Analysis Overview
SHA256
fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a
Threat Level: Known bad
The file fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a was found to be: Known bad.
Malicious Activity Summary
Amadey
Stealc
SmokeLoader
RisePro
Djvu Ransomware
Detected Djvu ransomware
Detect ZGRat V1
Detect Vidar Stealer
Detect Poverty Stealer Payload
Vidar
Poverty Stealer
Lumma Stealer
ZGRat
Downloads MZ/PE file
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
.NET Reactor protector
Executes dropped EXE
Reads data files stored by FTP clients
Modifies file permissions
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Program crash
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Modifies system certificate store
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-28 22:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-28 22:28
Reported
2024-01-28 22:34
Platform
win7-20231215-en
Max time kernel
300s
Max time network
184s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Poverty Stealer
RisePro
SmokeLoader
Vidar
ZGRat
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f6a6cfcd-d541-4121-8e6f-6cd93ceb39b0\\AC57.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\AC57.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\3007.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\92BE.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\92BE.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fwactwr | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\92BE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fwactwr | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\fwactwr | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = ... | C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = ... | C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92BE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fwactwr | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3B20.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\371A.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe
"C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe"
C:\Users\Admin\AppData\Local\Temp\92BE.exe
C:\Users\Admin\AppData\Local\Temp\92BE.exe
C:\Users\Admin\AppData\Local\Temp\AC57.exe
C:\Users\Admin\AppData\Local\Temp\AC57.exe
C:\Users\Admin\AppData\Local\Temp\AC57.exe
C:\Users\Admin\AppData\Local\Temp\AC57.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f6a6cfcd-d541-4121-8e6f-6cd93ceb39b0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\AC57.exe
"C:\Users\Admin\AppData\Local\Temp\AC57.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\AC57.exe
"C:\Users\Admin\AppData\Local\Temp\AC57.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
"C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe"
C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
"C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe"
C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
"C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
"C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1460
C:\Users\Admin\AppData\Local\Temp\16DB.exe
C:\Users\Admin\AppData\Local\Temp\16DB.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {B07011EE-33EE-45EA-8E51-7EF707BA6710} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\fwactwr
C:\Users\Admin\AppData\Roaming\fwactwr
C:\Users\Admin\AppData\Local\Temp\3007.exe
C:\Users\Admin\AppData\Local\Temp\3007.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 96
C:\Users\Admin\AppData\Local\Temp\371A.exe
C:\Users\Admin\AppData\Local\Temp\371A.exe
C:\Users\Admin\AppData\Local\Temp\3B20.exe
C:\Users\Admin\AppData\Local\Temp\3B20.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 156
C:\Users\Admin\AppData\Local\Temp\3B20.exe
C:\Users\Admin\AppData\Local\Temp\3B20.exe
C:\Users\Admin\AppData\Local\Temp\3B20.exe
C:\Users\Admin\AppData\Local\Temp\3B20.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 158.160.118.17:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| RU | 158.160.118.17:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 211.119.84.112:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| DE | 146.0.41.68:80 | | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| KR | 211.119.84.112:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| MX | 187.204.100.230:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | novoscanais.com | udp |
| PT | 194.38.133.167:443 | novoscanais.com | tcp |
| PT | 194.38.133.167:443 | novoscanais.com | tcp |
| NL | 45.15.156.13:443 | | tcp |
| NL | 45.15.156.13:443 | | tcp |
| US | 8.8.8.8:53 | snnclermontprojects.com | udp |
| AU | 176.97.69.235:443 | snnclermontprojects.com | tcp |
| MX | 187.204.100.230:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 65.109.243.18:443 | 65.109.243.18 | tcp |
| FI | 65.109.243.18:443 | 65.109.243.18 | tcp |
| FI | 65.109.243.18:443 | 65.109.243.18 | tcp |
| FI | 65.109.243.18:443 | 65.109.243.18 | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | olivehr.co.za | udp |
| ZA | 41.185.8.154:80 | olivehr.co.za | tcp |
| FI | 109.107.182.40:80 | | tcp |
| IT | 185.196.10.146:80 | 185.196.10.146 | tcp |
| DE | 146.70.169.164:2227 | | tcp |
| US | 8.8.8.8:53 | | udp |
| SE | 192.229.221.95:80 | | tcp |
Files
memory/2204-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2204-1-0x0000000002CA0000-0x0000000002DA0000-memory.dmp
memory/2204-3-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/1256-4-0x0000000002A60000-0x0000000002A76000-memory.dmp
memory/2204-5-0x0000000000400000-0x0000000002B0B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\92BE.exe
| MD5 | 01fb175d82c6078ebfe27f5de4d8d2aa |
| SHA1 | ff655d5908a109af47a62670ff45008cc9e430c4 |
| SHA256 | a07112e236e0136b43294b31a43fb4456072941a135853e761680d04315841c3 |
| SHA512 | c388d632c5274aa47d605f3c49a6754d4ad581eb375c54ce82424cffa2ad86410a2ad646867a571dcf153e494b4e7ca7a7cf6952b99ddcf5940a443f7039f2fe |
memory/2724-18-0x0000000002F50000-0x0000000003050000-memory.dmp
memory/2724-19-0x0000000000400000-0x0000000002B04000-memory.dmp
memory/1256-20-0x00000000039E0000-0x00000000039F6000-memory.dmp
memory/2724-21-0x0000000000400000-0x0000000002B04000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AC57.exe
| MD5 | 9942dcc604e22fcca1c46a5311207dba |
| SHA1 | 41629919ab65620e9f5be01ebdbb8fc6a1cbd49e |
| SHA256 | a86aaa108c68378621ee1c3152aa5db3aaef3564600ca822df76f29bab86a0f7 |
| SHA512 | 5c17fb6765c21cd68ed6410776c1a37f3330bda07f36e6d3800042fef1da2cb21085f8b81667cd495b948c9535e26464cd53ea37cdd5ec5fec90be6491dd5436 |
memory/2980-30-0x0000000000220000-0x00000000002B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AC57.exe
| MD5 | a672e66a90d5fe402e6b9937e621c866 |
| SHA1 | 6ff0e94017cdf4a704f4241f2debd4d7a6cfa3a4 |
| SHA256 | 1f8b0c2f91a771a970100cae325f1a1f7b9838aa35ae8ce5c0e1d392262234f2 |
| SHA512 | d129e8592983d4b415fb274689bc180e924694b066668409e60f92501598f9a6ed3cf77f7a7e3e5f63580329a75f42d12c100ad27af6b951b05334e91e7b0449 |
memory/2980-32-0x0000000002B90000-0x0000000002CAB000-memory.dmp
memory/2980-40-0x0000000000220000-0x00000000002B1000-memory.dmp
memory/1656-41-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1656-42-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AC57.exe
| MD5 | e32d75a077a95007baa8c672a87513c3 |
| SHA1 | ac5acf50135941d3f34c68ec54bdb423f2866c44 |
| SHA256 | b720b40c7bcf81ef97932c9edecdc8c0958eeaba8886b4e5e4e5236064cb19b4 |
| SHA512 | bc7e602563d26d62b96e4be778759b560b8add3d3489ed082642e28d982f206acd891a785f60b522ddafc859d35ddaa04333ca19a09ec7dc7f736cc2df41e231 |
memory/1656-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1656-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AC57.exe
| MD5 | 9e91d0b912def3c4e5b310e3fd2fa93a |
| SHA1 | ef6f9e5189a11c326ccedc47a1231ef2d8bf9b99 |
| SHA256 | 2041fbdd873f903934cf109be7aedffe9217147c41c1dbc35dc129a48b765f9e |
| SHA512 | b9246eb516bf0e0eecd1416533b5e362a96e6a6c9b11bf64a32cb01b6abec9c4c441c65d92bec91f031fbde7b6dcb6d10acde23de6173b96c7add77fc9a977e9 |
\Users\Admin\AppData\Local\Temp\AC57.exe
| MD5 | dd9c88d433ee4299f73e62b57709ed09 |
| SHA1 | b8a9613ec41d87f0730f5fae26d76f9bd8370197 |
| SHA256 | 73b4b5b330bbc7e92f7131fb62633d6a6c909e699aa713b3e6037e8cb338bbab |
| SHA512 | f65ec97225d54bf84b439dddb6aa6172649b56298bb39a1a7e0aa5e519e2a8c8b56856516fb56fe1ccfdf59da614ace581fa187a53212d5cef048349fb6b1569 |
memory/2980-31-0x0000000000220000-0x00000000002B1000-memory.dmp
C:\Users\Admin\AppData\Local\f6a6cfcd-d541-4121-8e6f-6cd93ceb39b0\AC57.exe
| MD5 | 3ba7e01d7871c1578135181c87c8fc06 |
| SHA1 | 7460b6607835ada9178efe1d8614c782286425ae |
| SHA256 | e56b321fc656d6542e5b27da933577c15f96c318ad0011d3d74f19a75877b868 |
| SHA512 | 670ebdace55b460dc3fec0cd849a5a7f3989043f728a67e33f5be63beb223ec335e1bfacfb2714cd9c41d947bef40112032b53a9d760c0fedfdf093e1175db4c |
\Users\Admin\AppData\Local\Temp\AC57.exe
| MD5 | f36a4015f6da789fac1af7d9a521e1ea |
| SHA1 | fc008e528c3d72a7703260923fccfdbe7acf301c |
| SHA256 | 4a629b3276a97466bc4a77de8a3a9cd7e10e6da6f8903678bb21833524be01c9 |
| SHA512 | a2ae7ee0f5815246ef16906339788147e54280e089556e5b565364194334a40e021555843f10628bf8e012a28966faa25f7f0e3a67ec232a30b4314d62ca1bc2 |
\Users\Admin\AppData\Local\Temp\AC57.exe
| MD5 | 53a3ab70d3e2802b938d66218c51dba7 |
| SHA1 | bab7f6122c0df9e4c1b245ebca769f7517e03819 |
| SHA256 | e33cc28ab230378080b3598b1892d77e632d964f96bdfa0d095a56be6c39897e |
| SHA512 | 82cdfaa5bf06948a5dff4575856a338ef3850cf6ee88ea151314ddf3b22c383039494852aca439a5360fdd0999160bc46a940b46d455672cc99d39778ba91a88 |
memory/1656-63-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1920-65-0x0000000000220000-0x00000000002B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AC57.exe
| MD5 | 99cc42fc53518090a19ffcd675f277b4 |
| SHA1 | 6803df024b2353f32c9d8c63da8e3275d569d129 |
| SHA256 | 2a92245747b7354e7da5b39caf552e111d2a6caf4a035d81da91aae5eb36a47e |
| SHA512 | ece58b011b649e400a356ef2cc208d25c19e7604bbdb884529bf5f39fdd58a39862d0cb66015d080711f14c44ac20910bebf1819002f314d11df417bbbed359d |
\Users\Admin\AppData\Local\Temp\AC57.exe
| MD5 | 892e5b6ce94cb4d6830c081dcbdb6ea1 |
| SHA1 | a897c411d3066e12f88b85056942d09a28d015c7 |
| SHA256 | 4dc5fb979f34a048cfa09da89c49e8a54ff3097807c274962b7e6a070731cdf1 |
| SHA512 | ab5096b4932c23d2a7ff167c248bb5f13021e125c15ecfe626554c6c710fca9041a9682c7f9c624b9f9c0bc86e4fb1075d27930dfc4ea431e63095630693abbe |
C:\Users\Admin\AppData\Local\Temp\AC57.exe
| MD5 | b41150e5b4d5a450cadabfa67b02d0a2 |
| SHA1 | 28d69f8aca2daeb799685487a8262cb0c6666eb6 |
| SHA256 | c971824dae57a547a10e35fa141228730befedf27dadfe160171acff85b6727c |
| SHA512 | cd39c550182c19884b7c934e08566ddf04648d7d8481ebd71df62e4bc878601257cfc4b01e80a0d2514f709b0569c1ea358f35d5fecd281ec1e930454acf2967 |
memory/560-73-0x0000000000400000-0x0000000000537000-memory.dmp
memory/560-74-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1920-68-0x0000000000220000-0x00000000002B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabB673.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 44e370d6dd35a2ca9d54aee3cc7e353f |
| SHA1 | 858efa31f097690117106aee67a8af27252f2091 |
| SHA256 | 1213e3ee84910409a14a460646ab4f8ee16245f1dcef511607bf2ba26b4c9979 |
| SHA512 | a944f931b48a6f4c9e238abd23282b69edd82aa66126fe59d510815c779142bde4f9b955c333c59ae8eb890a52dcb10e1c0265d90e68bad4b3cd480033a5569f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | a085b8d3a143cbb54317e4257cc3bf8e |
| SHA1 | 70f06591ee02c0d73cdfb27e20ab1ad29a7194cc |
| SHA256 | 1ef8d84afb6194218f65191e109c1eee101da8694109caab311da8eda1871471 |
| SHA512 | 1d8509fbb1f3f54b4d4c3693a502ac9110819db2b71617adddff9be731ad59e567b9768bb354abc5efa854efc2e4d6dd3252288c36096d8dea64ade10a41775d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 28baf5fd68df59a9964b94cb39ffee77 |
| SHA1 | b3fddc328582ee68eeb23616393db9abb9e27380 |
| SHA256 | c5dff2b8854fb9ed981ebdb1d6b621cf681bd1ac18ac44b14c138cd05352365b |
| SHA512 | 1487962f4c57144dac2278d6a0f04da56f6ba4f03c5467f9df1cc04896fe4fb8bb7286027ae274a95e46e6c0baad836384fe4ee969824efe295d4da2200ebcb7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 375f4e1f28d60738dbb55294d4dc87f3 |
| SHA1 | 589f99ec9ad5c47f762039d6c9e6c6004ebb5312 |
| SHA256 | 5adab77cf434959cb1f58caa4af35aa57c77d3e994091164983742fb519d2649 |
| SHA512 | 06996ab03ab4d3320d77974077cd2a6f7b492a4d487b680cf563ebfed08cc32d6b99c4027f06e660cc006a51e1d9ede4d7522adc2da8d3b4713b4ca9780d8287 |
memory/560-88-0x0000000000400000-0x0000000000537000-memory.dmp
memory/560-87-0x0000000000400000-0x0000000000537000-memory.dmp
memory/560-92-0x0000000000400000-0x0000000000537000-memory.dmp
memory/560-94-0x0000000000400000-0x0000000000537000-memory.dmp
memory/560-95-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
| MD5 | 044ebce26563d94a76933620d1e46d5e |
| SHA1 | 8c61d993fc3daeadc3ae2e1a7cca5d85f71eb2fd |
| SHA256 | cd921a90c0407cc97311e400997d9261e6aaed578ea3d73e752494a175e3570d |
| SHA512 | c2929c94c87cc80df7f26021d2440759c76edb58c3ffd65a790d0e3dd007e54ddc518355540086b088e770fa445f9f783b868386783d9beae30800f59fb75e7e |
C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
| MD5 | 9b00df1cca53e81d90dfc2548f8d9114 |
| SHA1 | a783bde9346c8ece56aa6fec12348fea40fdf6ec |
| SHA256 | 1ae4509fb8949fab80d4cc0fefec087af17e7c5654f2a66ac04f7372edaec5fe |
| SHA512 | 406e14898fadc9aa63021d15c1e23cc812f472c6dd1fb59a29de2c4660b573e26ba13b892b2d3755e29d6fe5fe30a4d1c0550e0aca9d0bf5ae936e59d3141ffc |
memory/1692-111-0x0000000000400000-0x000000000063F000-memory.dmp
memory/1692-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/852-113-0x0000000000540000-0x0000000000640000-memory.dmp
memory/852-115-0x0000000000230000-0x000000000025C000-memory.dmp
memory/1692-116-0x0000000000400000-0x000000000063F000-memory.dmp
memory/1692-117-0x0000000000400000-0x000000000063F000-memory.dmp
C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
| MD5 | 1c260741a4c8c0a31f92d879f0ecf8f7 |
| SHA1 | 61f5b8cd90865a7e7b0cfbc9d83aea316bf4af8d |
| SHA256 | 18de2554bb72d55d6bfd27cfa395e0b021790fdb3427a21e4e2de4541a31e540 |
| SHA512 | 6a1726003f1f5cc7a76d94b5d9c8804490e2b122343241a5b94e2c4d581cc6d79a1d2aa4cf053114a2b8c7a4966477a11e1cdb7e66b4d537888698401f643a8a |
memory/560-118-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarC7E2.tmp
| MD5 | 5170bdaf3f4d15203f4b79498590e81e |
| SHA1 | ae45b412ff3fc20aae07aa6b7513a54be3d41d6c |
| SHA256 | 9514cc14ee665f728a3e985824dee43711ad64b1be8e7461279c8f086a64772f |
| SHA512 | 91b47839dbd2b2bbab015f10fece6425f4e2811e14833e518f8d9cf1e98391d87db5c391d8caff8958b46644a2b714859fb36653a489ff6da30f3805f81288ff |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fe6495bda784966aac4fa8b63dc7997a |
| SHA1 | 099e305a08db27c582e3442ab6a39f8904ca30b0 |
| SHA256 | ff61b701ed677888ef39761af3f9b6edec177c32eb29ac21d72cb6b6bdae834f |
| SHA512 | 76415c5ee9aa7e5f7e5fcbfadb398441623f55a700e140ff55bf2094f1a6a9905f0ad293e317d09a52f3557bc1fa7ab66d3808b8b0e9a630eaed260a2de42e2f |
\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
| MD5 | 92f52218e3d0191fc91584b3ff71fb02 |
| SHA1 | 09b07718a39eb597e572fa59ccaeeca3b71fa348 |
| SHA256 | d537aefa07608e67d098240488fdbffeeaa760dcd0a0e61c6d2adbee9ef895ac |
| SHA512 | ad7b04e2a00729a5fc162f0263b66b6f1f9adfab1448f5072539d22d829a190123b178210ea797d80af05d39664dcf3cf2b8c7f19015a6e7a8a3067745f79557 |
C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
| MD5 | ee64192523d465c22ce0a439e72e5eec |
| SHA1 | 593e33ad392d50b1d03deff06b003968b67e4af4 |
| SHA256 | 3140ad5b9013795ba73ef0fe8113f04aa99bdf071d90c0f6f79144728a31007a |
| SHA512 | f0e513eab3ee5e684e5dfa9020c4b340664766ff0bb680303478fd3dd310351a67c01fc02df291dc3fa68ebad248e0ec2399ff9b86bd68fc48de77cc8e781806 |
C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
| MD5 | 315f195ce59fc5c0235175bf76dcfa9d |
| SHA1 | 68c4eeeaadfedc5939ff429a93479f89d676e249 |
| SHA256 | 9887a91bdebff455998a63cbfc95e1899a6a30e7d0c635c35fee34a2c2a4e7f0 |
| SHA512 | 7cd1e0b5532a5a6530a9ee900f80571c6e7f809018ddaf074cea8308c078739764e35d7f0b016a170beaaa7f44c208eae701ed2cca3864434255a97b0b194a53 |
memory/560-190-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
| MD5 | 198e2903cdf599af5f0c793673d472ff |
| SHA1 | 868a7d09a2344284ecf8bc98c543148d380553a6 |
| SHA256 | a7740883c43684823171af8dc5dbfd5d55681549d7e4bbdd89a491c21525ad20 |
| SHA512 | bfa5da3718b8fe227aaea9ef12f1f464c43236956cbaefb3433ca8fe0853c0a677c99d0e5d378ffbfc82f10046100dc7c6fc895147e47c0aa18a654b9aef58aa |
memory/1804-231-0x0000000000860000-0x0000000000960000-memory.dmp
memory/1864-237-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1864-239-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
| MD5 | 0d37a94868e9b5cd7804dfece3297f91 |
| SHA1 | 5415ac03b02ff1c0bd1a839ea5443e5c972296a2 |
| SHA256 | e5f00ac1b0e1ccdaad7e8cd9e6ea3e51bcf1d098e6e3ac10ddf7d2f27d709505 |
| SHA512 | 12933d885bf0eedcc753724baed9cc7197208797d64d829fdde6f7024d6e8e6ceb31c0082af8ec21f55f84f1b4d0c7cdbc5b0254f544dd15afad54c6916703f7 |
memory/1864-234-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1804-232-0x00000000002A0000-0x00000000002A4000-memory.dmp
\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
| MD5 | 633f6053796a35a53478cab3db82a30f |
| SHA1 | c53149580f8a7c3bc052fa6bddfcd980ac081a66 |
| SHA256 | e671c5845722f5e6914be4175ab97685e909b30d9a1c938db07ab821d550acbf |
| SHA512 | 5a8d2080bf3ddd8f183fd7fa29f9683f5569f4303867a30ac0665b5c762c98c72b9c56aa21ba67bfca4bf0a3ee9d94beb337eaba97a68ef335636747a0b273bd |
\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
| MD5 | 58f2e433607fe95db002f2fe21211cd2 |
| SHA1 | a4193bc250e004904ebaad72af3d3e9e0ba0bd4c |
| SHA256 | 0718fbb39dc12a0af825ea3cfe9a69e937d1a012d7d4b2d981ae9e722381aab9 |
| SHA512 | 349bd64872cc1995535ffd4d6878486dfaa2e427f4e3abb808583e9dfb3e131547d5bb3422ce8839b617004d3889dc4db9d427b8f7b73b9af028c00b72eacc7c |
\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
| MD5 | cc1e2e5e11088917aee302355c6e529e |
| SHA1 | 0e2d6c139923b4a25125ee6fa661de2dcc71b28f |
| SHA256 | 2c71db965f17f85f2961aa103cde4580b46d732d1a56fe60a191bdfc45ac9541 |
| SHA512 | 8ae23ec31bec41e5604704c08dadd95d5ad509bf02dd1938f3af3255b2c4738fb67ae681464f2f61aac390c017fe8f24a9820f0ec046066e2990bd99d12b780d |
\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
| MD5 | e7fb172287de130a8882d8fa7444901c |
| SHA1 | 510ed8b432f52411c5dbc097b0eb75d379d790e3 |
| SHA256 | d4389046d624a7687ca6de57435ba161ae36812ef5b8c91c793cc90b4fcaefcd |
| SHA512 | 12ccf361c3c1ece041c435b276344eab4d231a3052670235f8d9517ddae395af58f2ac8d31943ad060b787084abf6981447caaf92b6de929e4f65d06c546cce0 |
memory/1692-266-0x0000000000400000-0x000000000063F000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | db6ca8871b7c61ab7da487227318c9cd |
| SHA1 | 167ba87f7bbe03a7e2d7d57d8277cf4970dd78e3 |
| SHA256 | 7fccd458fdada40e1b62b2791557f1345cabcb80313efce8f62e6cbb3fcea322 |
| SHA512 | 8c0e0945a04c0279234ead1124f5f925435bed2193f6e8491d111edffa68f6eb506ee2723fa04cf23423936ffaf428d395ce064a64a22d946adb8e643755b759 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5c882bc12ac29a903042d271ee9668b4 |
| SHA1 | 9d7f4d4f386dba0432d9eed5f90a83ecae2cd13f |
| SHA256 | 3b5f2fc96d472b665d5d4070fbc357045e9e12cec6e0fe9b94288530e0f6b521 |
| SHA512 | 0e6eba08cd094e0c81c66fbede6a9af917beb2ef0fc6c79813826e92f9f88dad94e1a093bb6d7f6b585e5ed59d5a540e73a4a438ad88ec4aab5871955ea8d435 |
C:\Users\Admin\AppData\Local\Temp\16DB.exe
| MD5 | bbb443209263029bce215a3ba34634d8 |
| SHA1 | 20514a28111052705fff77465364bccb70394d27 |
| SHA256 | 010d993812bea3045c1ba94894897e0df36d19aca6e2cce89b0d4663c3925e9e |
| SHA512 | 7e85acdc0f65de67923fe57e95fc024fd1b9325899923085fba75c097157a51e1057d954408eaccb361e68c7cfd79b6547765480844d1521aaf4130e1f4c5f96 |
C:\Users\Admin\AppData\Local\Temp\16DB.exe
| MD5 | d23cf8d242ae066463bf8647f3c0b851 |
| SHA1 | 1bb312970a36d55e9346d4e90a157e38a9fd86ff |
| SHA256 | 64f6473bdab3b8531af6fb26f642c53f1b30001d4ca8bb8b681f3f5e7c0d3c48 |
| SHA512 | f51a0852c7d8dc1bbd5525ceea9a2da63d191ad428186937bc2b5398070f8b16bc403e34a1c8ccd6b5fabe2f3e5403a6021390481cad569eb02cc649a566fb1e |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
| MD5 | ff59d999beb970447667695ce3273f75 |
| SHA1 | 316fa09f467ba90ac34a054daf2e92e6e2854ff8 |
| SHA256 | 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2 |
| SHA512 | d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
| MD5 | 02854cbad0296bc25662d3c307c0c031 |
| SHA1 | f94aae0cca9e6971f7ce37f3b02eda67961ab6ac |
| SHA256 | 85e550afad4aa76fa5734e2266fd8edae0769abf67d868f1a813a04b9da2a72f |
| SHA512 | bc530c06227ac5515b6cbaac442af05714a246dc65bfc66e8b5525fcd342ab4eabb69dcd8f260a95ca9bfd8aac68be75058113c15838d67f79c9a273e4dc5d60 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
| MD5 | 1355e4ec8207b40f9e3534b2c75f085f |
| SHA1 | 67c2349128474c826ed05409ecd156bc8773db2a |
| SHA256 | 85d2ebe3449b97cd1896d4b34e4b9fd6a79bb95097a86df40c34275f17449629 |
| SHA512 | bcd7368e84522e89345a40d856a8808aa0e39860bba835c7874a37ee660db7f1f14b4a9b0ca97e0fd36ec54a0c33190bbe3810926201b72f9d195b7ff992f543 |
\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
| MD5 | b28abec15940b5ee3f53e0dbcc619ecd |
| SHA1 | 524ab7bec2c35c531968d68fb749e802fc595bc5 |
| SHA256 | c015f94db8d1c33a5843ce9d2e738ac71ebcccbc4badeea970696a9377f3d06f |
| SHA512 | 6e86244834fabf9bf5ce0424dc4b5682548321baa0cf17edb9b1d9eabfb23f5db64fe08f2efb3adeb9f9ae6189dba35b500da1e71906d52df9d87646295bf7b1 |
\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
| MD5 | d2f5cc792f97fcf3b6968a189d10320d |
| SHA1 | abe7ac36e5e99a7d13f71a60803492c9bd439676 |
| SHA256 | 1e06b9fed59ddd1e1b53e044dc2881dec9168f5e342864ef5dd2eec9f1565a63 |
| SHA512 | 6fd2a417c696c2f985a557a94d27c0440e4f0d2d3d63a044d178bf7c2c73c597ef8dcdeccb650f7e5037ed4d61c4e3fd9a681f13dc6c31d6ce40e2a75690a09d |
memory/1728-373-0x0000000003760000-0x0000000003ACD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
| MD5 | ac1affd3e58924ae679fd5b4cc5ac424 |
| SHA1 | e597ed8b6c7d958285c2f5153c9e7081cd92f18b |
| SHA256 | 1eed922f831550da0e2f70f24aa79a2f551511d1683a7c3c9bd40b6636ae5cd9 |
| SHA512 | 34693a7e5ad0b39200e466472f4ce8546c18c5eff0ebac3a5b8c8798f4cd4999396c9a89ae7cc1428f5bc723dc8c5cd3ba5bfb895738043dca93b50d336134ae |
\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
| MD5 | bb1f3a8f91f09d6eab3eb00336105478 |
| SHA1 | 9b0104800dd2f3c3731a9683593c8d78beb4e765 |
| SHA256 | c68e82f877fccce2e97ddb7a6b968cbcc5dc60e166c9cb0ffd325b4db68832a5 |
| SHA512 | f626429b62281e0306084f2c1fad1bb304ac1e34e377e4168c8ecd08a49035c5d1c38c6816e8c06e4705cdfdd1d7ae296be985eccc6959cd81e50033db9b9c5e |
memory/1728-374-0x0000000003760000-0x0000000003ACD000-memory.dmp
memory/1728-375-0x0000000003760000-0x0000000003ACD000-memory.dmp
memory/2052-376-0x00000000003F0000-0x000000000075D000-memory.dmp
memory/1728-377-0x0000000003760000-0x0000000003ACD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
| MD5 | f76fb97975a7a82485283409e7392ad2 |
| SHA1 | de8b95965c76adf82a4c9b76106c4322ca5af75b |
| SHA256 | f330bd0625f0fd1b9104eec9b06ef81a3054f4a1acb7550dbfcf38a49c978b9e |
| SHA512 | 0bec8b23d692f1b8ed228749a476bb2c7ffe68a84327c5906be0fe9ac1422c9d63ebe6e572ef02282c9076887942aad980013a474e7309c7e05d032e36597c15 |
\??\c:\users\admin\appdata\local\temp\rarsfx1\fesa.exe
| MD5 | e118aff2bfba65865c059189899ee76d |
| SHA1 | bda5316df47dd409be41e889c32c835732bcc09f |
| SHA256 | e87ae63caa9555385b26850b8da75c4a564570ee1c173777f5b66eb68f8ec5aa |
| SHA512 | f1b1a2eba38c61d8afcfd22e10ed62f4915aa7c1971c8fbea2c6801ce6dfe24de6afc7dc6ea9477432731d82f759e66ee43a7dd86b81fc349dbac0a1c7c269e0 |
\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
| MD5 | 5de7230a7fa131c0f3daca7a177ae443 |
| SHA1 | e522429d2ffcbbb3fbc96d46e27add17116772bb |
| SHA256 | 5e34dac91e9106d009abf99424dee4c3bfdb88c6c2b8bda0bcf57d1be09dc960 |
| SHA512 | 26a60246e8441eb70948fd6badaf2fac893954a3e3a5466e4e35596247ea5926d453539a68a7694a7e13efb48020983199cb8b3766602adba66aaaaddf8ffb4f |
\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
| MD5 | 568d3de870dda8a255763f5c28ebe984 |
| SHA1 | adf1dbdb02fa6b0e9efc3bc52c45017368bcc0ce |
| SHA256 | a326d35df0281661f29f27cc95f28ad7b186cf536b8a3718209973bc8d99d8de |
| SHA512 | bdcd6ea5bef5f9f04ccaa3e9177bfac6c87f8bfe42e7f5b377079cdcbd730118cbf2b5de088648a798a26f41318beda8e061e9391b52dfdf12379bcc3724891d |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 981b7a407189abc0834226f32c56e23d |
| SHA1 | f9ff016d25dbb1dc45e2cb5502c254b62f26ed4a |
| SHA256 | 4b1bf5ab0676b5caf36faeb72991b18d1383562ae61a721db0e9935ed128ff38 |
| SHA512 | 6189a6a60db08379425747b098b4521f7709c1509025a6b70b67d71c15aefe511f35d22352d7cdf8ed317b519f9d36f6dc77f1bf9d708f810994e09220f1fabd |
memory/1404-385-0x0000000000290000-0x0000000000390000-memory.dmp
C:\Users\Admin\AppData\Roaming\fwactwr
| MD5 | ebb7ef2eb8ce2b4a91a3638a13fb394c |
| SHA1 | d13c8a2275a2eeb54251c5bbc8dc6e466509be76 |
| SHA256 | c0e727bf5ca186bb83f85796dc25da0b6645a6371b33b722200e55a7124ef5e1 |
| SHA512 | 608dc1649771bca9aefd945af51a3fd591b6afa114419ac583165169dccc5d6e1b32993ed887e426476c69e4877f228cbb18f9373f99971fd683a72c837a0802 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 21a0f4bd469cc6ca5f50595f77836eb0 |
| SHA1 | c03e75c4ee88b98d50f55406b0070f496500da79 |
| SHA256 | ae0decd9310dc5c6c86831181d24e6f6febfa7b58e0b55d73dbedb6955d9c016 |
| SHA512 | 262ced57b7965cf29d6571191328b3a355d20f31a4c38157103250413d83f37d05be54f849a18221ce80449ce205e56abf4ec91f914e17b326306d2fd45e0e3a |
C:\Users\Admin\AppData\Roaming\fwactwr
| MD5 | 94919d50ff439256225f5c48baad3ae8 |
| SHA1 | 54d309499581cee2a9e42a873982a3d4b9350f50 |
| SHA256 | ca713b99670400637496c64001b373ab67950db162741ed1ee82d7deabd19dfb |
| SHA512 | cc4e7543b93be55fe51dc2f58fc3db6dac469bbd1dc01c556f605bdbebf2f06c7eea75d424d6227732de4cd30a0de1b0120fd2a8a401bf2b45f60c0267cfa6f5 |
memory/1404-386-0x0000000000400000-0x0000000002B0B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3007.exe
| MD5 | 5af884fbfb5162efb2bc85b6908e76ab |
| SHA1 | 82dcaa9ef03bad180f1c68100d8ab84930bb929b |
| SHA256 | fc561ba3d30c2e7c1948b9b28df86fe33fb240dfef92e5f2c7483a507aeb6403 |
| SHA512 | 5ee66867a41ed4e32b3d6d1487021fd1c70824055d70ad6af445bb9c798315de1eda3398a6968c8b142a42689436c86a15342c5f2f3840f2fd695b833152475f |
C:\Users\Admin\AppData\Local\Temp\3007.exe
| MD5 | 525fdd908d0f021b0965645466a764a2 |
| SHA1 | 8403e06b289519a4af9ffb80fd79733f0cbad6d6 |
| SHA256 | c08678c21155324e639c4a44ee64d3c01d74af73c9d0b1bcb541a3977c425fc4 |
| SHA512 | 0e47fc224815f6cd936a65597c11ed326fa68b92fdd439039d58de41125c1a4d1de199a3ac5f90e560691a6ffe58d0ffd02e623c4f33c21948fb1ae82e08328e |
memory/860-392-0x0000000000200000-0x0000000000201000-memory.dmp
memory/860-395-0x0000000000E80000-0x0000000001831000-memory.dmp
memory/860-398-0x0000000000200000-0x0000000000201000-memory.dmp
memory/860-404-0x0000000000210000-0x0000000000211000-memory.dmp
memory/860-412-0x0000000000270000-0x0000000000271000-memory.dmp
memory/860-409-0x0000000000220000-0x0000000000221000-memory.dmp
memory/860-407-0x0000000000220000-0x0000000000221000-memory.dmp
memory/860-405-0x0000000000220000-0x0000000000221000-memory.dmp
memory/860-402-0x0000000000210000-0x0000000000211000-memory.dmp
\Users\Admin\AppData\Local\Temp\3007.exe
| MD5 | 95395675707fe93a49ed51830c5e8431 |
| SHA1 | 763fc3cbcb79b18654bea53b67036a6226751492 |
| SHA256 | fdf724a908125bbbfa35724f7140402a6ec61d8d7bae2ed232c2b22ad7705465 |
| SHA512 | 2d8de5f51e66a4790ca8f7896190581cda55eb8b10039fd5d9ef438f29a2ad80848356bca804a46a0bd8151afe11ebf431c820e43c9ff57e4f9f1fea41511f50 |
\Users\Admin\AppData\Local\Temp\3007.exe
| MD5 | 910bf5e8766bd8de944bc5b0ceaf27a6 |
| SHA1 | 22e3fbba70bd42115856e5a31adbe82ebe7e3294 |
| SHA256 | c6fb7c192ebda7714034293926254cee8e24bb7ac0cd6bbcc6ddfbbac0e9e68c |
| SHA512 | 58fb53de2d6b297ee765d3f8aa962b53a862f3fcd1c9b5a9022b6fcf9490c7993c24a8bd1176227d093a5a14796fc78661148cc334e790f1a2957eb19fa5d044 |
\Users\Admin\AppData\Local\Temp\3007.exe
| MD5 | 8eeb7a49ddb462b247c54c0a7984ee2a |
| SHA1 | e05c8ffef90a333fa01a32a6d23854c0cecd9a95 |
| SHA256 | 2d0d8e67b37ec53eab453c82835fe3cde5c2628eec4b56582ff96fc35a9e604f |
| SHA512 | 19647d04cb9d5af9d39f5a92a1c6b6b96c10c08c82154948c6a8e8ba3fd51507a9d1e749b2d2f0b56fe1538b0b61bd913814264f0077197340079ac7070ef2de |
\Users\Admin\AppData\Local\Temp\3007.exe
| MD5 | 7d9fc7d66e28b88261cee289d8047957 |
| SHA1 | bcaa7777455e13b07f183ab31143096fcc810a0d |
| SHA256 | 20576e42d36b01e4a3bca64ef232cc5124be5f9bd85a2253700bda78144da84b |
| SHA512 | 4903aa88e05cb593b933f672de8daf4f69682116c9150114cc1e16eee34a413bb6a759dd9353200ff78639757f494d783eb6c68625ee98c6af9e787695ed4a03 |
C:\Users\Admin\AppData\Local\Temp\371A.exe
| MD5 | e5e40c1b4525474c1f8a6c37373df09f |
| SHA1 | 2a079b3c3f518804496ffdcc41c4f6a8ce431b81 |
| SHA256 | e04d57e1134fdd8e587c7b1918eb30d310d504d69f694b9767c3a49d2cfcdac4 |
| SHA512 | 3dee71465cf469b63ce1266fca744703d0545d6dbaf4cc825a2d866e29f6cfab7193bbaab7281cfa50bb9942eb9d774c7e69c4a945e0dac4b7784ab1e9579c1b |
\Users\Admin\AppData\Local\Temp\3007.exe
| MD5 | cc99deada35aa2c59a03cf2761f82160 |
| SHA1 | c8a4ca5717f8a2e741df60c839ffb08d770bcca2 |
| SHA256 | 5f7a00f1d20fddd8850ae4b9825a58d8385417ca15115dfc28f74e608e54b61b |
| SHA512 | 757df9d1aed9047aded3c03e254a0ba2ec11e94edeff15b4ec2597c136267f387eaa23c8fb4421efc51d2e6e83f32d8837b0af674c9dcddde204b4bb92ed1704 |
memory/3028-443-0x0000000000E80000-0x0000000001360000-memory.dmp
memory/860-433-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/860-400-0x0000000077C70000-0x0000000077C71000-memory.dmp
memory/860-399-0x0000000000210000-0x0000000000211000-memory.dmp
memory/860-394-0x0000000000200000-0x0000000000201000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3B20.exe
| MD5 | 384b9fb7ec244ff146d8415fbce021f5 |
| SHA1 | 831230dd688fd3de5a26684e85102e4949194988 |
| SHA256 | 08eb9ef72a049de4d13b3e4b073c07bef072d4e8b6a2e9583d0c23a318e2c2e5 |
| SHA512 | 1ac008b472bd1af67f8eb056758003012fb915fdfff91b923577b20410e2da1e85d7eda85c76ed0278d017c2cbb126e70413a0d9ffd90a41c2b54ebf92d16f9d |
memory/2052-450-0x00000000001B0000-0x00000000001B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3B20.exe
| MD5 | 1c3b130f0309c6f8166160f0bd20d6ec |
| SHA1 | 0cad034a8f615843d68743357a6f24de456c994d |
| SHA256 | a1312ece539d7b0d55ca5c862272dab30aa42c8a7d20c63bb2192eb8431c778f |
| SHA512 | d10f3e524716c76d828f709905d8a970805da6aa07271c2f1dfadabfef4917bc3104cb481fe444da3343cb6546f21c60e97553ba5fe1be90d19385c99348cebc |
memory/2052-452-0x00000000003F0000-0x000000000075D000-memory.dmp
memory/1956-453-0x0000000000C00000-0x0000000000D32000-memory.dmp
memory/1956-454-0x00000000732D0000-0x00000000739BE000-memory.dmp
memory/1956-455-0x0000000004910000-0x00000000049DA000-memory.dmp
memory/1544-480-0x0000000000930000-0x0000000000A30000-memory.dmp
memory/1404-482-0x0000000000400000-0x0000000002B0B000-memory.dmp
memory/1956-1402-0x00000000049F0000-0x0000000004A30000-memory.dmp
memory/1956-1404-0x0000000000200000-0x0000000000201000-memory.dmp
memory/860-1403-0x0000000000E80000-0x0000000001831000-memory.dmp
memory/1956-1406-0x0000000000460000-0x00000000004AC000-memory.dmp
memory/1956-1405-0x0000000000B70000-0x0000000000BD0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 7eda6fc800500c5fa97df13391f79956 |
| SHA1 | 254be705c613e058da36bfdb79c0ec6d1cadde93 |
| SHA256 | ac6322ce42837db2224b052555736631f90ac9e88b1e33806b41a2f1a0febe99 |
| SHA512 | be34f0378ebe8deed88de267a6427158eb943a7e68f37de90751fc077f5ef7f2874c5df87d0be1762d69592e6004fc178331518e028e00af89c2c265269c0256 |
C:\Users\Admin\AppData\Local\Temp\3B20.exe
| MD5 | fb44d20e89b3a6b22749c72c815eec81 |
| SHA1 | e9d6b04c0e547ddd872b97fc66ba4513150582f3 |
| SHA256 | af2796efede38928b2a58015a79f23e3759165838af208c3df11e4c0ef1d5291 |
| SHA512 | e384de851dd966fdd9d5cd3b96bdc864d8bfc4f6d6525334e0adc82116188aabaa8b69145942fe2c4587ccc01667a754603396d484ea8f4e46a3371b7af6ea62 |
\Users\Admin\AppData\Local\Temp\3B20.exe
| MD5 | 8e6491e94fc0db51a23b8325710903c0 |
| SHA1 | 30270eb2b0f781788836d505929fe8e0bafc7501 |
| SHA256 | 0f2790297e57c14e9b216dcfc4b0fcd390dd2ff953c11c1a69c19061abeb90fb |
| SHA512 | dbf92376b8a73e3eebce97e3e6ed68d8ec643f84f90bede7e7b89bbe155aa631391ac5413c989a8a1c296522f5c51cba6fee6172fe7847a1d774be8e745f0886 |
\Users\Admin\AppData\Local\Temp\3B20.exe
| MD5 | 28b225bd64faa306158a2f13a99550e3 |
| SHA1 | 75380a3afb8918909f52f4d80464828b330aa5ba |
| SHA256 | 18d883ee911b6cd6df483989b7bcdd56a319349b5278da55b406479e46034049 |
| SHA512 | 675900878a374cbf12307fe5e2effd15e0ae3fe90391ee0fe9fd0ccd287be92301eedb349c00ef56c7da9e3c5e933f331338e40bc6f3ac214bd110c677cad8e1 |
\Users\Admin\AppData\Local\Temp\3B20.exe
| MD5 | 9bd1ee0ca5b2ff2224e19d2bae0db3a9 |
| SHA1 | 9f74d687711180523c75d2491138fe1262a20b7d |
| SHA256 | adaa9f4927b121c3fcdf86d4855a5cd5aee1959320053df38c105b3e7cb1f09d |
| SHA512 | 37893c504340fe6bac6da793a3015dd83cd39e367bac41f1ce98a52fd91d822d55e502fa6ce56d4cfaa0e038c10a0f8b3b7d8b5aeb6957185a3e559cd518df4a |
memory/1956-1424-0x00000000732D0000-0x00000000739BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3B20.exe
| MD5 | 50b591ec9222c0d3571c72d111385031 |
| SHA1 | 0dc8bfe4111b515fab7fbc8bda8dcc98c5e3a129 |
| SHA256 | 6b4baa891eb9e996d19671c177afdfe896a9fc21978e4c39f1503e5f721daeda |
| SHA512 | 7ea8f80c6875090a91caa4091e31795be491831e79eb1a288a49c8057f931f50dc215fc6f59115b7d131d92079f143e71165e1659fd5625061076035a050fc2a |
\Users\Admin\AppData\Local\Temp\3B20.exe
| MD5 | ed51799d4c4740a92ebd7b24fb7e2bc5 |
| SHA1 | de6ff5db004ee76c4778f84928a1a1402b95e070 |
| SHA256 | 1ce240af6f9fd677d8cc6064216385139209df9557affbb2f66a9bef82f876d6 |
| SHA512 | 904e1eaf9dce28b45af9537f53e1d30e60beacc9aeea611fc32ec028f8dddd1f73a32bce6205d8d564ef9607f18b600b4403e46b1e4d2064ee8c6589d9efee09 |
memory/3028-1432-0x0000000000E80000-0x0000000001360000-memory.dmp
memory/1660-1456-0x00000000009C2000-0x00000000009D2000-memory.dmp
memory/2652-1491-0x0000000000912000-0x0000000000922000-memory.dmp
memory/2888-1500-0x0000000000992000-0x00000000009A2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-28 22:28
Reported
2024-01-28 22:33
Platform
win10-20231220-en
Max time kernel
300s
Max time network
300s
Command Line
Signatures
Amadey
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Lumma Stealer
Poverty Stealer
SmokeLoader
Stealc
Vidar
ZGRat
Downloads MZ/PE file
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\eb849e61-72c6-46c1-942c-915b400011db\\DC96.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\DC96.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\76D8.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jahrivc | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jahrivc | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\CD91.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\CD91.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jahrivc | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\CD91.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CD91.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jahrivc | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FA41.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\76D8.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7224.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe
"C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe"
C:\Users\Admin\AppData\Local\Temp\CD91.exe
C:\Users\Admin\AppData\Local\Temp\CD91.exe
C:\Users\Admin\AppData\Local\Temp\DC96.exe
C:\Users\Admin\AppData\Local\Temp\DC96.exe
C:\Users\Admin\AppData\Local\Temp\DC96.exe
C:\Users\Admin\AppData\Local\Temp\DC96.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\eb849e61-72c6-46c1-942c-915b400011db" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\DC96.exe
"C:\Users\Admin\AppData\Local\Temp\DC96.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\DC96.exe
"C:\Users\Admin\AppData\Local\Temp\DC96.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
"C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe"
C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
"C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe"
C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe
"C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 2080
| Process | Command Line |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1148 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Users\Admin\AppData\Local\Temp\FA41.exe | C:\Users\Admin\AppData\Local\Temp\FA41.exe |
| C:\Users\Admin\AppData\Local\Temp\F416.exe | C:\Users\Admin\AppData\Local\Temp\F416.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" " |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | work.exe -priverdD |
| C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe | "C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe" |
| C:\Users\Admin\AppData\Local\Temp\54D6.exe | C:\Users\Admin\AppData\Local\Temp\54D6.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe | "C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe" |
| C:\Users\Admin\AppData\Local\Temp\6AFF.exe | C:\Users\Admin\AppData\Local\Temp\6AFF.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\jahrivc | C:\Users\Admin\AppData\Roaming\jahrivc |
| C:\Users\Admin\AppData\Local\Temp\7224.exe | C:\Users\Admin\AppData\Local\Temp\7224.exe |
| C:\Users\Admin\AppData\Local\Temp\76D8.exe | C:\Users\Admin\AppData\Local\Temp\76D8.exe |
| C:\Users\Admin\AppData\Local\Temp\76D8.exe | C:\Users\Admin\AppData\Local\Temp\76D8.exe |
| C:\Users\Admin\AppData\Local\Temp\76D8.exe | C:\Users\Admin\AppData\Local\Temp\76D8.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 912 |
| C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe | C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Network
Files