Analysis Overview
SHA256
1ce005163f0931b60a2340dae83894ab89a710d930c7e0c28da75b41518a6ef3
Threat Level: Known bad
The file d03bcd36867e7c28bb1a55cce8dde5ec.exe was found to be: Known bad.
Malicious Activity Summary
RisePro
SmokeLoader
Djvu Ransomware
Detected google phishing page
DcRat
RedLine payload
RedLine
Detect Lumma Stealer payload V4
Detected Djvu ransomware
PrivateLoader
Lumma Stealer
Downloads MZ/PE file
Modifies file permissions
Reads user/profile data of local email clients
Checks computer location settings
Loads dropped DLL
Deletes itself
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks installed software on the system
Adds Run key to start application
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in System32 directory
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Checks processor information in registry
outlook_office_path
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
outlook_win_path
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-15 01:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-15 01:48
Reported
2023-12-15 01:50
Platform
win10v2004-20231130-en
Max time kernel
31s
Max time network
80s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| 9 hits, every field N/A | | | |
Djvu Ransomware
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AB16.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B98E.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\11378549-d88e-45ab-b5e6-9d4716f58b69\\AB16.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\AB16.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4444 set thread context of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe |
| PID 2288 set thread context of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe |
| PID 4560 set thread context of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe |
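All three SetThreadContext hits above go from a process to a second instance of the same image (4444 -> 1916 for the sample, 2288 -> 1484 and 4560 -> 2332 for AB16.exe), and the process list further down shows WerFault attached to 1916 and 2332 (`-p 1916`, `-p 2332`). That is the self-hollowing shape: the packer starts a suspended copy of itself, maps the unpacked payload into the child (the sandbox's memory dumps for PID 1916 cover 0x400000-0x409000), redirects the main thread with SetThreadContext and resumes it; when the unpacked code dies, WerFault reports the child rather than the parent. The Python below is an added example and not part of the report: it correlates the two event types so that a generic injection hit becomes "injected child crashed afterwards". The event list is transcribed from the PIDs on this page; the ordering of the records is assumed.

```python
"""Correlate SetThreadContext self-injection with later crashes of the injected child.

Example added for this page, not sandbox code. EVENTS is transcribed from the
report: PIDs from the SetThreadContext table, crash PIDs from the WerFault
command lines in the process list; the order of the records is assumed.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe"
AB16 = r"C:\Users\Admin\AppData\Local\Temp\AB16.exe"

EVENTS = [
    ("proc", {"pid": 4444, "image": SAMPLE}),
    ("proc", {"pid": 1916, "image": SAMPLE}),
    ("setctx", {"src": 4444, "dst": 1916}),
    ("werfault", {"cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1916 -ip 1916"}),
    ("proc", {"pid": 2288, "image": AB16}),
    ("proc", {"pid": 1484, "image": AB16}),
    ("setctx", {"src": 2288, "dst": 1484}),
    ("proc", {"pid": 4560, "image": AB16}),
    ("proc", {"pid": 2332, "image": AB16}),
    ("setctx", {"src": 4560, "dst": 2332}),
    ("werfault", {"cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2332 -ip 2332"}),
]

# "-p <pid>" is the faulting process; "-pss", "-ip" and "-s" must not match.
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def correlate(events):
    """Return {target_pid: finding} for every SetThreadContext into another process."""
    images, findings = {}, {}
    for kind, d in events:
        if kind == "proc":
            images[d["pid"]] = d["image"]
        elif kind == "setctx":
            src, dst = d["src"], d["dst"]
            if src == dst:
                continue  # a process adjusting its own thread context is ordinary
            same = images.get(src) is not None and images.get(src) == images.get(dst)
            findings[dst] = {
                "src": src,
                "image": images.get(dst),
                # same image on both ends: the sample hollowed a suspended copy of
                # itself (RunPE); different images: injection into another binary
                "pattern": "self-hollowing" if same else "cross-process",
                "crashed": False,
            }
        elif kind == "werfault":
            m = WERFAULT_PID.search(d["cmdline"])
            if m and int(m.group(1)) in findings:
                findings[int(m.group(1))]["crashed"] = True
    return findings


if __name__ == "__main__":
    for pid, f in correlate(EVENTS).items():
        state = "crashed afterwards" if f["crashed"] else "no crash"
        print(f"PID {f['src']} -> {pid} ({f['pattern']}, {state}): {f['image']}")
```

The same join works on EDR thread-context or process-access telemetry; the WerFault correlation is what separates "packer unpacked something" from "packer unpacked something that failed", which is often the first sign that an unpacked payload did not like the analysis environment.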
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A |
| 62 further hits, every field N/A | | | |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
"C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe"
C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
"C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1916 -ip 1916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 328
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\94ED.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\AB16.exe
C:\Users\Admin\AppData\Local\Temp\AB16.exe
C:\Users\Admin\AppData\Local\Temp\AB16.exe
C:\Users\Admin\AppData\Local\Temp\AB16.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\11378549-d88e-45ab-b5e6-9d4716f58b69" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\AB16.exe
"C:\Users\Admin\AppData\Local\Temp\AB16.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\AB16.exe
"C:\Users\Admin\AppData\Local\Temp\AB16.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2332 -ip 2332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 568
C:\Users\Admin\AppData\Local\Temp\B98E.exe
C:\Users\Admin\AppData\Local\Temp\B98E.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 24.52.193.212.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 123.140.161.243:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | 243.161.140.123.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 185.196.8.238:80 | 185.196.8.238 | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 238.8.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
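Most of the table above is noise from the analyst's point of view: reverse lookups the sandbox performs on peers it has just spoken to (the `in-addr.arpa` rows), resolver traffic to 8.8.8.8, and Bing background traffic from the Windows image. What remains is small: 30 connections to host-host-file8.com at 212.193.52.24:80 (the beaconing host), one to brusuax.com, the api.2ip.ua geolocation check, a connection straight to the literal IP 185.196.8.238 with no DNS, cdn.discordapp.com at the end of the run, and host-file-host6.com, which was resolved but never contacted. The Python below is an added example, not part of the report: it applies that reduction to the table. NETWORK_EXCERPT keeps a subset of the rows above (3 of the 30 host-host-file8.com connections) so the block stays short.

```python
"""Reduce a sandbox Network table to the rows worth pivoting on.

Example added for this page, not sandbox code. NETWORK_EXCERPT is a subset of
the rows in the report's Network table.
"""
import re
from collections import Counter

NETWORK_EXCERPT = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 123.140.161.243:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 185.196.8.238:80 | 185.196.8.238 | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
"""

ROW = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*(udp|tcp)\s*\|$")
# Traffic the Windows image generates on its own in this sandbox; not attributable to the sample.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def triage_network(table):
    """Split a Network table into real connections, names only resolved, and direct-IP peers."""
    resolved, connections = set(), Counter()
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        country, dest, domain, proto = m.groups()
        if domain.endswith(".in-addr.arpa"):
            continue  # the sandbox's reverse lookups of peers it already talked to
        if domain.endswith(BACKGROUND_SUFFIXES):
            continue
        if proto == "udp" and dest.endswith(":53"):
            resolved.add(domain)  # a name that was looked up; keep it for comparison
            continue
        connections[(domain, dest, country)] += 1
    connected = {domain for domain, _, _ in connections}
    return {
        "connections": connections,
        # looked up but never contacted: dead or rotated infrastructure, still an IOC
        "resolved_only": resolved - connected,
        # contacted by literal IP with no DNS at all: hard-coded peer in the binary
        "direct_ip": {dest for domain, dest, _ in connections if domain == dest.rsplit(":", 1)[0]},
    }


if __name__ == "__main__":
    result = triage_network(NETWORK_EXCERPT)
    for (domain, dest, cc), n in result["connections"].most_common():
        print(f"{n:3d}x {domain:22s} {dest:22s} {cc}")
    print("resolved only:", sorted(result["resolved_only"]))
    print("direct IP:", sorted(result["direct_ip"]))
```

The connection count per (domain, destination) pair is the useful number: a host contacted 30 times over HTTP during an 80 second network window is a beacon loop, not a download. The report does not show which host served the "Downloads MZ/PE file" hit, so the cdn.discordapp.com row is a lead to confirm from the pcap, not a conclusion.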
Files
memory/4444-1-0x0000000000AB0000-0x0000000000BB0000-memory.dmp
memory/4444-2-0x0000000002460000-0x0000000002469000-memory.dmp
memory/1916-4-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1916-3-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3412-5-0x0000000003140000-0x0000000003156000-memory.dmp
memory/1916-8-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\94ED.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\AB16.exe
| MD5 | 597507b354253ff613bbf18c31985438 |
| SHA1 | 0736a124c64ce6127912277c410186bac29a308d |
| SHA256 | e51a3064d0e0d267ac87301875c12545e2279ba282292dad110ada5806444e18 |
| SHA512 | d44830d95b2078e9f096cf68b2942a0a23cd30ec3b3356f09a9bb29081b77fe2325f943e088748db538be0ec41573d46b3d6451286b6db714324df8e32424a8a |
memory/1484-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2288-26-0x0000000002620000-0x000000000273B000-memory.dmp
memory/2288-25-0x0000000002430000-0x00000000024CA000-memory.dmp
memory/1484-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1484-27-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1484-28-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\11378549-d88e-45ab-b5e6-9d4716f58b69\AB16.exe
| MD5 | 3f5e0a8ea20c995f7c3100ba2a184196 |
| SHA1 | 1a89f579e08677f3f72102d556c77d49bb3d51d5 |
| SHA256 | 07bd1b82588438e8f050500cf49ddfe5f765ce0d7c4892036c2cc550db4ea20f |
| SHA512 | 1f1148b7b4744f314b87f33db32ff7e1786c6c8c0fc1800b47e6f47757778b6264c41a9022e26786d6301dc3ad2bf6c4c883277702e31a36ab86e351fde89bbb |
memory/1484-40-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AB16.exe
| MD5 | 6ec082f63cd8692cc247107dba00492c |
| SHA1 | 69dc04077ca6c57c4450fa243c03b790886b64b6 |
| SHA256 | 1f798dbd5a075d86cc02515ff5f797b47172ff291efe80b857671ac4eb233e02 |
| SHA512 | 8e7bacf303a69fb15ee42393c76751d3542476542af9cf0cfe0d7539a48e560627dfba2c3ce3462b7d20f0b6794e36c1b1910912f3c771356f7bc1d6205d774c |
memory/4560-44-0x00000000023A0000-0x0000000002439000-memory.dmp
memory/2332-46-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AB16.exe
| MD5 | 74959810eacebb25017021835fa503dc |
| SHA1 | 41b70b471a0a99c867b455617d74123414d7a995 |
| SHA256 | 04c2de45b62a0777a02982d4de73e28278ae299880afe517838e7af12359f711 |
| SHA512 | 4caaa443863a74a29ece6139315786d9c23f2994b0de93922722a62f683350c328e69fb278b13086023c17dd8396edbac256114b74f11197048aff73708d9f8a |
memory/2332-49-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2332-47-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B98E.exe
| MD5 | fdced44282e3b2601ba0b0e0eb3a8c43 |
| SHA1 | e0d6041213dabfbd533f1e257c94428ed9f02d0e |
| SHA256 | 54fc05d99c3dbcc41964af347b5e1c61d94a57ec7ac6d29771d0ee1fd9878ee4 |
| SHA512 | b6fd651e86ce66d4ca9bd571991ed6acee293f0923fd65409d5b8edfee8362517898d216ae1869841952f7302f8ead950174dc09cf01f651c26ed28483738150 |
memory/4360-56-0x00000288399B0000-0x0000028839B24000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B98E.exe
| MD5 | b26823c8af5fbcdc86f84fc2e267311b |
| SHA1 | fc4efc116024547a35e1374e1a168895cadb9430 |
| SHA256 | e7e850769c68b1bdd5cfc47e30eb09d5bab56d19fa59cc7075b023b05d7f13f1 |
| SHA512 | d73bc376875649231e5f9ad2b216e2f6a8fa0c06609146fa3843652b52ccb0dc502850ac4f76e771bad5fe7f761cc06c34d5ba304cca307c849618c81bfb4c7a |
memory/4360-57-0x0000028854110000-0x000002885423E000-memory.dmp
memory/4360-59-0x0000028854100000-0x0000028854110000-memory.dmp
memory/4360-58-0x00007FFC3F8C0000-0x00007FFC40381000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-15 01:48
Reported
2023-12-15 01:50
Platform
win7-20231130-en
Max time kernel
85s
Max time network
125s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| 14 hits, every field N/A | | | |
Detected google phishing page
Djvu Ransomware
Lumma Stealer
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eY1yp32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\14a22dc4-2cc9-460e-a60a-a0c3751db70f\\7550.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\7550.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\D6E2.exe | N/A |
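Both runs show the same persistence shape the report attributes to Djvu: the dropped binary copies itself into a GUID-named folder under %LOCALAPPDATA% (behavioral2 lists C:\Users\Admin\AppData\Local\11378549-d88e-45ab-b5e6-9d4716f58b69\AB16.exe under Files), registers HKCU\...\Run\SysHelper pointing at that copy with the --AutoStart switch, and in behavioral2 runs icacls to deny Everyone (S-1-1-0) delete and delete-child rights on the folder so a cleanup tool running as the user cannot remove it (behavioral1 lists icacls without its arguments). The two wextract_cleanup RunOnce values are different: rundll32 advpack.dll,DelNodeRunDLL32 of a Temp\IXP00x.TMP directory is what the Windows self-extractor (wextract, used by IExpress packages) registers to delete its extraction directory at next logon, so they are not persistence but do tell you that D6E2.exe and eY1yp32.exe were SFX packages whose contents ran from Temp. The Python below is an added example, not sandbox or malware code: it parses the "Set value (str)" rows from both tables plus the behavioral2 icacls command line and rates each one. The severity scale is the example's own.

```python
"""Triage autorun values and icacls self-protection from a sandbox report.

Example added for this page; not sandbox or malware code. SAMPLE_ROWS copies
the 'Set value (str)' rows of both runs' 'Adds Run key' tables and
SAMPLE_CMDLINES the icacls line from the behavioral2 process list.
"""
import re
from collections import Counter

SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\11378549-d88e-45ab-b5e6-9d4716f58b69\\AB16.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\AB16.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eY1yp32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\14a22dc4-2cc9-460e-a60a-a0c3751db70f\\7550.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\7550.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\D6E2.exe | N/A |
"""
SAMPLE_CMDLINES = [
    r'icacls "C:\Users\Admin\AppData\Local\11378549-d88e-45ab-b5e6-9d4716f58b69" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
]

GUID_DIR = re.compile(r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local|LocalLow|Roaming)\\|\\Temp\\|\\ProgramData\\", re.I)
ICACLS_DENY = re.compile(r'icacls\s+"([^"]+)"\s+/deny\s+\*?(S-[\d-]+):((?:\([^)]*\))+)', re.I)
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}


def unescape(s):
    """Undo the \\\\ and \\" escaping the report applies to registry string values."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def classify_run_value(key, cmd, proc):
    name = key.rsplit("\\", 1)[-1]
    hive = "HKLM" if key.startswith("\\REGISTRY\\MACHINE") else "HKCU"
    subkey = "RunOnce" if "\\RunOnce\\" in key else "Run"
    where = f"{hive} {subkey}\\{name}"
    low = cmd.lower()
    if low.startswith("rundll32.exe") and "advpack.dll,delnoderundll32" in low:
        target = re.search(r'"([^"]*)"', cmd)  # directory the SFX wants deleted
        return {"severity": "info", "kind": "wextract_cleanup", "where": where,
                "detail": f"SFX extraction dir {target.group(1) if target else '?'} removed at next logon; set by {proc}"}
    if GUID_DIR.search(cmd) and "--autostart" in low:
        return {"severity": "high", "kind": "djvu_syshelper_autostart", "where": where,
                "detail": f"{cmd} (GUID folder under %LOCALAPPDATA%, --AutoStart switch)"}
    if USER_WRITABLE.search(cmd):
        return {"severity": "medium", "kind": "user_writable_autorun", "where": where, "detail": cmd}
    return {"severity": "low", "kind": "autorun", "where": where, "detail": cmd}


def classify_icacls(cmdline):
    m = ICACLS_DENY.search(cmdline)
    if not m:
        return None
    path, sid, aces = m.groups()
    groups = re.findall(r"\(([^)]*)\)", aces)
    rights = {r for g in groups for r in g.split(",") if r not in ("OI", "CI", "IO", "NP")}
    who = WELL_KNOWN.get(sid, sid)
    blocks_delete = bool(rights & {"DE", "DC", "D", "M", "F"})  # DE/DC explicit, D/M/F imply delete
    kind = "deny_delete_self_protection" if who == "Everyone" and blocks_delete else "deny_ace"
    return {"severity": "high" if kind == "deny_delete_self_protection" else "medium", "kind": kind,
            "where": path,
            "detail": f"deny {who} {sorted(rights)}" + (" on GUID folder" if GUID_DIR.search(path + "\\") else "")}


def triage(rows, cmdlines):
    findings = []
    for line in rows.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] != "Set value (str)":
            continue
        key, sep, quoted = cells[1].partition(" = ")
        if not sep or not re.search(r"\\Run(Once)?\\[^\\]+$", key):
            continue
        if len(quoted) >= 2 and quoted[0] == quoted[-1] == '"':
            quoted = quoted[1:-1]  # outer quotes added by the report, not part of the value
        findings.append(classify_run_value(key, unescape(quoted), cells[2]))
    for cmdline in cmdlines:
        f = classify_icacls(cmdline)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    results = triage(SAMPLE_ROWS, SAMPLE_CMDLINES)
    for f in results:
        print(f"[{f['severity']:6s}] {f['kind']:28s} {f['where']}: {f['detail']}")
    print(Counter(f["kind"] for f in results))
```

On a live host the same checks map onto `Get-ItemProperty` of the Run/RunOnce keys and `icacls <folder>` output; the deny ACE is also the reason a plain `Remove-Item` on the GUID folder fails for the user, so remediation has to reset the ACL (or run as SYSTEM) before deleting it.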
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\47DD.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mh0er5.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mh0er5.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mh0er5.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E91EFC1-9AEC-11EE-88F1-D2343147A8FD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E8608E1-9AEC-11EE-88F1-D2343147A8FD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E8ACBA1-9AEC-11EE-88F1-D2343147A8FD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\7550.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\7550.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\7550.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\7550.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\7550.exe | N/A |
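A practitioner's check on this signature, added here as an example and not part of the report: the two key names above are the SHA-1 thumbprints of two well-known public roots (5FB7EE06... is DigiCert High Assurance EV Root CA, B1BC968B... is GlobalSign Root CA), which Windows' automatic root update writes into AuthRoot on demand when a process first builds a chain to them; that fits the CryptnetUrlCache files and the pki.goog and www.microsoft.com lookups elsewhere in this report better than a planted root. Because the Blob values are elided on this page, the code below verifies the format rather than the page's data: it parses the serialized-certificate record layout Windows uses for the Blob value (DWORD property id, DWORD reserved, DWORD length, data) and checks that the key name equals the SHA-1 of the embedded certificate. The sample blob is constructed inline with a placeholder instead of a real DER certificate; the function and constant names are mine.

```python
import hashlib
import struct

# Property IDs from wincrypt.h used inside a serialized certificate store element.
CERT_SHA1_HASH_PROP_ID = 0x03
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20


def parse_cert_blob(blob: bytes) -> dict:
    """Split a SystemCertificates ...\\Blob value into {prop_id: data}.

    The value is a sequence of records, each: DWORD prop_id, DWORD reserved (1),
    DWORD cb, then cb bytes of data. The DER certificate is the CERT_CERT_PROP_ID record.
    """
    props = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, cb = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved:#x} at offset {off - 8}")
        if off + cb > len(blob):
            raise ValueError(f"record {prop_id:#x} runs past the end of the blob")
        props[prop_id] = blob[off:off + cb]
        off += cb
    return props


def check_authroot_entry(key_name: str, blob: bytes) -> dict:
    """Confirm the registry key name (thumbprint) is the SHA-1 of the certificate in the blob."""
    props = parse_cert_blob(blob)
    cert = props.get(CERT_CERT_PROP_ID)
    if cert is None:
        return {"ok": False, "reason": "no certificate record in blob"}
    computed = hashlib.sha1(cert).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    stored_hex = stored.hex().upper() if stored else None
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le", "replace").rstrip("\x00")
    ok = computed == key_name.upper() and (stored_hex is None or stored_hex == computed)
    return {"ok": ok, "thumbprint": computed, "stored_hash": stored_hex,
            "friendly_name": name, "cert_len": len(cert)}


def build_blob(records) -> bytes:
    """Serialize (prop_id, data) pairs in the same record format; used only to construct test input."""
    out = bytearray()
    for prop_id, data in records:
        out += struct.pack("<III", prop_id, 1, len(data)) + data
    return bytes(out)


# Constructed sample: the certificate bytes are a placeholder, not a real DER certificate.
# Only the record framing and the thumbprint relationship are exercised here.
SAMPLE_CERT = b"\x30\x82\x03\x00" + b"\x00" * 60
SAMPLE_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "Example Root\x00".encode("utf-16-le")),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(SAMPLE_CERT).digest()),
    (CERT_CERT_PROP_ID, SAMPLE_CERT),
])
SAMPLE_KEY_NAME = hashlib.sha1(SAMPLE_CERT).hexdigest().upper()


def read_authroot_live():
    """On Windows, yield (key name, check result) for every AuthRoot entry; yields nothing elsewhere."""
    try:
        import winreg
    except ImportError:
        return
    path = r"SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            with winreg.OpenKey(root, name) as k:
                blob, _ = winreg.QueryValueEx(k, "Blob")
            yield name, check_authroot_entry(name, blob)


if __name__ == "__main__":
    print(check_authroot_entry(SAMPLE_KEY_NAME, SAMPLE_BLOB))
    for name, result in read_authroot_live():
        if not result["ok"]:
            print("MISMATCH", name, result)
```

On a live host, an entry whose key name does not equal the SHA-1 of its own certificate record is worth a closer look; for the two thumbprints in this table, compare the computed value against the published fingerprints of the roots named above before treating the signature as evidence of tampering.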
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mh0er5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
"C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe"
C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
"C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5A31.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\7550.exe
C:\Users\Admin\AppData\Local\Temp\7550.exe
C:\Users\Admin\AppData\Local\Temp\7550.exe
C:\Users\Admin\AppData\Local\Temp\7550.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\14a22dc4-2cc9-460e-a60a-a0c3751db70f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\7550.exe
"C:\Users\Admin\AppData\Local\Temp\7550.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\7550.exe
"C:\Users\Admin\AppData\Local\Temp\7550.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\85B5.exe
C:\Users\Admin\AppData\Local\Temp\85B5.exe
C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
"C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe"
C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
"C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe"
C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build3.exe
"C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build3.exe"
C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build3.exe
"C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1448
C:\Windows\system32\taskeng.exe
taskeng.exe {97F87DDE-4589-4ECD-8AA4-8AA105F3E7B3} S-1-5-21-2185821622-4133679102-1697169727-1000:QHCIVBOB\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\D6E2.exe
C:\Users\Admin\AppData\Local\Temp\D6E2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eY1yp32.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eY1yp32.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://facebook.com/login
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2108 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mh0er5.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mh0er5.exe
C:\Users\Admin\AppData\Local\Temp\47DD.exe
C:\Users\Admin\AppData\Local\Temp\47DD.exe
C:\Users\Admin\AppData\Local\Temp\4B38.exe
C:\Users\Admin\AppData\Local\Temp\4B38.exe
C:\Users\Admin\AppData\Local\Temp\4DB9.exe
C:\Users\Admin\AppData\Local\Temp\4DB9.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 216
C:\Users\Admin\AppData\Local\Temp\52F7.exe
C:\Users\Admin\AppData\Local\Temp\52F7.exe
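The process list above contains the command lines a detection engineer would want to alert on: the icacls call that denies Everyone delete rights on the GUID-named directory under AppData\Local (the "Modifies file permissions" signature), the 7550.exe re-launch with --Admin IsNotAutoStart IsNotTask, the one-minute "Azure-Update-Task" pointing at a user-writable Roaming path, the two OfficeTrackerNMP131 tasks created with /rl HIGHEST, and the reg add from the Temp batch file. The following is an added example, not part of the report: command-line rules that fire on exactly those patterns, run over the command lines copied from this page. The rule names, the grouping into rules and the choice of patterns are mine; in practice the input would be Sysmon Event ID 1 or EDR process-creation events rather than a list.

```python
import re

# Command lines copied from the Processes section of this report; sample input for the rules below.
SAMPLE_CMDLINES = [
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\5A31.bat" "',
    r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
    r'icacls "C:\Users\Admin\AppData\Local\14a22dc4-2cc9-460e-a60a-a0c3751db70f" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'"C:\Users\Admin\AppData\Local\Temp\7550.exe" --Admin IsNotAutoStart IsNotTask',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    r'"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/',
]

# Each rule is (name, patterns); every pattern must match (case-insensitive) for the rule to fire.
RULES = [
    # Everyone denied delete/delete-child on a GUID-named AppData\Local directory: the
    # self-protection step that keeps the dropped copy from being removed.
    ("icacls_deny_everyone_delete", [
        r"\bicacls(?:\.exe)?\b",
        r"/deny\s+\*S-1-1-0:\(OI\)\(CI\)\([^)]*\bDE\b[^)]*\)",
        r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b",
    ]),
    # The re-launch switches seen on the Djvu sample in this report.
    ("djvu_relaunch_args", [
        r"--Admin\s+IsNotAutoStart\s+IsNotTask\b",
    ]),
    # A task that runs every minute and whose action lives under a user profile.
    ("schtasks_minute_task_user_profile", [
        r"/create\b",
        r"/sc\s+minute\b",
        r"/mo\s+1\b",
        r'/tr\s+"?C:\\Users\\',
    ]),
    # A task created with the highest run level whose action lives under ProgramData.
    ("schtasks_highest_programdata", [
        r"\bschtasks(?:\.exe)?\b",
        r"/create\b",
        r"/rl\s+HIGHEST\b",
        r'/tr\s+"?C:\\ProgramData\\',
    ]),
    # Low signal on its own; useful when the parent is a batch file under Temp, as here.
    ("reg_add_hkcu_dword", [
        r"\breg(?:\.exe)?\s+add\b",
        r"HKEY_CURRENT_USER\\Software\\",
        r"/t\s+REG_DWORD\b",
    ]),
]


def match_rules(cmdline: str) -> list:
    """Return the names of all rules whose patterns all match the command line."""
    return [name for name, patterns in RULES
            if all(re.search(p, cmdline, re.IGNORECASE) for p in patterns)]


def triage(cmdlines) -> dict:
    """Map rule name -> the command lines that fired it."""
    hits = {}
    for cmdline in cmdlines:
        for name in match_rules(cmdline):
            hits.setdefault(name, []).append(cmdline)
    return hits


if __name__ == "__main__":
    for name, lines in triage(SAMPLE_CMDLINES).items():
        print(name)
        for line in lines:
            print("   ", line)
```

The benign iexplore.exe launch and the bare cmd /c line fire nothing, which is the point of requiring every pattern in a rule rather than any one of them.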
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 211.119.84.112:80 | brusuax.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| KR | 211.119.84.112:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| BR | 179.153.102.52:80 | zexeq.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 185.196.8.238:80 | 185.196.8.238 | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 109.107.182.45:80 | 109.107.182.45 | tcp |
| BR | 179.153.102.52:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| DE | 5.75.211.54:1993 | 5.75.211.54 | tcp |
| DE | 5.75.211.54:1993 | 5.75.211.54 | tcp |
| DE | 5.75.211.54:1993 | | tcp |
| DE | 5.75.211.54:1993 | 5.75.211.54 | tcp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| IE | 163.70.147.35:443 | facebook.com | tcp |
| IE | 163.70.147.35:443 | facebook.com | tcp |
| BE | 74.125.71.84:443 | accounts.google.com | tcp |
| BE | 74.125.71.84:443 | accounts.google.com | tcp |
| GB | 142.250.187.238:443 | www.youtube.com | tcp |
| GB | 142.250.187.238:443 | www.youtube.com | tcp |
| BG | 91.92.249.253:50500 | | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| GB | 142.250.187.238:443 | www.youtube.com | tcp |
| GB | 142.250.187.238:443 | www.youtube.com | tcp |
| GB | 142.250.187.238:443 | www.youtube.com | tcp |
| GB | 142.250.187.238:443 | www.youtube.com | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| IE | 163.70.147.35:443 | fbcdn.net | tcp |
| IE | 163.70.147.35:443 | fbcdn.net | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| IE | 163.70.147.35:443 | fbsbx.com | tcp |
| IE | 163.70.147.35:443 | fbsbx.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.200.4:443 | www.google.com | tcp |
| GB | 142.250.200.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.18.145.235:80 | www.maxmind.com | tcp |
| GB | 142.250.200.46:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| FR | 216.58.204.78:443 | play.google.com | tcp |
| US | 92.123.128.181:80 | www.bing.com | tcp |
| US | 92.123.128.181:80 | www.bing.com | tcp |
| US | 92.123.128.181:80 | www.bing.com | tcp |
| US | 92.123.128.181:80 | www.bing.com | tcp |
| US | 92.123.128.181:80 | www.bing.com | tcp |
| US | 92.123.128.181:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 142.250.200.46:443 | | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | soupinterestoe.fun | udp |
| US | 172.67.221.65:80 | soupinterestoe.fun | tcp |
| US | 8.8.8.8:53 | dayfarrichjwclik.fun | udp |
| US | 172.67.174.181:80 | dayfarrichjwclik.fun | tcp |
| US | 8.8.8.8:53 | neighborhoodfeelsa.fun | udp |
| US | 104.21.87.137:80 | neighborhoodfeelsa.fun | tcp |
| US | 8.8.8.8:53 | diagramfiremonkeyowwa.fun | udp |
| US | 104.21.18.224:80 | diagramfiremonkeyowwa.fun | tcp |
| US | 8.8.8.8:53 | ratefacilityframw.fun | udp |
| US | 172.67.161.55:80 | ratefacilityframw.fun | tcp |
| RU | 178.236.247.164:80 | | tcp |
| US | 8.8.8.8:53 | reviveincapablewew.pw | udp |
| US | 8.8.8.8:53 | cakecoldsplurgrewe.pw | udp |
| MD | 176.123.7.190:32927 | | tcp |
| US | 8.8.8.8:53 | opposesicknessopw.pw | udp |
| US | 8.8.8.8:53 | politefrightenpowoa.pw | udp |
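The table above mixes the sample's own traffic with the browser traffic from the three iexplore.exe launches, so the connections worth pulling out are the ones on non-standard ports (1993, 50500, 32927), the ones made straight to an IP with no preceding DNS query, and the external IP-lookup services (api.2ip.ua, ipinfo.io, db-ip.com, www.maxmind.com) behind the "Looks up external IP address via web service" signature. The following is an added example and not part of the report: a parser for rows in this table's layout, fed a representative subset copied from the page, and a summary that separates those three classes. The parser also accepts rows where the protocol has slipped into the Domain column, a form extracted copies of these tables sometimes contain. The function names and the set of services treated as IP-lookup endpoints are mine.

```python
from collections import defaultdict

# Rows copied from the Network table of this report (a representative subset). Two rows are
# kept in the shifted form, with the protocol in the Domain column, to exercise the fix-up.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 185.196.8.238:80 | 185.196.8.238 | tcp |
| DE | 5.75.211.54:1993 | 5.75.211.54 | tcp |
| DE | 5.75.211.54:1993 | tcp | |
| BG | 91.92.249.253:50500 | tcp | |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 104.18.145.235:80 | www.maxmind.com | tcp |
| MD | 176.123.7.190:32927 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
"""

# Services that only return the caller's public IP / geolocation.
IP_LOOKUP_SERVICES = {"api.2ip.ua", "ipinfo.io", "db-ip.com", "www.maxmind.com"}
STANDARD_PORTS = {53, 80, 443}


def parse_rows(table: str) -> list:
    """Parse '| Country | ip:port | Domain | Proto |' rows into dicts, repairing shifted rows."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        # Shifted row: the Domain cell was empty and the protocol moved one column left.
        if domain in ("tcp", "udp") and proto == "":
            domain, proto = "", domain
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows: list) -> dict:
    """Group endpoints by the property that makes them interesting."""
    findings = defaultdict(set)
    for r in rows:
        endpoint = f"{r['ip']}:{r['port']}"
        if r["proto"] == "udp" and r["port"] == 53:
            findings["dns_queried"].add(r["domain"])
            continue
        if r["port"] not in STANDARD_PORTS:
            findings["nonstandard_port"].add(endpoint)
        if r["domain"] in ("", r["ip"]):
            findings["direct_to_ip"].add(endpoint)
        if r["domain"] in IP_LOOKUP_SERVICES:
            findings["ip_geolocation_lookup"].add(r["domain"])
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, items in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(kind, items)
```

Endpoints that land in both nonstandard_port and direct_to_ip (here 5.75.211.54:1993, 91.92.249.253:50500 and 176.123.7.190:32927) are the first candidates for blocking and for a retrospective search in proxy and firewall logs; the IP-lookup services are noisy on their own and matter mainly as corroboration of the stealer behaviour listed in the summary.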
Files
memory/2932-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2932-3-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2932-6-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2872-5-0x0000000000220000-0x0000000000229000-memory.dmp
memory/2872-4-0x00000000009A2000-0x00000000009B8000-memory.dmp
memory/1372-7-0x0000000002AD0000-0x0000000002AE6000-memory.dmp
memory/2932-8-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5A31.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\7550.exe
| MD5 | 597507b354253ff613bbf18c31985438 |
| SHA1 | 0736a124c64ce6127912277c410186bac29a308d |
| SHA256 | e51a3064d0e0d267ac87301875c12545e2279ba282292dad110ada5806444e18 |
| SHA512 | d44830d95b2078e9f096cf68b2942a0a23cd30ec3b3356f09a9bb29081b77fe2325f943e088748db538be0ec41573d46b3d6451286b6db714324df8e32424a8a |
memory/2824-30-0x0000000000280000-0x0000000000312000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7550.exe
| MD5 | f2c4adace3088abebbbc93692dcddb9d |
| SHA1 | 0453b93ca9114bef48139d6ddf42d533a3f390f2 |
| SHA256 | b2c1be16d09428c8cf3135f937957065d6345efd84eaacef98ca192b285aee07 |
| SHA512 | 63570fc2dce309f95cf5d6d93514e288af28d4da999e19bd525c2b389778b8928c49b2e06bbadafb72089c4bf1ded4b65342c0e79470fc3711ff0920caff8e64 |
memory/2824-31-0x0000000000280000-0x0000000000312000-memory.dmp
memory/2824-35-0x0000000002220000-0x000000000233B000-memory.dmp
\Users\Admin\AppData\Local\Temp\7550.exe
| MD5 | 9e1c30e85113313c3c5f227b5d9bde5d |
| SHA1 | 9872d9bc104bee8843e613e96b2de274e5c9f994 |
| SHA256 | 742b3944a2946623653fab6a8f74a21af83068207dafc7dff5ea03bed869156a |
| SHA512 | b74541cc92cd92a3f6ed983ec41c7f54fae630b00e86425dcde2ccf2d47b3b58318db89a8707f4e94f3b87c3de2fc73d3f6395ccf8bcf92bab6d49628b7828de |
C:\Users\Admin\AppData\Local\Temp\7550.exe
| MD5 | 8ec0266edf36428c5bb864776f2488e7 |
| SHA1 | 32b4515f85df239d4df540426e06aa74e91fecd1 |
| SHA256 | 9ff212e6796dc01031299095edce4d5c844ef7024ff04c1c278c91735f75ba67 |
| SHA512 | cb2b2348d3967105484030200a8c73fd58f18eea277c18453ddfaead4aad24d0c1bad2169efd559435ac9e8f107959fb9c345b41a6901cb76db00d10cc0a3074 |
memory/2556-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2556-40-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2556-41-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\14a22dc4-2cc9-460e-a60a-a0c3751db70f\7550.exe
| MD5 | 5dbf4da9fac614a1124b94201ab05e72 |
| SHA1 | 9b6b1024600d0a7c293948c464878a7095c1efc1 |
| SHA256 | 1bc06073ca61d270bae4610ef87884cc56f0b221e7a8dc7400ab0aea419b37fe |
| SHA512 | a06bfd8ace46d99099df9d3df1fcd4f67090c2e9c5279052f04730a51498d6655025847c46366ebbf4a707a9bbad21170e16675fe98564ae6febab563d0c4bf7 |
\Users\Admin\AppData\Local\Temp\7550.exe
| MD5 | 51f274f3d5adb038858b4462a53be5f8 |
| SHA1 | d11bc1867042dcfead69ede3321f9286ade6d2d2 |
| SHA256 | 8b30c1175135f81973dc79008ffdc88bbcb29edfadc95bacc4357d3003cd581d |
| SHA512 | a5e7b88fd921f244cbece9d99803f2e2927590a496e2dff51605e9b116c674d665b5d1947f468265649cdfbf21fdddc3e20dadfe4f3b0231d21c588f6763787f |
\Users\Admin\AppData\Local\Temp\7550.exe
| MD5 | b598a31d5c552a3e756ffd26c93e8c52 |
| SHA1 | 9a1b23bddf8ab4262c2345cb7aa737bf6fccaca9 |
| SHA256 | cdfdbbbce4734698eef67ea4f91a14af0f29ee35c88d5311c1310c9ea8695ec1 |
| SHA512 | 32def60b865fd286dd13c6dc9528cdb4fc3da8e5a3f51b5cd85213fe38bc2a6397ce7fbaf4d2c5802bdd5f25831eb686c3564a713581aede5bf372ccdf5c74c8 |
memory/2556-80-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2008-82-0x00000000020E0000-0x0000000002172000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7550.exe
| MD5 | b47cb6279c90383dc3023d1debcac272 |
| SHA1 | a54b28d243d5383b9333961fd43cc7093e6a1e81 |
| SHA256 | d6949c74ecf46bd8ec3aeff28c472cba5af01cbb5f71d86864775e9436a500fc |
| SHA512 | f2ba4d84f92ef661533a865e9276134e680c3a820d02174d175cc51637a9f5492eeb427e1628b022d16782e2867aed43573121b9976356b5150c049b97faaffd |
\Users\Admin\AppData\Local\Temp\7550.exe
| MD5 | 166112bfd22d1bb62a1524356ee1a4ff |
| SHA1 | 18e50db3d212af01887d50867c4fa46f0da37bbd |
| SHA256 | 326a6e99e3a8a45d1a20a8bf7892a7f131ddd66acc513196fbff3a3d066b8ad1 |
| SHA512 | 6ce6d109dc6f07f8f9ef083fb46e26db00ce149858061cb426d83b33ededdc0f8d209f92bd3c94d964264739952b59e44e5da2d7f390bc86010ad8cd3fd508dc |
C:\Users\Admin\AppData\Local\Temp\7550.exe
| MD5 | 0f88ac38bc246f35853f9e28f3110679 |
| SHA1 | 73f182ff7b04d2f007bac8c9a7eda4fb8650b180 |
| SHA256 | c428fe04958413976cd71b368da1fde2a75f17996febef29ae3f1dc5832c6257 |
| SHA512 | 1bc2d6759b38b43712034fcc8e41c912b98bb1ff8c9bdd8664897b40295220c8630d121372b296f76c16b8d5b4cc650f5f109650e7c5926b6ab33328e5d4137f |