Analysis Overview
SHA256
ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6
Threat Level: Known bad
The file e6f506f57365deb1b24b84eafbd9271f.exe was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Ammyy Admin
FlawedAmmyy RAT
Detect rhadamanthys stealer shellcode
Suspicious use of NtCreateUserProcessOtherParentProcess
SmokeLoader
AmmyyAdmin payload
Phobos
Deletes shadow copies
Modifies boot configuration data using bcdedit
Renames multiple (81) files with added filename extension
Renames multiple (67) files with added filename extension
Deletes backup catalog
Modifies Windows Firewall
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Drops startup file
Deletes itself
Reads user/profile data of web browsers
Checks computer location settings
Accesses Microsoft Outlook profiles
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Interacts with shadow copies
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious behavior: MapViewOfSection
outlook_win_path
Suspicious use of UnmapMainImage
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-13 03:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-13 03:54
Reported
2023-10-18 03:22
Platform
win7-20230831-en
Max time kernel
141s
Max time network
181s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
FlawedAmmyy RAT
Phobos
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3068 created 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | C:\Windows\Explorer.EXE |
Deletes shadow copies
Renames multiple (81) files with added filename extension
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\33AE.exe | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\362E.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\33AE = "C:\\Users\\Admin\\AppData\\Local\\33AE.exe" | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\33AE = "C:\\Users\\Admin\\AppData\\Local\\33AE.exe" | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2180306848-1874213455-4093218721-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2180306848-1874213455-4093218721-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1760 set thread context of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe |
| PID 996 set thread context of 592 | N/A | C:\Users\Admin\AppData\Local\Microsoft\-cV].exe | C:\Users\Admin\AppData\Local\Microsoft\-cV].exe |
| PID 856 set thread context of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\33AE.exe | C:\Users\Admin\AppData\Local\Temp\33AE.exe |
| PID 2116 set thread context of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\33AE.exe | C:\Users\Admin\AppData\Local\Temp\33AE.exe |
| PID 2660 set thread context of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\362E.exe | C:\Users\Admin\AppData\Local\Temp\362E.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\net.dll | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_ja_4.4.0.v20140623020002.jar.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_zh_CN.jar.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\va.txt | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\it-IT\DVDMaker.exe.mui | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\tr.pak.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Palmer | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Copenhagen | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Mendoza.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties.id[61E71460-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9YDT | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\-cV].exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\-cV].exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\-cV].exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\-cV].exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\362E.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33AE.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
"C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe"
C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
C:\Users\Admin\AppData\Local\Microsoft\-cV].exe
"C:\Users\Admin\AppData\Local\Microsoft\-cV].exe"
C:\Users\Admin\AppData\Local\Microsoft\-cV].exe
C:\Users\Admin\AppData\Local\Microsoft\-cV].exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
"C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe"
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
C:\Users\Admin\AppData\Local\Temp\33AE.exe
C:\Users\Admin\AppData\Local\Temp\33AE.exe
C:\Users\Admin\AppData\Local\Temp\33AE.exe
C:\Users\Admin\AppData\Local\Temp\33AE.exe
C:\Users\Admin\AppData\Local\Temp\362E.exe
C:\Users\Admin\AppData\Local\Temp\362E.exe
C:\Users\Admin\AppData\Local\Temp\33AE.exe
"C:\Users\Admin\AppData\Local\Temp\33AE.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\33AE.exe
C:\Users\Admin\AppData\Local\Temp\33AE.exe
C:\Users\Admin\AppData\Local\Temp\33AE.exe
C:\Users\Admin\AppData\Local\Temp\33AE.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe -debug
C:\Users\Admin\AppData\Local\Temp\362E.exe
"C:\Users\Admin\AppData\Local\Temp\362E.exe"
C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\7E44.tmp\aa_nts.dll",run
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | amxt25.xyz | udp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| US | 8.8.8.8:53 | servermlogs27.xyz | udp |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| US | 8.8.8.8:53 | zamned17.xyz | udp |
| DE | 5.182.207.92:80 | zamned17.xyz | tcp |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | tcp | |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| US | 8.8.8.8:53 | www.ammyy.com | udp |
| DE | 136.243.18.118:80 | www.ammyy.com | tcp |
| DE | 136.243.18.118:443 | www.ammyy.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
Files
memory/1760-0-0x00000000013C0000-0x000000000143C000-memory.dmp
memory/1760-1-0x0000000074A90000-0x000000007517E000-memory.dmp
memory/1760-2-0x0000000000D10000-0x0000000000D88000-memory.dmp
memory/1760-3-0x0000000000D90000-0x0000000000DD0000-memory.dmp
memory/1760-4-0x0000000001140000-0x00000000011A8000-memory.dmp
memory/1760-5-0x0000000000670000-0x00000000006BC000-memory.dmp
memory/3068-6-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3068-7-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3068-8-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3068-9-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3068-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3068-12-0x0000000000400000-0x0000000000473000-memory.dmp
memory/1760-14-0x0000000074A90000-0x000000007517E000-memory.dmp
memory/3068-15-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3068-16-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3068-17-0x00000000000E0000-0x00000000000E7000-memory.dmp
memory/3068-18-0x0000000000CB0000-0x00000000010B0000-memory.dmp
memory/3068-20-0x0000000000CB0000-0x00000000010B0000-memory.dmp
memory/3068-21-0x0000000000CB0000-0x00000000010B0000-memory.dmp
memory/2676-22-0x0000000000060000-0x0000000000063000-memory.dmp
memory/2676-23-0x0000000000060000-0x0000000000063000-memory.dmp
memory/3068-25-0x0000000000200000-0x0000000000236000-memory.dmp
memory/3068-24-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3068-33-0x0000000000CB0000-0x00000000010B0000-memory.dmp
memory/3068-32-0x0000000000CB0000-0x00000000010B0000-memory.dmp
memory/3068-31-0x0000000000200000-0x0000000000236000-memory.dmp
memory/3068-34-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3068-35-0x0000000000CB0000-0x00000000010B0000-memory.dmp
memory/2676-37-0x00000000002A0000-0x00000000002A7000-memory.dmp
memory/2676-38-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2676-39-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2676-40-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2676-41-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2676-43-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2676-47-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2676-46-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2676-45-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2676-48-0x0000000077890000-0x0000000077A39000-memory.dmp
memory/2676-49-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2676-50-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2676-51-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2676-52-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2676-53-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\-cV].exe
| MD5 | 4a97cfd7be5c68006c2e09dd71343ecd |
| SHA1 | db5d13f2768a73eb8f72fe08575c9911b49abfc5 |
| SHA256 | 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e |
| SHA512 | a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9 |
memory/996-58-0x0000000074910000-0x0000000074FFE000-memory.dmp
memory/996-57-0x0000000000EF0000-0x0000000000F58000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\-cV].exe
| MD5 | 4a97cfd7be5c68006c2e09dd71343ecd |
| SHA1 | db5d13f2768a73eb8f72fe08575c9911b49abfc5 |
| SHA256 | 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e |
| SHA512 | a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9 |
memory/996-60-0x0000000000280000-0x00000000002C4000-memory.dmp
memory/2676-62-0x0000000077890000-0x0000000077A39000-memory.dmp
memory/996-63-0x0000000004910000-0x0000000004950000-memory.dmp
memory/996-61-0x0000000000350000-0x0000000000382000-memory.dmp
memory/592-64-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1568-68-0x0000000001390000-0x00000000013D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/1568-70-0x0000000000530000-0x000000000056E000-memory.dmp
memory/592-69-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1568-72-0x0000000074910000-0x0000000074FFE000-memory.dmp
memory/1568-75-0x0000000000570000-0x000000000059C000-memory.dmp
memory/1568-74-0x0000000001300000-0x0000000001340000-memory.dmp
memory/592-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/592-77-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\-cV].exe
| MD5 | 4a97cfd7be5c68006c2e09dd71343ecd |
| SHA1 | db5d13f2768a73eb8f72fe08575c9911b49abfc5 |
| SHA256 | 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e |
| SHA512 | a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9 |
memory/996-79-0x0000000074910000-0x0000000074FFE000-memory.dmp
memory/592-80-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\dNeGvT(%8p.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/1568-91-0x0000000074910000-0x0000000074FFE000-memory.dmp
memory/2676-92-0x00000000002A0000-0x00000000002A2000-memory.dmp
memory/2676-93-0x0000000077890000-0x0000000077A39000-memory.dmp
memory/1240-94-0x0000000002A10000-0x0000000002A26000-memory.dmp
memory/592-95-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\33AE.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/856-109-0x0000000001340000-0x000000000138E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\33AE.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/856-111-0x0000000000A70000-0x0000000000AB6000-memory.dmp
memory/856-110-0x0000000074220000-0x000000007490E000-memory.dmp
memory/856-113-0x0000000000AB0000-0x0000000000AE4000-memory.dmp
memory/856-112-0x0000000000540000-0x0000000000580000-memory.dmp
\Users\Admin\AppData\Local\Temp\33AE.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/3040-115-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3040-117-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3040-119-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3040-121-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3040-123-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3040-125-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3040-128-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3040-130-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\362E.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |
C:\Users\Admin\AppData\Local\Temp\362E.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |
C:\Users\Admin\AppData\Local\Temp\33AE.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/2660-139-0x0000000000C40000-0x0000000000CBC000-memory.dmp
memory/856-138-0x0000000074220000-0x000000007490E000-memory.dmp
memory/3040-137-0x0000000000400000-0x0000000000413000-memory.dmp
memory/3040-141-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2660-140-0x0000000074220000-0x000000007490E000-memory.dmp
memory/2660-142-0x0000000004B60000-0x0000000004BA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\33AE.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/2660-144-0x0000000000AB0000-0x0000000000AF2000-memory.dmp
memory/2132-148-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/2132-147-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/2116-149-0x0000000001290000-0x00000000012D0000-memory.dmp
\Users\Admin\AppData\Local\Temp\33AE.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/2132-164-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/2132-162-0x0000000000160000-0x00000000001E0000-memory.dmp
memory/2116-146-0x0000000074220000-0x000000007490E000-memory.dmp
\Users\Admin\AppData\Local\Temp\33AE.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
C:\Users\Admin\AppData\Local\Temp\33AE.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/2116-184-0x0000000074220000-0x000000007490E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\33AE.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/768-188-0x00000000000E0000-0x00000000000EC000-memory.dmp
memory/768-187-0x00000000000F0000-0x00000000000F7000-memory.dmp
memory/624-190-0x00000000000D0000-0x00000000000D4000-memory.dmp
memory/624-191-0x00000000000C0000-0x00000000000C9000-memory.dmp
memory/2304-194-0x00000000000C0000-0x00000000000CB000-memory.dmp
memory/2660-193-0x0000000074220000-0x000000007490E000-memory.dmp
memory/1068-196-0x00000000000C0000-0x00000000000C9000-memory.dmp
memory/1068-198-0x0000000000080000-0x000000000008B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\33AE.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/2660-200-0x0000000004B60000-0x0000000004BA0000-memory.dmp
memory/1508-205-0x0000000000401000-0x000000000040A000-memory.dmp
memory/2336-208-0x0000000000070000-0x0000000000079000-memory.dmp
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[61E71460-3483].[[email protected]].8base
| MD5 | 443cfcb16d4b15371f2836b88b98104a |
| SHA1 | 98e1904c3f240863e828b1cd859b52f159bbb7bb |
| SHA256 | 94142d8117d10b94fb16c67b5469932215f011b906319ed133e1e7f858116173 |
| SHA512 | 2d0a43daaca9ffbc6baa4a8a982234b5dd50fc155cb430b37bbf0608bb5ceebfb481054f7db4795752eb4c6d5be32eeb7891bcf52d8858fdbddafa652bb00265 |
C:\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
C:\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
C:\Users\Admin\AppData\Local\Temp\7E44.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
\Users\Admin\AppData\Local\Temp\362E.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |
C:\Users\Admin\AppData\Local\Temp\Cab4C9C.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar50A5.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\Local\Temp\362E.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |
C:\Users\Admin\AppData\Local\Temp\7E44.tmp\aa_nts.dll
| MD5 | 480a66902e6e7cdafaa6711e8697ff8c |
| SHA1 | 6ac730962e7c1dba9e2ecc5733a506544f3c8d11 |
| SHA256 | 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5 |
| SHA512 | 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5 |
C:\Users\Admin\AppData\Local\Temp\7E44.tmp\aa_nts.msg
| MD5 | 3f05819f995b4dafa1b5d55ce8d1f411 |
| SHA1 | 404449b79a16bfc4f64f2fd55cd73d5d27a85d71 |
| SHA256 | 7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0 |
| SHA512 | 34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026 |
\Users\Admin\AppData\Local\Temp\7E44.tmp\aa_nts.dll
| MD5 | 480a66902e6e7cdafaa6711e8697ff8c |
| SHA1 | 6ac730962e7c1dba9e2ecc5733a506544f3c8d11 |
| SHA256 | 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5 |
| SHA512 | 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5 |
\Users\Admin\AppData\Local\Temp\7E44.tmp\aa_nts.dll
| MD5 | 480a66902e6e7cdafaa6711e8697ff8c |
| SHA1 | 6ac730962e7c1dba9e2ecc5733a506544f3c8d11 |
| SHA256 | 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5 |
| SHA512 | 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5 |
\Users\Admin\AppData\Local\Temp\7E44.tmp\aa_nts.dll
| MD5 | 480a66902e6e7cdafaa6711e8697ff8c |
| SHA1 | 6ac730962e7c1dba9e2ecc5733a506544f3c8d11 |
| SHA256 | 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5 |
| SHA512 | 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5 |
\Users\Admin\AppData\Local\Temp\7E44.tmp\aa_nts.dll
| MD5 | 480a66902e6e7cdafaa6711e8697ff8c |
| SHA1 | 6ac730962e7c1dba9e2ecc5733a506544f3c8d11 |
| SHA256 | 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5 |
| SHA512 | 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-13 03:54
Reported
2023-10-18 03:22
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
164s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
FlawedAmmyy RAT
Phobos
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 956 created 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | C:\Windows\Explorer.EXE |
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (67) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2030.tmp\svchost.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\A256.exe | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A256 = "C:\\Users\\Admin\\AppData\\Local\\A256.exe" | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A256 = "C:\\Users\\Admin\\AppData\\Local\\A256.exe" | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2890696111-2332180956-3312704074-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2890696111-2332180956-3312704074-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2030.tmp\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4236 set thread context of 956 | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe |
| PID 3004 set thread context of 3488 | N/A | C:\Users\Admin\AppData\Local\Microsoft\zUwM(c2.exe | C:\Users\Admin\AppData\Local\Microsoft\zUwM(c2.exe |
| PID 4772 set thread context of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\A256.exe | C:\Users\Admin\AppData\Local\Temp\A256.exe |
| PID 4620 set thread context of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\A256.exe | C:\Users\Admin\AppData\Local\Temp\A256.exe |
| PID 2536 set thread context of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\A3DD.exe | C:\Users\Admin\AppData\Local\Temp\A3DD.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-explorer.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\en-US\wab32res.dll.mui | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\msadco.dll | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\co.txt.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\ClosePush.pptx.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ru.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_es.jar | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301 | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\msxactps.dll | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msado60.tlb | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\org-openide-filesystems.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansRegular.ttf | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-explorer.xml.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\msadds.dll | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security.ui_1.1.200.v20130626-2037.jar.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\pl.txt.id[F38805D8-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\zUwM(c2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\zUwM(c2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\zUwM(c2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\zUwM(c2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\A3DD.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\A256.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2030.tmp\svchost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
"C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe"
C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
"C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe"
C:\Users\Admin\AppData\Local\Microsoft\zUwM(c2.exe
"C:\Users\Admin\AppData\Local\Microsoft\zUwM(c2.exe"
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
C:\Users\Admin\AppData\Local\Microsoft\zUwM(c2.exe
C:\Users\Admin\AppData\Local\Microsoft\zUwM(c2.exe
C:\Users\Admin\AppData\Local\Temp\A256.exe
C:\Users\Admin\AppData\Local\Temp\A256.exe
C:\Users\Admin\AppData\Local\Temp\A3DD.exe
C:\Users\Admin\AppData\Local\Temp\A3DD.exe
C:\Users\Admin\AppData\Local\Temp\A256.exe
C:\Users\Admin\AppData\Local\Temp\A256.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\A256.exe
"C:\Users\Admin\AppData\Local\Temp\A256.exe"
C:\Users\Admin\AppData\Local\Temp\A256.exe
C:\Users\Admin\AppData\Local\Temp\A256.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\A3DD.exe
"C:\Users\Admin\AppData\Local\Temp\A3DD.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\2030.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\2030.tmp\svchost.exe -debug
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\2030.tmp\aa_nts.dll",run
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amxt25.xyz | udp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| US | 8.8.8.8:53 | 61.66.131.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| US | 8.8.8.8:53 | servermlogs27.xyz | udp |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| US | 8.8.8.8:53 | 120.66.131.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zamned17.xyz | udp |
| DE | 5.182.207.92:80 | zamned17.xyz | tcp |
| US | 8.8.8.8:53 | 92.207.182.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | tcp | |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ammyy.com | udp |
| DE | 136.243.18.118:80 | www.ammyy.com | tcp |
| DE | 136.243.18.118:443 | www.ammyy.com | tcp |
| US | 8.8.8.8:53 | 118.18.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.174.42.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
memory/4236-0-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/4236-1-0x0000000000080000-0x00000000000FC000-memory.dmp
memory/4236-2-0x00000000050A0000-0x0000000005644000-memory.dmp
memory/4236-3-0x0000000004AF0000-0x0000000004B68000-memory.dmp
memory/4236-4-0x0000000004BE0000-0x0000000004BF0000-memory.dmp
memory/4236-5-0x0000000004B70000-0x0000000004BD8000-memory.dmp
memory/4236-6-0x0000000004BF0000-0x0000000004C3C000-memory.dmp
memory/956-7-0x0000000000400000-0x0000000000473000-memory.dmp
memory/956-10-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4236-12-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/956-11-0x0000000000400000-0x0000000000473000-memory.dmp
memory/956-13-0x00000000028C0000-0x00000000028C7000-memory.dmp
memory/956-14-0x0000000002A00000-0x0000000002E00000-memory.dmp
memory/956-15-0x0000000002A00000-0x0000000002E00000-memory.dmp
memory/956-16-0x0000000002A00000-0x0000000002E00000-memory.dmp
memory/956-17-0x0000000002A00000-0x0000000002E00000-memory.dmp
memory/4056-18-0x0000015AA5A90000-0x0000015AA5A93000-memory.dmp
memory/956-19-0x0000000003800000-0x0000000003836000-memory.dmp
memory/956-25-0x0000000000400000-0x0000000000473000-memory.dmp
memory/956-26-0x0000000003800000-0x0000000003836000-memory.dmp
memory/956-27-0x0000000002A00000-0x0000000002E00000-memory.dmp
memory/956-28-0x0000000000400000-0x0000000000473000-memory.dmp
memory/956-29-0x0000000002A00000-0x0000000002E00000-memory.dmp
memory/4056-30-0x0000015AA5A90000-0x0000015AA5A93000-memory.dmp
memory/4056-31-0x0000015AA7B40000-0x0000015AA7B47000-memory.dmp
memory/4056-32-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
memory/4056-33-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
memory/4056-34-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
memory/4056-35-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
memory/4056-36-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
memory/4056-38-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
memory/4056-40-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
memory/4056-41-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
memory/4056-42-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
memory/4056-43-0x00007FFB6FFD0000-0x00007FFB701C5000-memory.dmp
memory/4056-44-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
memory/4056-45-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
memory/4056-46-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
memory/4056-47-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
memory/4056-48-0x00007FF489E30000-0x00007FF489F5F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/4056-52-0x00007FFB6FFD0000-0x00007FFB701C5000-memory.dmp
memory/2004-53-0x0000000000FB0000-0x0000000000FF0000-memory.dmp
memory/2004-54-0x00000000057A0000-0x00000000057DE000-memory.dmp
memory/2004-57-0x00000000057E0000-0x00000000057F0000-memory.dmp
memory/2004-55-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/3004-60-0x00000000000F0000-0x0000000000158000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\zUwM(c2.exe
| MD5 | 4a97cfd7be5c68006c2e09dd71343ecd |
| SHA1 | db5d13f2768a73eb8f72fe08575c9911b49abfc5 |
| SHA256 | 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e |
| SHA512 | a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9 |
memory/2004-61-0x0000000005880000-0x00000000058AC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\zUwM(c2.exe
| MD5 | 4a97cfd7be5c68006c2e09dd71343ecd |
| SHA1 | db5d13f2768a73eb8f72fe08575c9911b49abfc5 |
| SHA256 | 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e |
| SHA512 | a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9 |
memory/3004-63-0x0000000004910000-0x0000000004954000-memory.dmp
memory/3004-62-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/3004-64-0x0000000004A00000-0x0000000004A32000-memory.dmp
memory/3004-65-0x0000000004960000-0x0000000004970000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/2004-77-0x00000000747A0000-0x0000000074F50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\MjOQuy.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/3488-78-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\zUwM(c2.exe
| MD5 | 4a97cfd7be5c68006c2e09dd71343ecd |
| SHA1 | db5d13f2768a73eb8f72fe08575c9911b49abfc5 |
| SHA256 | 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e |
| SHA512 | a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9 |
memory/3488-81-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3004-82-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/4056-83-0x0000015AA7B40000-0x0000015AA7B45000-memory.dmp
memory/4056-84-0x00007FFB6FFD0000-0x00007FFB701C5000-memory.dmp
memory/2496-85-0x0000000002970000-0x0000000002986000-memory.dmp
memory/3488-86-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A256.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
C:\Users\Admin\AppData\Local\Temp\A256.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/4772-99-0x0000000000940000-0x000000000098E000-memory.dmp
memory/4772-100-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/4772-101-0x0000000002D10000-0x0000000002D56000-memory.dmp
memory/4772-104-0x0000000005460000-0x0000000005470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A3DD.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |
memory/4772-106-0x00000000051C0000-0x00000000051F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A3DD.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |
memory/2536-108-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/2536-109-0x0000000000B90000-0x0000000000C0C000-memory.dmp
memory/2536-110-0x00000000049D0000-0x0000000004A62000-memory.dmp
memory/920-111-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A256.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/4772-115-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/2536-117-0x0000000004B10000-0x0000000004BAC000-memory.dmp
memory/920-118-0x0000000000400000-0x0000000000413000-memory.dmp
memory/920-119-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A256.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\A256.exe.log
| MD5 | 4a911455784f74e368a4c2c7876d76f4 |
| SHA1 | a1700a0849ffb4f26671eb76da2489946b821c34 |
| SHA256 | 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c |
| SHA512 | 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d |
memory/912-122-0x0000000001000000-0x000000000106B000-memory.dmp
memory/4620-123-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/912-124-0x0000000001000000-0x000000000106B000-memory.dmp
memory/4620-125-0x00000000052E0000-0x00000000052F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A256.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/4620-130-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/3872-131-0x0000000000400000-0x0000000000413000-memory.dmp
memory/1364-135-0x0000000001030000-0x0000000001037000-memory.dmp
memory/1364-136-0x0000000001020000-0x000000000102C000-memory.dmp
memory/1364-137-0x0000000001020000-0x000000000102C000-memory.dmp
memory/2536-159-0x00000000059A0000-0x00000000059E2000-memory.dmp
memory/2100-161-0x0000000000410000-0x0000000000419000-memory.dmp
memory/2100-160-0x0000000000420000-0x0000000000424000-memory.dmp
memory/2536-162-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/2100-163-0x0000000000410000-0x0000000000419000-memory.dmp
memory/912-164-0x0000000001000000-0x000000000106B000-memory.dmp
memory/4212-166-0x0000000000EF0000-0x0000000000EFA000-memory.dmp
memory/4212-165-0x0000000000EE0000-0x0000000000EEB000-memory.dmp
memory/4212-167-0x0000000000EE0000-0x0000000000EEB000-memory.dmp
memory/2536-168-0x0000000005C60000-0x0000000005C6A000-memory.dmp
memory/2992-170-0x0000000000420000-0x000000000042B000-memory.dmp
memory/2992-171-0x0000000000430000-0x0000000000437000-memory.dmp
memory/3732-174-0x00000000001E0000-0x00000000001EF000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\A256.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/920-184-0x0000000000400000-0x0000000000413000-memory.dmp
memory/920-186-0x0000000000400000-0x0000000000413000-memory.dmp
memory/920-188-0x0000000000400000-0x0000000000413000-memory.dmp
memory/920-190-0x0000000000400000-0x0000000000413000-memory.dmp
memory/920-205-0x0000000000400000-0x0000000000413000-memory.dmp
memory/920-219-0x0000000000400000-0x0000000000413000-memory.dmp
memory/920-194-0x0000000000400000-0x0000000000413000-memory.dmp
memory/920-200-0x0000000000400000-0x0000000000413000-memory.dmp
memory/920-191-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[F38805D8-3483].[[email protected]].8base
| MD5 | b23aa718b4618fc69edb9c45bb852c6f |
| SHA1 | 156bdc89ae040841c1500051fb845880bcc4a55e |
| SHA256 | 2e4ee9d5a173ee8ad32ab3efe167b8652a7b382048f1c36be850a50b0e7d09c9 |
| SHA512 | 477e721f5c7c69869044137671ad218374c5e1d55f6fbd260606d7b1d75cdec4c7008931ea48d3d11fde504b6ae30c98c09ce9744d424c494e62e99f4bc9ec64 |
C:\Users\Admin\AppData\Local\Temp\2030.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
C:\Users\Admin\AppData\Local\Temp\2030.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
C:\Users\Admin\AppData\Local\Temp\A3DD.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |
C:\Users\Admin\AppData\Local\Temp\2030.tmp\aa_nts.dll
| MD5 | 18c734460f0a3b0520b1ecbd08ea2daf |
| SHA1 | 0dc9422e67dd2fc4e14c9234f695e91408e45f9a |
| SHA256 | 3a4f0a3b59537f9f0fdb3f7fb5b177d24417701b03dad2ca7f7326cc8cb49043 |
| SHA512 | 66a0bbef44cd321d7c32189676861cd3acf853128abcd4f0eef55ab9bb9737828bc1f50352c79f8167916e405dd1b40478c4d8ca40d58756253591e9e2444665 |
C:\Users\Admin\AppData\Local\Temp\2030.tmp\aa_nts.dll
| MD5 | 795bb04084380b8ebafd54dda6d61f06 |
| SHA1 | 2c66cfecb7236c2cfe845020b048d0354aa3d202 |
| SHA256 | 13baa40f61680a7cbfc82486d9aebb531a9097fec36595e76de41c35d6348b5a |
| SHA512 | 2dc4d3489f312a052cb534cd8adfb79f379d60656825b6ee6db58cbc2a8713d025f801533ac22fee3fba6dc0a1eda96404c796afede42aae01391020147131f9 |