Analysis Overview
SHA256
14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2
Threat Level: Known bad
The file 14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
SmokeLoader
Glupteba
Glupteba payload
Vidar
Djvu Ransomware
Detected Djvu ransomware
Amadey
Modifies Windows Firewall
Downloads MZ/PE file
Checks computer location settings
Modifies file permissions
Deletes itself
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Adds Run key to start application
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Program crash
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Checks processor information in registry
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-12 15:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-12 15:00
Reported
2023-10-16 08:25
Platform
win10v2004-20230915-en
Max time kernel
104s
Max time network
161s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\B276.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB30.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B276.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B8A1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C0B0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b0b041b5-151e-4842-8ddf-144d10745f40\\A8DD.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4668 set thread context of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe |
| PID 4848 set thread context of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\AB30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1404 set thread context of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\A8DD.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\AB30.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\A8DD.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\B8A1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\B8A1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\B8A1.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B8A1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe
"C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe"
C:\Users\Admin\AppData\Local\Temp\A8DD.exe
C:\Users\Admin\AppData\Local\Temp\A8DD.exe
C:\Users\Admin\AppData\Local\Temp\AB30.exe
C:\Users\Admin\AppData\Local\Temp\AB30.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AF48.dll
C:\Users\Admin\AppData\Local\Temp\A8DD.exe
C:\Users\Admin\AppData\Local\Temp\A8DD.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\B276.exe
C:\Users\Admin\AppData\Local\Temp\B276.exe
C:\Users\Admin\AppData\Local\Temp\B8A1.exe
C:\Users\Admin\AppData\Local\Temp\B8A1.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AF48.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4848 -ip 4848
C:\Users\Admin\AppData\Local\Temp\C0B0.exe
C:\Users\Admin\AppData\Local\Temp\C0B0.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 148
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b0b041b5-151e-4842-8ddf-144d10745f40" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\A8DD.exe
"C:\Users\Admin\AppData\Local\Temp\A8DD.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\A8DD.exe
"C:\Users\Admin\AppData\Local\Temp\A8DD.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4484 -ip 4484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 568
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\C0B0.exe
"C:\Users\Admin\AppData\Local\Temp\C0B0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 126.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.213.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | wirtshauspost.at | udp |
| KR | 14.33.209.147:80 | wirtshauspost.at | tcp |
| KR | 14.33.209.147:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 147.209.33.14.in-addr.arpa | udp |
| KR | 14.33.209.147:80 | wirtshauspost.at | tcp |
| KR | 14.33.209.147:80 | wirtshauspost.at | tcp |
| KR | 14.33.209.147:80 | wirtshauspost.at | tcp |
| FR | 146.59.161.13:39199 | | tcp |
| US | 8.8.8.8:53 | 13.161.59.146.in-addr.arpa | udp |
| KR | 14.33.209.147:80 | wirtshauspost.at | tcp |
| KR | 14.33.209.147:80 | wirtshauspost.at | tcp |
| KR | 14.33.209.147:80 | wirtshauspost.at | tcp |
| KR | 14.33.209.147:80 | wirtshauspost.at | tcp |
| KR | 14.33.209.147:80 | wirtshauspost.at | tcp |
| KR | 14.33.209.147:80 | wirtshauspost.at | tcp |
| KR | 14.33.209.147:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
memory/1376-1-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/1376-2-0x00000000022F0000-0x00000000022FB000-memory.dmp
memory/1376-3-0x0000000000400000-0x00000000005AF000-memory.dmp
memory/1376-4-0x0000000000400000-0x00000000005AF000-memory.dmp
memory/1376-5-0x00000000007E0000-0x00000000008E0000-memory.dmp
memory/1376-6-0x00000000022F0000-0x00000000022FB000-memory.dmp
memory/3188-7-0x0000000002C00000-0x0000000002C16000-memory.dmp
memory/1376-9-0x0000000000400000-0x00000000005AF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A8DD.exe
| MD5 | b2c45459a0713d87615afcd993544e4f |
| SHA1 | 3d6065263779f06698a7c031da4d13e1ce46cfe0 |
| SHA256 | 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120 |
| SHA512 | ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed |
C:\Users\Admin\AppData\Local\Temp\A8DD.exe
| MD5 | b2c45459a0713d87615afcd993544e4f |
| SHA1 | 3d6065263779f06698a7c031da4d13e1ce46cfe0 |
| SHA256 | 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120 |
| SHA512 | ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed |
C:\Users\Admin\AppData\Local\Temp\AB30.exe
| MD5 | 23aca9b594e0ec61e744a486c34ed0ef |
| SHA1 | 44d7b53c310732634fbf48c2f313505cdb62c6a8 |
| SHA256 | 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61 |
| SHA512 | dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33 |
C:\Users\Admin\AppData\Local\Temp\AB30.exe
| MD5 | 23aca9b594e0ec61e744a486c34ed0ef |
| SHA1 | 44d7b53c310732634fbf48c2f313505cdb62c6a8 |
| SHA256 | 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61 |
| SHA512 | dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33 |
memory/4668-26-0x00000000048D0000-0x000000000496D000-memory.dmp
memory/4668-27-0x0000000004A60000-0x0000000004B7B000-memory.dmp
memory/868-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/868-31-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A8DD.exe
| MD5 | b2c45459a0713d87615afcd993544e4f |
| SHA1 | 3d6065263779f06698a7c031da4d13e1ce46cfe0 |
| SHA256 | 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120 |
| SHA512 | ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed |
memory/768-32-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B276.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\B276.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/868-37-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AF48.dll
| MD5 | fe7facf5c1db2d17313299c58c6e1ca2 |
| SHA1 | 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5 |
| SHA256 | 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b |
| SHA512 | 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060 |
C:\Users\Admin\AppData\Local\Temp\B8A1.exe
| MD5 | e9fb654e3c0663dafa388c2983682485 |
| SHA1 | 155aefc6c6f3127e1a7bd39da961e4806ef67bf5 |
| SHA256 | 416583add0ae54eb87b382e7257fb5e88060304a0130f194678213a901675630 |
| SHA512 | 254bc282c752de00abea74025dae3ee26748ff9c95e8d6eb9e0e4370e44a084e51f44a44f7a0b85941d7e0e82cd2ef98fbaedf7d9392b54c1da83b2c6a452cb4 |
C:\Users\Admin\AppData\Local\Temp\B8A1.exe
| MD5 | e9fb654e3c0663dafa388c2983682485 |
| SHA1 | 155aefc6c6f3127e1a7bd39da961e4806ef67bf5 |
| SHA256 | 416583add0ae54eb87b382e7257fb5e88060304a0130f194678213a901675630 |
| SHA512 | 254bc282c752de00abea74025dae3ee26748ff9c95e8d6eb9e0e4370e44a084e51f44a44f7a0b85941d7e0e82cd2ef98fbaedf7d9392b54c1da83b2c6a452cb4 |
memory/868-45-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C0B0.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Local\Temp\C0B0.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Local\Temp\AF48.dll
| MD5 | fe7facf5c1db2d17313299c58c6e1ca2 |
| SHA1 | 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5 |
| SHA256 | 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b |
| SHA512 | 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060 |
memory/4384-53-0x0000000004CD0000-0x00000000050D2000-memory.dmp
memory/2384-56-0x0000000000B20000-0x0000000000B2C000-memory.dmp
memory/4384-55-0x00000000050E0000-0x00000000059CB000-memory.dmp
memory/408-57-0x0000000000920000-0x000000000092B000-memory.dmp
memory/2384-60-0x0000000000B20000-0x0000000000B2C000-memory.dmp
memory/408-58-0x0000000000400000-0x00000000007CC000-memory.dmp
memory/2384-59-0x0000000000B30000-0x0000000000B31000-memory.dmp
memory/4384-61-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/408-62-0x0000000000AD0000-0x0000000000BD0000-memory.dmp
memory/768-63-0x0000000074380000-0x0000000074B30000-memory.dmp
memory/568-64-0x0000000010000000-0x00000000101E5000-memory.dmp
memory/568-66-0x0000000000A20000-0x0000000000A26000-memory.dmp
memory/2632-68-0x0000000001400000-0x000000000146B000-memory.dmp
memory/3188-69-0x0000000002B80000-0x0000000002B96000-memory.dmp
memory/408-71-0x0000000000400000-0x00000000007CC000-memory.dmp
memory/2632-73-0x0000000001400000-0x000000000146B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2632-107-0x0000000001400000-0x000000000146B000-memory.dmp
memory/4384-106-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\b0b041b5-151e-4842-8ddf-144d10745f40\A8DD.exe
| MD5 | b2c45459a0713d87615afcd993544e4f |
| SHA1 | 3d6065263779f06698a7c031da4d13e1ce46cfe0 |
| SHA256 | 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120 |
| SHA512 | ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/768-113-0x0000000007890000-0x0000000007E34000-memory.dmp
memory/4384-114-0x0000000004CD0000-0x00000000050D2000-memory.dmp
memory/4384-115-0x00000000050E0000-0x00000000059CB000-memory.dmp
memory/768-116-0x00000000073C0000-0x0000000007452000-memory.dmp
memory/4384-117-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/768-118-0x0000000074380000-0x0000000074B30000-memory.dmp
memory/868-120-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A8DD.exe
| MD5 | b2c45459a0713d87615afcd993544e4f |
| SHA1 | 3d6065263779f06698a7c031da4d13e1ce46cfe0 |
| SHA256 | 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120 |
| SHA512 | ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed |
memory/1404-123-0x0000000004870000-0x000000000490A000-memory.dmp
memory/4484-127-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4484-129-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4484-126-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A8DD.exe
| MD5 | b2c45459a0713d87615afcd993544e4f |
| SHA1 | 3d6065263779f06698a7c031da4d13e1ce46cfe0 |
| SHA256 | 5688b2eaa7d5775f61c6b8bfe504e4073358268aef70d962b577a989ef1c3120 |
| SHA512 | ebe27e8fdd636f4d5e4306fb587cfcd3e2049c1a92ed6f25d8b72a5c99923080f316ff0c0ea4a5d665a30d47a1fa2e9d75b5ca2164a1f94a83b6bd0ab57984ed |
memory/4384-131-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/768-134-0x0000000007340000-0x0000000007350000-memory.dmp
memory/568-135-0x00000000024B0000-0x00000000025D3000-memory.dmp
memory/568-136-0x00000000025E0000-0x00000000026E8000-memory.dmp
memory/768-137-0x0000000007570000-0x000000000757A000-memory.dmp
memory/1840-138-0x0000000074380000-0x0000000074B30000-memory.dmp
memory/1840-139-0x00000000028A0000-0x00000000028B0000-memory.dmp
memory/1840-140-0x00000000028F0000-0x0000000002926000-memory.dmp
memory/1840-141-0x0000000005060000-0x0000000005688000-memory.dmp
memory/568-142-0x00000000025E0000-0x00000000026E8000-memory.dmp
memory/1840-143-0x0000000004D80000-0x0000000004DA2000-memory.dmp
memory/1840-145-0x0000000004E20000-0x0000000004E86000-memory.dmp
memory/1840-147-0x0000000004E90000-0x0000000004EF6000-memory.dmp
memory/568-146-0x00000000025E0000-0x00000000026E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fymkaiu1.qvq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/568-153-0x00000000025E0000-0x00000000026E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1840-159-0x0000000005830000-0x0000000005B84000-memory.dmp
memory/1840-160-0x0000000005CD0000-0x0000000005CEE000-memory.dmp
memory/1840-162-0x0000000005F00000-0x0000000005F4C000-memory.dmp
memory/768-163-0x0000000008460000-0x0000000008A78000-memory.dmp
memory/4384-161-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Roaming\fefbjwb
| MD5 | e9fb654e3c0663dafa388c2983682485 |
| SHA1 | 155aefc6c6f3127e1a7bd39da961e4806ef67bf5 |
| SHA256 | 416583add0ae54eb87b382e7257fb5e88060304a0130f194678213a901675630 |
| SHA512 | 254bc282c752de00abea74025dae3ee26748ff9c95e8d6eb9e0e4370e44a084e51f44a44f7a0b85941d7e0e82cd2ef98fbaedf7d9392b54c1da83b2c6a452cb4 |
C:\Users\Admin\AppData\Local\Temp\C0B0.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 72f19202f2d0fe062806684328eed6b7 |
| SHA1 | e7653d34519452c4b25c1608a1c45b0ad55af899 |
| SHA256 | ec94770c4bb38fb683136067017148ee18cacb38cabd3b35282aeede47b79781 |
| SHA512 | e8f075cf48699734aaac51116dc35407e6cf6bda75f4d68b9e82af4f2994c2228a88e2a481b425f37d3c4cfb8bd14fde466363714f6f1ea026beb8b9dd613c57 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d7b75005eca87bff4a93056db1f26266 |
| SHA1 | fcab32d7f3abc6657df902ffd64709c65dbe37f4 |
| SHA256 | 23e4d5dadada1d37cd7dbbb6d561a59f40f3f292686aea8687a7ac73c6c9169e |
| SHA512 | 448822121aa295bfb4d724675833190abc5fe379384211963e0c863f27a60adffa424bad470e20e0ac4e6ff626c2a478c61dcaf5f04cf283b021f640c9dab855 |
C:\Windows\rss\csrss.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 79515db67b044d138393047377e762fc |
| SHA1 | 06d834dd5ab84c7d525b11f8bd5ac546940dc8b6 |
| SHA256 | 12d5cad068cb8d8e26d288a68659ed9e93fc1e47739570aad243133705a6b273 |
| SHA512 | 45a00b218b32e7fc43d87246ecafc13720313581aed10c26fea10e178c652c98d77ea71c374fef0376f0cc089f91c34c66e7f51298794907eaa936bd3c8a4839 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-12 15:00
Reported
2023-10-16 08:21
Platform
win7-20230831-en
Max time kernel
148s
Max time network
125s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Vidar
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D0F5.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB16.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D0F5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D0F5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D0F5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D0F5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D0F5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D0F5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D0F5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4574c3bc-b872-4083-95a7-86a7027d5bc5\\D0F5.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\D0F5.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2700 set thread context of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\D0F5.exe | C:\Users\Admin\AppData\Local\Temp\D0F5.exe |
| PID 2672 set thread context of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\D25D.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1548 set thread context of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\D0F5.exe | C:\Users\Admin\AppData\Local\Temp\D0F5.exe |
| PID 2704 set thread context of 2588 | N/A | C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe | C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe |
| PID 2272 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe | C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe |
| PID 2248 set thread context of 308 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20231016082002.cab | C:\Windows\system32\makecab.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\D25D.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hgtdrtc | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hgtdrtc | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hgtdrtc | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hgtdrtc | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E4E7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe
"C:\Users\Admin\AppData\Local\Temp\14fbf0fe77ba40524b71257012c5175320c5b19c8e1871b03ed0cf24994efeb2_JC.exe"
C:\Users\Admin\AppData\Local\Temp\D0F5.exe
C:\Users\Admin\AppData\Local\Temp\D0F5.exe
C:\Users\Admin\AppData\Local\Temp\D0F5.exe
C:\Users\Admin\AppData\Local\Temp\D0F5.exe
C:\Users\Admin\AppData\Local\Temp\D25D.exe
C:\Users\Admin\AppData\Local\Temp\D25D.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D74E.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\D74E.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\DB16.exe
C:\Users\Admin\AppData\Local\Temp\DB16.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 92
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\4574c3bc-b872-4083-95a7-86a7027d5bc5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\E4E7.exe
C:\Users\Admin\AppData\Local\Temp\E4E7.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\D0F5.exe
"C:\Users\Admin\AppData\Local\Temp\D0F5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\D0F5.exe
"C:\Users\Admin\AppData\Local\Temp\D0F5.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\taskeng.exe
taskeng.exe {8E4EFDAA-F698-4F15-82ED-C10751F89533} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\hgtdrtc
C:\Users\Admin\AppData\Roaming\hgtdrtc
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016082002.log C:\Windows\Logs\CBS\CbsPersist_20231016082002.cab
C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe
"C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe"
C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe
"C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build2.exe"
C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe
"C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe"
C:\Users\Admin\AppData\Local\Temp\E4E7.exe
"C:\Users\Admin\AppData\Local\Temp\E4E7.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe
"C:\Users\Admin\AppData\Local\80cc6076-da93-48b3-9ed6-a8ae4902ed46\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
Files