Analysis Overview
SHA256: d3ff42e30d8fab9324a80f08e50445a1fcf72fa2cfe410043785bf4ff4c637ae
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
RedLine
SmokeLoader
Djvu Ransomware
Detected Djvu ransomware
Glupteba
RedLine payload
Glupteba payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Stops running service(s)
Downloads MZ/PE file
Checks BIOS information in registry
Executes dropped EXE
Deletes itself
Modifies file permissions
Themida packer
Checks computer location settings
Loads dropped DLL
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Accesses Microsoft Outlook profiles
Checks whether UAC is enabled
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Creates scheduled task(s)
outlook_office_path
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
outlook_win_path
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-10-18 15:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2023-10-18 15:38
Reported: 2023-10-18 15:42
Platform: win10v2004-20230915-en
Max time kernel: 78s
Max time network: 142s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\F3F6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8C.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\F3F6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\F3F6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9C5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F1C2.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1ea6db0c-86b1-4817-b6c3-f35a4e8c8683\\F1C2.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\F1C2.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\F3F6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F3F6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1944 set thread context of 3720 | N/A | C:\Users\Admin\AppData\Local\Temp\F1C2.exe | C:\Users\Admin\AppData\Local\Temp\F1C2.exe |
| PID 3312 set thread context of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\F3F6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3008 set thread context of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\F1C2.exe | C:\Users\Admin\AppData\Local\Temp\F1C2.exe |
| PID 2664 set thread context of 3568 | N/A | C:\Users\Admin\AppData\Local\Temp\F724.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\14E2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\F1C2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\427.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\427.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\427.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\427.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F3F6.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8C.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2ABD.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\file.exe | "C:\Users\Admin\AppData\Local\Temp\file.exe" |
| C:\Users\Admin\AppData\Local\Temp\F1C2.exe | C:\Users\Admin\AppData\Local\Temp\F1C2.exe |
| C:\Users\Admin\AppData\Local\Temp\F3F6.exe | C:\Users\Admin\AppData\Local\Temp\F3F6.exe |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F5DB.dll |
| C:\Users\Admin\AppData\Local\Temp\F724.exe | C:\Users\Admin\AppData\Local\Temp\F724.exe |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\F5DB.dll |
| C:\Users\Admin\AppData\Local\Temp\F1C2.exe | C:\Users\Admin\AppData\Local\Temp\F1C2.exe |
| C:\Users\Admin\AppData\Local\Temp\8C.exe | C:\Users\Admin\AppData\Local\Temp\8C.exe |
| C:\Users\Admin\AppData\Local\Temp\427.exe | C:\Users\Admin\AppData\Local\Temp\427.exe |
| C:\Users\Admin\AppData\Local\Temp\9C5.exe | C:\Users\Admin\AppData\Local\Temp\9C5.exe |
| C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\1ea6db0c-86b1-4817-b6c3-f35a4e8c8683" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\14E2.exe | C:\Users\Admin\AppData\Local\Temp\14E2.exe |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y\|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1432 -ip 1432 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 340 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "yiueea.exe" /P "Admin:N" |
| C:\Users\Admin\AppData\Local\Temp\2ABD.exe | C:\Users\Admin\AppData\Local\Temp\2ABD.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Windows\SysWOW64\cacls.exe | CACLS "yiueea.exe" /P "Admin:R" /E |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\577f58beff" /P "Admin:N" |
| C:\Users\Admin\AppData\Local\Temp\F1C2.exe | "C:\Users\Admin\AppData\Local\Temp\F1C2.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\577f58beff" /P "Admin:R" /E |
| C:\Users\Admin\AppData\Local\Temp\F1C2.exe | "C:\Users\Admin\AppData\Local\Temp\F1C2.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4564 -ip 4564 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 568 |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\8C.exe | "C:\Users\Admin\AppData\Local\Temp\8C.exe" |
| C:\Users\Admin\AppData\Local\Temp\8C.exe | "C:\Users\Admin\AppData\Local\Temp\8C.exe" |
| C:\Users\Admin\AppData\Local\Temp\8C.exe | "C:\Users\Admin\AppData\Local\Temp\8C.exe" |
| C:\Users\Admin\AppData\Local\Temp\8C.exe | "C:\Users\Admin\AppData\Local\Temp\8C.exe" |
| C:\Users\Admin\AppData\Local\Temp\8C.exe | "C:\Users\Admin\AppData\Local\Temp\8C.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\Temp\2ABD.exe | "C:\Users\Admin\AppData\Local\Temp\2ABD.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | |
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\kyabiylzsfjo.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-18 15:38
Reported
2023-10-18 15:40
Platform
win7-20230831-en
Max time kernel
54s
Max time network
168s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3535.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\47BE.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3535.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\47BE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\47BE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3535.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31F9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3535.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31F9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\428F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47BE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56BD.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31F9.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\47BE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\3535.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3535.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47BE.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2640 set thread context of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\31F9.exe | C:\Users\Admin\AppData\Local\Temp\31F9.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\56BD.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\56BD.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\56BD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\31F9.exe
C:\Users\Admin\AppData\Local\Temp\31F9.exe
C:\Users\Admin\AppData\Local\Temp\3535.exe
C:\Users\Admin\AppData\Local\Temp\3535.exe
C:\Users\Admin\AppData\Local\Temp\31F9.exe
C:\Users\Admin\AppData\Local\Temp\31F9.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3E79.dll
C:\Users\Admin\AppData\Local\Temp\428F.exe
C:\Users\Admin\AppData\Local\Temp\428F.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\3E79.dll
C:\Users\Admin\AppData\Local\Temp\47BE.exe
C:\Users\Admin\AppData\Local\Temp\47BE.exe
C:\Users\Admin\AppData\Local\Temp\56BD.exe
C:\Users\Admin\AppData\Local\Temp\56BD.exe
C:\Users\Admin\AppData\Local\Temp\71DC.exe
C:\Users\Admin\AppData\Local\Temp\71DC.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\24ed172b-c95b-4f2e-a693-e5557d696978" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\91FA.exe
C:\Users\Admin\AppData\Local\Temp\91FA.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\31F9.exe
"C:\Users\Admin\AppData\Local\Temp\31F9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\31F9.exe
"C:\Users\Admin\AppData\Local\Temp\31F9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build2.exe
"C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build2.exe"
C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build3.exe
"C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build3.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {F1FEBC6F-3949-4CA0-A4E8-F11A4C0E3EA8} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build3.exe
"C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build3.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Roaming\ihrwvda
C:\Users\Admin\AppData\Roaming\ihrwvda
C:\Users\Admin\AppData\Roaming\ehrwvda
C:\Users\Admin\AppData\Roaming\ehrwvda
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build2.exe
"C:\Users\Admin\AppData\Local\0d4dd327-2b8d-4207-a229-6e0a9c0b1dbd\build2.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231018154038.log C:\Windows\Logs\CBS\CbsPersist_20231018154038.cab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 104.21.21.57:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | stalagmijesarl.com | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| MX | 187.204.68.14:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| KR | 211.40.39.251:80 | zexeq.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| KR | 211.40.39.251:80 | zexeq.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| BG | 171.22.28.236:38306 | | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.169:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| JP | 23.207.106.113:443 | steamcommunity.com | tcp |
| DE | 5.75.212.77:80 | 5.75.212.77 | tcp |
Files
memory/2212-1-0x00000000008F0000-0x00000000009F0000-memory.dmp
memory/2212-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2212-3-0x0000000000400000-0x00000000007CF000-memory.dmp
memory/2212-5-0x0000000000400000-0x00000000007CF000-memory.dmp
memory/1300-4-0x00000000029D0000-0x00000000029E6000-memory.dmp
memory/2212-8-0x0000000000220000-0x000000000022B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31F9.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
C:\Users\Admin\AppData\Local\Temp\31F9.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
C:\Users\Admin\AppData\Local\Temp\3535.exe
| MD5 | 73c0d14591b9438fd544c80ccee4fef1 |
| SHA1 | 8eb8e501098dd00627bd7a63e0f01feb861eeac6 |
| SHA256 | ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219 |
| SHA512 | d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f |
memory/2764-25-0x0000000001170000-0x00000000018AE000-memory.dmp
memory/2640-26-0x0000000000290000-0x0000000000321000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31F9.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
\Users\Admin\AppData\Local\Temp\31F9.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/3028-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3028-31-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31F9.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/2764-33-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-35-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-36-0x0000000076A10000-0x0000000076A57000-memory.dmp
memory/2764-37-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-39-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-38-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-40-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-42-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-43-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-44-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-45-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-46-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-47-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-48-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2640-50-0x0000000002080000-0x000000000219B000-memory.dmp
memory/2764-51-0x0000000077820000-0x0000000077822000-memory.dmp
memory/2640-49-0x0000000000290000-0x0000000000321000-memory.dmp
memory/2764-41-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-34-0x0000000076580000-0x0000000076690000-memory.dmp
memory/3028-54-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3028-56-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\428F.exe
| MD5 | 276f4535df7de6a669a52a4e715f678c |
| SHA1 | 4ca1872fd68cf09060c344ecae344e5337d0f0fd |
| SHA256 | e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f |
| SHA512 | 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89 |
C:\Users\Admin\AppData\Local\Temp\428F.exe
| MD5 | 276f4535df7de6a669a52a4e715f678c |
| SHA1 | 4ca1872fd68cf09060c344ecae344e5337d0f0fd |
| SHA256 | e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f |
| SHA512 | 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89 |
C:\Users\Admin\AppData\Local\Temp\3E79.dll
| MD5 | b22087ac0a2a7243e85d54a92654b666 |
| SHA1 | 8e131975d080cf7ab254f8c9f52ec456ce6d03ad |
| SHA256 | 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4 |
| SHA512 | 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1 |
C:\Users\Admin\AppData\Local\Temp\47BE.exe
| MD5 | 1dc47ac0b00f58cadb013cb4653e3973 |
| SHA1 | 62aa607a45c4c31e515a5d86a86ab61738c336c0 |
| SHA256 | 1775fe12c1b23194e5198cae3ff0049a275d0659e8149f4add3ab049f78e7229 |
| SHA512 | 5acbce0bdc8d4c9dc49d6afe851e37fbfb5ac895097a41628322278546aa94242975a037e1087733df439565c52578f04d2d60bb676c1c1c2b589aeb271e9853 |
\Users\Admin\AppData\Local\Temp\3E79.dll
| MD5 | b22087ac0a2a7243e85d54a92654b666 |
| SHA1 | 8e131975d080cf7ab254f8c9f52ec456ce6d03ad |
| SHA256 | 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4 |
| SHA512 | 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1 |
memory/1208-70-0x0000000000B00000-0x0000000001256000-memory.dmp
memory/1208-72-0x0000000076A10000-0x0000000076A57000-memory.dmp
memory/1208-74-0x0000000076580000-0x0000000076690000-memory.dmp
memory/760-75-0x0000000000200000-0x0000000000206000-memory.dmp
memory/1208-76-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-77-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-78-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-79-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-80-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-81-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-82-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-84-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-86-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-87-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-88-0x0000000076A10000-0x0000000076A57000-memory.dmp
memory/1208-89-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-90-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-93-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-92-0x0000000076A10000-0x0000000076A57000-memory.dmp
memory/1208-91-0x0000000076580000-0x0000000076690000-memory.dmp
memory/760-71-0x0000000010000000-0x00000000101D2000-memory.dmp
memory/1208-94-0x0000000076580000-0x0000000076690000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\56BD.exe
| MD5 | 5d2f4dced61a5ca942ddd8df3e2646d9 |
| SHA1 | 87a53a110db93a85c2088424ff4d3feeb24ab82f |
| SHA256 | 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618 |
| SHA512 | 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6 |
C:\Users\Admin\AppData\Local\Temp\56BD.exe
| MD5 | 5d2f4dced61a5ca942ddd8df3e2646d9 |
| SHA1 | 87a53a110db93a85c2088424ff4d3feeb24ab82f |
| SHA256 | 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618 |
| SHA512 | 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6 |
memory/1208-95-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-102-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-103-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-104-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-105-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-106-0x0000000076580000-0x0000000076690000-memory.dmp
memory/1208-109-0x0000000000B00000-0x0000000001256000-memory.dmp
memory/2764-110-0x0000000001170000-0x00000000018AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\71DC.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\71DC.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1300-118-0x0000000002AC0000-0x0000000002AD6000-memory.dmp
memory/1876-119-0x0000000000400000-0x00000000007CF000-memory.dmp
memory/1876-122-0x00000000008B5000-0x00000000008C8000-memory.dmp
memory/1876-123-0x0000000000220000-0x0000000000229000-memory.dmp
memory/2764-127-0x0000000074280000-0x000000007496E000-memory.dmp
memory/2348-131-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1208-133-0x0000000074280000-0x000000007496E000-memory.dmp
memory/2348-134-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2348-135-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2348-136-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2348-137-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2348-132-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2348-139-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2348-141-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2764-159-0x0000000001170000-0x00000000018AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3028-163-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2348-162-0x0000000074280000-0x000000007496E000-memory.dmp
memory/760-164-0x00000000021A0000-0x00000000022C6000-memory.dmp
memory/2764-165-0x0000000076A10000-0x0000000076A57000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/760-169-0x00000000022D0000-0x00000000023D9000-memory.dmp
memory/760-170-0x00000000022D0000-0x00000000023D9000-memory.dmp
memory/760-172-0x00000000022D0000-0x00000000023D9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\91FA.exe
| MD5 | 52bf9d33e1014192f6519323983054c4 |
| SHA1 | 72279e7ad1d90598d39a5f617b22050c011c1076 |
| SHA256 | 3b10cbefece580482a1b5b6de698293d9f2b34b53520bd25a7816008956a4dbd |
| SHA512 | 7cededd371f141cad6431d2bea6af0aabf4093eaea784280ae08546a50d5153e6bbd0a06390a306de6e4990c6d59bb9c91168dc2f91357009ebfb61fdde412ed |
memory/2764-166-0x0000000076580000-0x0000000076690000-memory.dmp
memory/2764-168-0x0000000076580000-0x0000000076690000-memory.dmp
memory/760-179-0x00000000022D0000-0x00000000023D9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\91FA.exe
| MD5 | 52bf9d33e1014192f6519323983054c4 |
| SHA1 | 72279e7ad1d90598d39a5f617b22050c011c1076 |
| SHA256 | 3b10cbefece580482a1b5b6de698293d9f2b34b53520bd25a7816008956a4dbd |
| SHA512 | 7cededd371f141cad6431d2bea6af0aabf4093eaea784280ae08546a50d5153e6bbd0a06390a306de6e4990c6d59bb9c91168dc2f91357009ebfb61fdde412ed |
C:\Users\Admin\AppData\Local\24ed172b-c95b-4f2e-a693-e5557d696978\31F9.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/2348-183-0x00000000075A0000-0x00000000075E0000-memory.dmp
memory/1792-185-0x0000000000140000-0x00000000001AB000-memory.dmp
memory/2288-208-0x0000000002860000-0x0000000002C58000-memory.dmp
memory/1888-211-0x0000000000060000-0x000000000006C000-memory.dmp
\Users\Admin\AppData\Local\Temp\31F9.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
\Users\Admin\AppData\Local\Temp\31F9.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/3028-233-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31F9.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |