0812d36e0562ede3732ab511f459a09faff8 |
| SHA256 | 8fe1088ad55d05a3c2149648c8c1ce55862e925580308afe4a4ff6cfb089c769 |
| SHA512 | bc40698582400427cd47cf80dcf39202a74148b69ed179483160b4023368d53301fa12fe6d530d9c7cdfe5f78d19ee87a285681f537950334677f8af8dfeb2ae |
memory/408-155-0x0000000075060000-0x0000000075810000-memory.dmp
memory/4612-157-0x0000000075060000-0x0000000075810000-memory.dmp
memory/4580-158-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A0D.exe
| MD5 | 49b904e73ee16058ca948bf728febd94 |
| SHA1 | 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b |
| SHA256 | bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed |
| SHA512 | 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f |
memory/4612-161-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe
| MD5 | b236b8e5bab2445e09876a88d83a995a |
| SHA1 | 3278af413aad4772a57a4c33418d504f958465d9 |
| SHA256 | ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2 |
| SHA512 | 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5 |
memory/1932-178-0x0000000075060000-0x0000000075810000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe
| MD5 | b236b8e5bab2445e09876a88d83a995a |
| SHA1 | 3278af413aad4772a57a4c33418d504f958465d9 |
| SHA256 | ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2 |
| SHA512 | 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5 |
memory/1496-179-0x00007FF69E760000-0x00007FF69E798000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000070001\aafg31.exe
| MD5 | b236b8e5bab2445e09876a88d83a995a |
| SHA1 | 3278af413aad4772a57a4c33418d504f958465d9 |
| SHA256 | ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2 |
| SHA512 | 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5 |
memory/4856-182-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\54F8.exe
| MD5 | 49b904e73ee16058ca948bf728febd94 |
| SHA1 | 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b |
| SHA256 | bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed |
| SHA512 | 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f |
memory/4856-185-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4856-186-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4792-188-0x00000000020D0000-0x00000000020E5000-memory.dmp
memory/4792-189-0x0000000000400000-0x0000000002081000-memory.dmp
memory/4792-190-0x00000000020F0000-0x00000000020F9000-memory.dmp
memory/4856-194-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\54F8.exe
| MD5 | 49b904e73ee16058ca948bf728febd94 |
| SHA1 | 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b |
| SHA256 | bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed |
| SHA512 | 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f |
memory/4612-198-0x0000000075060000-0x0000000075810000-memory.dmp
memory/1496-202-0x0000000002A60000-0x0000000002BD1000-memory.dmp
memory/4612-201-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
memory/1496-203-0x0000000002BE0000-0x0000000002D11000-memory.dmp
memory/380-208-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A0D.exe
| MD5 | 49b904e73ee16058ca948bf728febd94 |
| SHA1 | 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b |
| SHA256 | bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed |
| SHA512 | 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f |
memory/380-209-0x0000000000400000-0x0000000000537000-memory.dmp
memory/380-211-0x0000000000400000-0x0000000000537000-memory.dmp
memory/708-212-0x00000000026D0000-0x00000000026E6000-memory.dmp
memory/4792-214-0x0000000000400000-0x0000000002081000-memory.dmp
memory/4792-218-0x00000000020D0000-0x00000000020E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4612-220-0x0000000075060000-0x0000000075810000-memory.dmp
memory/3784-223-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\54F8.exe
| MD5 | 49b904e73ee16058ca948bf728febd94 |
| SHA1 | 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b |
| SHA256 | bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed |
| SHA512 | 89c72986ddc8b9d37aa54549bd4ddf923c6f0b98d03a84b6139afc7628ad3b55b9062832ee26d44149d8a9c4dbe1782429c637b4b42a8732ad7ebe54a35d2c0f |
memory/3784-224-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1496-226-0x0000000002BE0000-0x0000000002D11000-memory.dmp
C:\Users\Admin\AppData\Roaming\afvtvej
| MD5 | 94552b061160d163451a975066161383 |
| SHA1 | 22f28f33e1f7d4574e1961170b1cb0211c6a8fc8 |
| SHA256 | e5c0fee1dc9bc3b97fc9f620bf8ea1c6f23cf7d7129fd19e88bf9de662991523 |
| SHA512 | 3293b4ef5cb5a17f732a762630e6a5f686ccab4bc9c693ba7e0d93c19a8efad769759cb92323f2ebfc0821d6cf9269fca84633dce974469b0b9853c02ac2b48e |
C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe
| MD5 | a137245d8bc8109c4bc3df6e2b37d327 |
| SHA1 | ed8973e65b2aacb60683787831de37e7c805fa6c |
| SHA256 | f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee |
| SHA512 | 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2876-247-0x0000000003B40000-0x0000000003B55000-memory.dmp
memory/2876-248-0x0000000003BA0000-0x0000000003BA9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000071001\toolspub2.exe
| MD5 | a137245d8bc8109c4bc3df6e2b37d327 |
| SHA1 | ed8973e65b2aacb60683787831de37e7c805fa6c |
| SHA256 | f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee |
| SHA512 | 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00 |
memory/3368-251-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3368-252-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3368-258-0x0000000000400000-0x0000000000409000-memory.dmp
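The listing above is only useful to a responder once it is collapsed: the same SHA256 appears under several paths (54F8.exe and A0D.exe, 6075.exe and yiueea.exe, 5BEF.exe and afvtvej), and the same 0x400000-0x537000 range is dumped from half a dozen PIDs. The script below is an added example, not part of the sandbox report or its vendor's tooling; it parses the two line shapes used above (memory dump references and the per-file hash tables), groups dropped paths by SHA256 so every copy of one binary is collected together, and reports address ranges that recur across processes. The sample input is an excerpt of the lines above embedded inline (SHA512 rows omitted for brevity); all function names are my own.

```python
import re
from collections import defaultdict

# Excerpt of the dropped-file / memory-dump listing above, embedded as constructed
# sample input so the script runs offline. SHA512 rows are left out to keep it
# short; the parser accepts them when present.
SAMPLE = r"""
memory/1576-79-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1576-82-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\54F8.exe
| MD5 | 49b904e73ee16058ca948bf728febd94 |
| SHA1 | 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b |
| SHA256 | bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed |
C:\Users\Admin\AppData\Local\28e02e78-e2df-44d8-bce5-6a5a8bacddc3\A0D.exe
| MD5 | 49b904e73ee16058ca948bf728febd94 |
| SHA1 | 71e10ccc1f1c5a0d3feeadfb60cdfa1b52981c0b |
| SHA256 | bc87c048051cf764f5607f2e2999f042131fcd8a92ce0e229402eb96dcbdd8ed |
memory/4580-98-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6075.exe
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
C:\Users\Admin\AppData\Local\Temp\5BEF.exe
| SHA256 | e5c0fee1dc9bc3b97fc9f620bf8ea1c6f23cf7d7129fd19e88bf9de662991523 |
C:\Users\Admin\AppData\Roaming\afvtvej
| SHA256 | e5c0fee1dc9bc3b97fc9f620bf8ea1c6f23cf7d7129fd19e88bf9de662991523 |
memory/4792-189-0x0000000000400000-0x0000000002081000-memory.dmp
memory/4792-190-0x00000000020F0000-0x00000000020F9000-memory.dmp
"""

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# | MD5 | <hex> |   (one row per algorithm under a file path)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
# A dropped-file entry starts with a Windows drive path
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_listing(text):
    """Single pass over the listing. Returns (files, regions):
    files   -> [(path, {algo: hexdigest}), ...] in listing order, repeats kept
    regions -> [(pid, start, end), ...] for every memory dump reference"""
    files, regions = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
            current = None  # a hash row after a memory line has no owner
            continue
        if PATH_RE.match(line):
            current = {}
            files.append((line, current))
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
    return files, regions


def alias_groups(files):
    """Group dropped-file paths by SHA256. A group with more than one path is one
    binary written under several names (the second copy is typically the
    persistence location), and all of them must be collected and blocked together."""
    groups = defaultdict(set)
    for path, hashes in files:
        if "SHA256" in hashes:
            groups[hashes["SHA256"]].add(path)
    return {sha: sorted(paths) for sha, paths in groups.items()}


def shared_regions(regions):
    """Map (start, end, size) -> sorted PIDs for ranges dumped from more than one
    process. The same range at the same image base in several PIDs usually means
    one unpacked payload was written into successive child processes."""
    by_range = defaultdict(set)
    for pid, start, end in regions:
        by_range[(start, end, end - start)].add(pid)
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}


def region_sizes(regions):
    """Distinct (pid, start, size) tuples; a small private region (e.g. 0x9000
    bytes) next to a full image in the same PID is worth pulling for shellcode."""
    return sorted({(pid, start, end - start) for pid, start, end in regions})


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for sha, paths in alias_groups(files).items():
        if len(paths) > 1:
            print(f"{sha[:16]}... written as: {', '.join(paths)}")
    for (start, end, size), pids in shared_regions(regions).items():
        print(f"0x{start:08X}-0x{end:08X} ({size:#x} bytes) dumped from PIDs {pids}")
    for pid, start, size in region_sizes(regions):
        print(f"pid {pid}: base 0x{start:08X} size {size:#x}")
```

Feed the full listing to `parse_listing` instead of `SAMPLE` to get the complete alias map; hashing by SHA256 rather than path is what lets an IR team block the binary once rather than chasing each randomized filename.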