Malware Analysis Report

2025-06-16 02:13

Sample ID 240129-fgvsfsbher
Target 5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2
SHA256 5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2
Tags
djvu risepro smokeloader vidar zgrat e7447dc405edc4690f5920bdb056364f pub1 backdoor discovery persistence ransomware rat stealer trojan amadey stealc spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2

Threat Level: Known bad

The file 5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2 was found to be: Known bad.

Malicious Activity Summary

djvu risepro smokeloader vidar zgrat e7447dc405edc4690f5920bdb056364f pub1 backdoor discovery persistence ransomware rat stealer trojan amadey stealc spyware

Vidar

Detect Vidar Stealer

Detect ZGRat V1

SmokeLoader

Amadey

Stealc

Djvu Ransomware

RisePro

ZGRat

Detected Djvu ransomware

Downloads MZ/PE file

Modifies file permissions

Loads dropped DLL

Reads data files stored by FTP clients

Deletes itself

Reads user/profile data of web browsers

.NET Reactor proctector

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Checks processor information in registry

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-29 04:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-29 04:51

Reported

2024-01-29 04:56

Platform

win7-20231215-en

Max time kernel

294s

Max time network

210s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\602A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E17.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\152A.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f0f9029c-4a2e-4a29-bbb6-78bbd2923866\\6D45.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6D45.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\602A.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\602A.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\602A.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\152A.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E17.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 2748 N/A N/A C:\Users\Admin\AppData\Local\Temp\602A.exe
PID 1168 wrote to memory of 2748 N/A N/A C:\Users\Admin\AppData\Local\Temp\602A.exe
PID 1168 wrote to memory of 2748 N/A N/A C:\Users\Admin\AppData\Local\Temp\602A.exe
PID 1168 wrote to memory of 2748 N/A N/A C:\Users\Admin\AppData\Local\Temp\602A.exe
PID 1168 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 1168 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 1168 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 1168 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2752 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2752 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2752 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2752 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2752 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2752 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2752 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2752 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2752 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2752 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2752 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2692 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Windows\SysWOW64\icacls.exe
PID 2692 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Windows\SysWOW64\icacls.exe
PID 2692 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Windows\SysWOW64\icacls.exe
PID 2692 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Windows\SysWOW64\icacls.exe
PID 2692 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2692 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2692 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2692 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2772 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2772 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2772 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2772 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2772 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2772 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2772 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2772 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2772 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2772 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 2772 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\Temp\6D45.exe
PID 292 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 292 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 292 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 292 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 880 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 880 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 880 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 880 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 880 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 880 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 880 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 880 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 880 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 880 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 880 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
PID 292 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe
PID 292 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe
PID 292 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe
PID 292 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\6D45.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe
PID 1708 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1708 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1708 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1708 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2392 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe
PID 2392 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe
PID 2392 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe

"C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe"

C:\Users\Admin\AppData\Local\Temp\602A.exe

C:\Users\Admin\AppData\Local\Temp\602A.exe

C:\Users\Admin\AppData\Local\Temp\6D45.exe

C:\Users\Admin\AppData\Local\Temp\6D45.exe

C:\Users\Admin\AppData\Local\Temp\6D45.exe

C:\Users\Admin\AppData\Local\Temp\6D45.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f0f9029c-4a2e-4a29-bbb6-78bbd2923866" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\6D45.exe

"C:\Users\Admin\AppData\Local\Temp\6D45.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6D45.exe

"C:\Users\Admin\AppData\Local\Temp\6D45.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe

"C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe"

C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe

"C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe"

C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe

"C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1480

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe

"C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B93C5019-7B30-4C64-8AD3-6DA1C6F2B561} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\A11.exe

C:\Users\Admin\AppData\Local\Temp\A11.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 96

C:\Users\Admin\AppData\Local\Temp\E17.exe

C:\Users\Admin\AppData\Local\Temp\E17.exe

C:\Users\Admin\AppData\Local\Temp\152A.exe

C:\Users\Admin\AppData\Local\Temp\152A.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 158.160.118.17:80 trad-einmyus.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 brusuax.com udp
BA 185.12.79.25:80 brusuax.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
BA 185.12.79.25:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
KR 211.171.233.126:80 habrafa.com tcp
DE 146.0.41.68:80 tcp
KR 211.171.233.126:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
US 8.8.8.8:53 novoscanais.com udp
PT 194.38.133.167:443 novoscanais.com tcp
FI 65.109.243.18:443 tcp
PT 194.38.133.167:443 novoscanais.com tcp
NL 45.15.156.13:443 tcp
NL 45.15.156.13:443 tcp
FI 65.109.243.18:443 65.109.243.18 tcp
US 8.8.8.8:53 snnclermontprojects.com udp
AU 176.97.69.235:443 snnclermontprojects.com tcp
FI 65.109.243.18:443 65.109.243.18 tcp
FI 65.109.243.18:443 tcp
US 8.8.8.8:53 olivehr.co.za udp
ZA 41.185.8.154:80 olivehr.co.za tcp
FI 109.107.182.40:80 tcp
GB 92.123.241.137:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 185.196.10.146:80 tcp

Files

memory/2496-1-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/2496-3-0x0000000000400000-0x000000000085C000-memory.dmp

memory/2496-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/2496-5-0x0000000000400000-0x000000000085C000-memory.dmp

memory/1168-4-0x0000000002F10000-0x0000000002F26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\602A.exe

MD5 fab1a6d1d2c9bdcbf5f327d10ca9f4de
SHA1 f7b0c90f9f9a7b35e604683e2b9efad1e8b510b3
SHA256 4f275520ee0f2de49fffc16cdacde51b307d886cb47fc80609559caf42bc1a26
SHA512 a1d8a2957a99e0263b95511f522f647ae343c6e483a672edf0d1946ad5c507aec2e3007339179389d69bf112b2e230f62bdb049926ebe722ef5f726f3d633abb

memory/2748-18-0x0000000002C80000-0x0000000002D80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\602A.exe

MD5 01fb175d82c6078ebfe27f5de4d8d2aa
SHA1 ff655d5908a109af47a62670ff45008cc9e430c4
SHA256 a07112e236e0136b43294b31a43fb4456072941a135853e761680d04315841c3
SHA512 c388d632c5274aa47d605f3c49a6754d4ad581eb375c54ce82424cffa2ad86410a2ad646867a571dcf153e494b4e7ca7a7cf6952b99ddcf5940a443f7039f2fe

memory/2748-19-0x0000000000400000-0x0000000002B04000-memory.dmp

memory/2692-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2692-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2752-35-0x0000000004530000-0x000000000464B000-memory.dmp

memory/2752-34-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6D45.exe

MD5 2f50ccfc662fcc8e5d236f9c9a9820b7
SHA1 a9c3f1ffba7438133131493b374efa80cf1ff804
SHA256 b556a08ca894ed9e858480c61156767b71ffbc7216cb409df5297a42cd511cf6
SHA512 419ae07b3f13880c90d0731f12137975ef4c366e35ddc92053432e66ad306ea47a48838b19ccf58e3e52ede744f6c31916ace33ee59aa2e58884db1a39cfa2af

memory/2692-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2692-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6D45.exe

MD5 5870b3730eb3989cd551f9136da65491
SHA1 6d051e194d9457fe31c482db3cc3dbeac87a7b4d
SHA256 4e243f835b25bb440f4656577081bbe5141ed426ba78a2dba6e0e856221a2975
SHA512 685d339a527c29689300b4c3af2336588da97c2fc539bb93ae970f53530bfc6e4d99ca6dc7cda1c3b5d65a78e813f3f20033280eaa520617545e031439a63a17

\Users\Admin\AppData\Local\Temp\6D45.exe

MD5 24eda8fd2fcf2f355ab91f3dfe501a1d
SHA1 4433ece653a0648956218aa3270c74c3ccb519a4
SHA256 8d63abd82fdee448a52e0f911f9d5b2784f948899e48c5173389fa660d05183e
SHA512 b728d738ef3a356d5f813959ba6cdf37ee2ad9e9c5752f5e8d1bad81156069280dbb61c31074b1f7a556f84332af6a77752f014ca5f00e25e377ba8166838599

memory/2752-26-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6D45.exe

MD5 95c9499f14bc7149bac0bdb781621646
SHA1 98fdac3a7c3712add05c7d9273e30b00216b8a0a
SHA256 58c4a6f7c9cab89b6992e648f70a543e4fe21830b8dfa9fe6bd43bf1b11c590b
SHA512 9a1111d479e12cd3615833d08c986fdec356f95d796a2f3313bb3d63d9cf8b44f809729a1824cd418139093ab6a57a49441992965aab869eb6542a7cfc4a7025

C:\Users\Admin\AppData\Local\Temp\6D45.exe

MD5 15c91f05c48278f3aa417e009b1f426c
SHA1 249cbc537a3162893c667c17f5780fadc7c537af
SHA256 11ee49e92080a3bf0aa77011e511b5811bac2ca2f893032409cfb6d340b8a484
SHA512 97b767fabe82d9ee9acf6be21a620d881bc5edc5c15277e848064d7c66d906cd385d5fde8fdd5f096cff34cf2e25617642ed4cdd6f31d33d3b8e906756c71ae9

memory/2772-60-0x0000000002C00000-0x0000000002C91000-memory.dmp

memory/2772-63-0x0000000002C00000-0x0000000002C91000-memory.dmp

memory/292-69-0x0000000000400000-0x0000000000537000-memory.dmp

memory/292-68-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6D45.exe

MD5 6b445877bf1b16f25a49ed1c462a0024
SHA1 87f5fbbda548987d896ca8a4a31f112f8b207de6
SHA256 c61d7a879250ee5e924591c5b571c7004e608f0c76c055dc6e5e0edc0221e2ff
SHA512 62d60bec3b42a8073a2532e6f12b74ec5d68d00966911dd45a5a28e8f3288e439e7556e4eabee2c9af2c3b4cbbe56969f2cddf485455d095ae1887d3be4473e9

\Users\Admin\AppData\Local\Temp\6D45.exe

MD5 fe5820f5cee24e499354aa5d071a0693
SHA1 fec8069a34466faa2f9b2a695c1400279f04a44f
SHA256 4d895290869c5ac0329d950caa6c3655c32bc0e17bc85f14c48249b4a5c38dad
SHA512 c9efadf678504874054b56fb62ed980f9ddd01352b1ea374dbe7e4bd6b1a04613268be9969e19c45fb60d6f774077c4aeb456189de42d1a0909564ff8af38c74

C:\Users\Admin\AppData\Local\Temp\Cab7233.tmp

MD5 7bac88154885b257f35c45c60cbba016
SHA1 f1d58819eb64c8b9245b7038296945cde9034ff7
SHA256 57466b6cc7133691e4bd4123174a4474397b2b16cfec39c7a66a18e5ab1a39ba
SHA512 fb50fba28f4a2a1a75d4dc417e17f26993fb13fafd074a872f1f8dd30eaf99e2a771f2cd8106d1c99ab6e05b633ace7f8afbe466f24fdc54779faf516be0d7f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65ba538a16745aa5285819322debb2ba
SHA1 f9161b05e8e84e5351215b98494cbce5e4a095f1
SHA256 95740421cbc4ab0d88427514297e124186fd0483f1087b9d385a63ee871d5b3b
SHA512 c9987260d034e01a13e0f5ada65115394eaa659a875209464ecc1e43f60c5d4c6166f83e1c78fdded56ae70d89a8e3efbd85f58e2cf02a42963ccfb0898dc10b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/292-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/292-83-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 e4ab38c897dc79e9775af503ce73f8ba
SHA1 26820173fbe28f76856a889659e10260bed322e6
SHA256 f1d4ec5081574d5f7d6176cc7a3a112a0507a50bb73c51100861e47f0bc7509d
SHA512 d5279677d8ea4f2af20c896c60709a9fbf3b25a6190ee035e06ea7ce0e76d4cf0dc6af06cf2328191183d22eb917dede3c081adae1bc29b57fbd64e819273955

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 28baf5fd68df59a9964b94cb39ffee77
SHA1 b3fddc328582ee68eeb23616393db9abb9e27380
SHA256 c5dff2b8854fb9ed981ebdb1d6b621cf681bd1ac18ac44b14c138cd05352365b
SHA512 1487962f4c57144dac2278d6a0f04da56f6ba4f03c5467f9df1cc04896fe4fb8bb7286027ae274a95e46e6c0baad836384fe4ee969824efe295d4da2200ebcb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fe4d3bdb485693dc204b15dce33e4e1a
SHA1 e41ea3f482a7abe29d5eee7b02fb269b910c17ee
SHA256 eff08c5244d3e4bd734b4374402b612bc5bc9650ed5d4ec2db64b3f3329b6f6f
SHA512 7e6eb61034a3eba0a35ecbdfa8a15a034b7cd2f3409fb066459474926d978f0af659497569c48eace22eaefbce0ca8e0861af2c084cd36967346a55fdb0b51ed

C:\Users\Admin\AppData\Local\Temp\6D45.exe

MD5 db74fbf7d62029230d7727729d600a5b
SHA1 eabc56b7e64fda82059349a8749389079201e39f
SHA256 0bb83776071fbd45b0abdf5e5e00804e2a1333a312d47e981d31b2a2338d69f5
SHA512 f56025d587ebbe99328c0b9e1dac05a0867ae971a65e5ac699b3e0b632af8982748cdf17a475c1a65e439380e78648d7ab6e762fa37eb85db1c608440924cb86

memory/1168-84-0x00000000030A0000-0x00000000030B6000-memory.dmp

memory/2748-85-0x0000000000400000-0x0000000002B04000-memory.dmp

memory/2692-58-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\6D45.exe

MD5 5d59453a30abc5e258a112e84cf7b557
SHA1 e9ea9dfd1a9f6f6eaf1aa4418af24f478ed2c947
SHA256 b436a2f3337c710acad8b446057717ed0980507c1bd3845a586cd79bf0635fb2
SHA512 dcd50a3ba56bddaacde990f225072a41dfe378483de0b5f9d2b7beb6febbfa9b035acb1c8f5e1f33623189a4491eb131a6425b8fbc8963b65fabfbcc3e64fa8b

\Users\Admin\AppData\Local\Temp\6D45.exe

MD5 99269fe8c61efe8109e2cd0d95298af8
SHA1 60563569cbad0a3d9e3520f5f04c757f7f7b7663
SHA256 1b33c7458a93334c9278825bba82c321eb32296e364fcb0c9ea29d064bce88a7
SHA512 09a169ebc6f4d534b3ac97be56207b92a25f9ef22aa39467102223967fef0a2473f31b27f5bf9b5fb42f6002f62eb606ecf2647de3b7fb9a0920ef28fa498482

C:\Users\Admin\AppData\Local\f0f9029c-4a2e-4a29-bbb6-78bbd2923866\6D45.exe

MD5 e6d5b731bd414c8f989e7363de944ecd
SHA1 17de6b80ce5dd5330965df515f9d78b783d68036
SHA256 f4d55078931cc42d47f3d2c8b37b63f6fcc91c6415ba206610a0c77f5969ca01
SHA512 7ca4b4d9bc1d8e647f32085010d1d0d6c1b6bd289d1ff38bfa14b592144889f7ec56fd081fd3f8c0a51fa5228e324338809e21b757467eafa249925da5d57b4b

C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe

MD5 3b0c73c3bc2209f9e1a4da5734b75ff7
SHA1 5950fcc4d5a1aa63dd503a313a4b6bf895091753
SHA256 d4998e96f0f00606eb44756ac1ed6a770dc6c5420f36f1b0e96c5a00f685b8c7
SHA512 c2f9794f896f07652047067c125488b9023580f8e1343d90f28018c68107470ada74acf042c3e3a421cd38743e259889c9f3f70de5d53c438c890c3c1a864f69

C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe

MD5 fc56e8edb50a2f75bcbd98fd51caa5b5
SHA1 7d7de4be9b9bf14c26f753990959eda8352ee415
SHA256 288ff1cf0ddc9f5222a4715b474e7eb02c31fb45ed3d496a8655a1850d3434e3
SHA512 878277aa2699d1da68a05fe6d175f53071b9373eec6f548b6826e95e9fdb477b08d8dbd49781026d01eed6fa3ab16c7bffd7b5a4c3ce7473d8eac1d987332b23

memory/880-104-0x00000000005F0000-0x00000000006F0000-memory.dmp

memory/1708-108-0x0000000000400000-0x000000000063F000-memory.dmp

memory/292-116-0x0000000000400000-0x0000000000537000-memory.dmp

memory/292-115-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1708-113-0x0000000000400000-0x000000000063F000-memory.dmp

memory/292-112-0x0000000000400000-0x0000000000537000-memory.dmp

memory/880-107-0x0000000000230000-0x000000000025C000-memory.dmp

C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe

MD5 b9bb523212e12ca7bf1a16a493b88114
SHA1 277d80f3638b4783fe029ea99bf8898e9e0e708c
SHA256 384ac8d339d59266fcdab0b7bfbee66da68fa36afe21b2ece7db7ce8d3958834
SHA512 18637acbe75cf23890f722061508fad1658d054423e893cd0291922cb20d7489377fe08480089d66625de8909faa90fbffef379867c843cc0b2cd6de3f70f6c7

memory/1708-103-0x0000000000400000-0x000000000063F000-memory.dmp

memory/1708-101-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe

MD5 efe55157180963b85190f1868ff7d385
SHA1 d7e3a972f975df765e7724a6e96a14d44fde4ab0
SHA256 ec546ed677887fd5dcad010ea10fa6ab787ef65942cb1cf462ec89cd143c5211
SHA512 35f16251b1f1029b98a4337aa6b83c1d886b17e1d0f10a358127efa286f121e32fd603af7ee7a08f51adeea00bd374c2d4426dde1b85ae751d12c604e6674ba5

\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe

MD5 4529db30633423eac18277874736931c
SHA1 a30768bffa620aaec9b2711d7e2bfd24918cd33d
SHA256 0b6f69e141b7a4c1b8f8c55c140542f6a45273a051da322b4c91f0bf97d9e7d5
SHA512 35e18d2d8f6d1c5356233a50b0543a2dedcb5727ebe4c3d1eed5bdc7d9d22cb52da1cadc80f4cb7b103ddf681db7a1670336ffb74ae9be49e3d23b0c20867e20

\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe

MD5 76830df60b430297f943a4136eaa2a45
SHA1 04d90bb53652a7fb5aef5e2976801c516d78e679
SHA256 69a5514030751dae3dedec8b4146cb0dec21112387559fa3cbafa7c08d26be4a
SHA512 3c405205e2f9c7506c7e071aacd8ad522525ece609d12739822ebff6ed3a11bfceef4c52dd9c574bdb4e65155e86852224f0fc88972e9cfbd76f2abab333e118

C:\Users\Admin\AppData\Local\Temp\Tar7BA6.tmp

MD5 8c7b045034dd2570b46b74823183f35c
SHA1 5af91c5d7a76fb51ed96861cc09f969396c2cd68
SHA256 4d018418e5cd7ad004c32bca5968e04e8f4d0a306618d0ce4b7057de95af8fc0
SHA512 e16cd2876f1f731f920a40d5b72ccbaa3d7be158a5f9ea749b1947c95a0bfe4127e09a683ce98eefc2051cd6128069cd1e5d42fa65be44d9393620da2d90c62b

memory/292-201-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe

MD5 b236d8fab9cbd26781342f2a71925fda
SHA1 837072bf4262d405b53cda23f1fc41972c6d5bb9
SHA256 6a90007d980aaa6482c0406f6b31f271628d5edad63dc7453d2b7ce5a09206f2
SHA512 65734358e17d8ca79e4514d5615e6e6a2153d348fa1d00ca521de009facb7dba37b01387178184137d23afa459c6dde23c9fd17f2e2818fb1f6f51d688b7bd48

C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe

MD5 a79fcd7f663730f138514479e5a1dceb
SHA1 0fa81fb4bc4213597884b909cea00e65fc2a4af9
SHA256 1ca82af8e3becb65116fbf334e7c552373f954a4405c847a924660235d2445c3
SHA512 540a7ebcc618f4ba64fe61f31410a5d81b2399405a6069d60803b2596f3b889bfd0219511c1b107b6931471c267afda065b640b066ff634f97b6f4eb765e3c31

memory/292-230-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe

MD5 9f033d7433b20fc2bb8e77f93e3c1584
SHA1 a08eaa09307cfd1695ac7d2f4d7b74732a5b63db
SHA256 c36a4e6d21ac9beebd5369cdc22d9eac7e457b6bfa6d6577995ada112a515bb1
SHA512 69730f767072ff63cda0bbeae79205d3ef23da4eba75c18e4d3059d3a28d838b44ef79f19526af47146110ce2331ba8a9252152474be2270abdaf14c4b1d74db

\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe

MD5 cf5cfd934886fbefa816ef6965acaddc
SHA1 2cd7fe7327cba673c0a798ba2e9c498cd5081610
SHA256 26052eaa3715b3b8b19fc478c3abffa6f9f0bb26875ee7627d90a59da3b4b67d
SHA512 862c96edaf3fab4fb0174aa41949b6296c7246de7f29f13cfb357c64035c3aa75ccd7d8105424bf539a26b3ab1385159197f2ff7edd632c9d97f3b52a921f096

\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe

MD5 bd67a55b11af81684d17bf3986f36bcb
SHA1 328cc48302d6b5d348359ae28c0c707a34eaaf81
SHA256 3046d9a1d4582bb9ea817604e7604083195a1fee62a672140082ac27858634d6
SHA512 310386ce430671fc650710cd4b6ea8231c5471a172c107eb6d31e5b053c665985b5515fc2392da0e2940f965c902b5a03044a5d1f8df0c5bee97d1bd1d934a37

\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe

MD5 03a8ee63660ca468103aa075ecf2c328
SHA1 852083da704c1571e599fd32f23b022f55aaf6c6
SHA256 2342dd3c1134908a46d69ce2d02e2b74060413cca749e63effce00595086f2e9
SHA512 9976b362ff796ab2150baf1200b92915c61da3b55497a348338fd028080dd1a96dde143392bf2c07308ab58f03a2193fd31e50cf5348a481dfb3c41f2f2b832f

\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe

MD5 f74814d358e1c1c4a4e241e9d8ae465c
SHA1 bcb2a3b24a87e84b38a9e626c6fe95af16f61ece
SHA256 47b6d5490202a07faef2bf58774cd617f6f4a162edc38aa93e25d5ad2504b867
SHA512 a52b0c766486a0edc8137c47c78748b0ee88cc61a528beffb1618d213e0197a8b6ec299eaa9ee4e4fe2b97c2eeace8f79f5b099ca0c659cbf2a985a41e1f145d

\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe

MD5 11b1ed791adee318876611e1c6b52d08
SHA1 f3b44cc041e87082c3d31269b1f23b8553397554
SHA256 c20709479c2203a9d2dda38414f75a26146b5d3c4ceb6f753cd8ead24e7e14a9
SHA512 8e35fe8150d595ba0fe78ba6af8dcfd8ab5bdf3c6953fa32a1e487feff4fb5b753ac606e5218f23f930e240f5775e70bd9cec7174484d7da244f5a5a00270ccb

memory/2388-265-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2388-263-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2392-262-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2392-260-0x0000000000C72000-0x0000000000C83000-memory.dmp

C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2388-258-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe

MD5 abbdf4b6976967a33fa628695d7c7044
SHA1 8a7743bc5233487715a29590a966707df0a08287
SHA256 cc72efced3d14f110ee8247aeace4fb3746326576abd3ba557ad1eefa0acc6d2
SHA512 5e584c325354c986746bd92991ece7ee582b9255aaa5c30f29ccc86014df66024cb9ddfeb6cd568bdabf92610e1a9ddc46a2abffac43753a3c376120f6ee651d

memory/1708-268-0x0000000000400000-0x000000000063F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 63aec9a562980f2df3e20c412769f0e3
SHA1 9916625aef113893bfec09dfdd5c9230f496c6d9
SHA256 ef1c56032d935a2af5c6f70eb8e9b0932a05616094a6d230b014fe5ee8452d88
SHA512 b69c399896891a86f50bee03d1606bb69a8bbfd00ce01fdea97c6d09fdffaa54a9d8b3221497d56d41e988829f7ddaeeb291c53312aa8617c3f430e8528cd5bb

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 d35c806c95b926208b06f305860de044
SHA1 fd111b2072749c0e2b3f1bb7102e4fbcdd8b931b
SHA256 722325dfc7e0a3d8b9c5bcf978e54f9a90a83ffa5d14372a51dc7c3609fee061
SHA512 cb5f66f83bd6a8ddad6d740479d17352d3a8249ab6fec7ea0ee071dcc7f9855ed378dee61bb65e92d272e3fb8187282ce08d0694550cfa610bf6e6508ec5b6a6

memory/2632-279-0x00000000008D0000-0x00000000009D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A11.exe

MD5 76013e1d3ec5c702eaeeded9f395c951
SHA1 db62fe010b82722b5e62e783b1811b21ab56a341
SHA256 4bff603581cc603ddf36d11e26ced832993b8b55d14ffaefb0cac02f6288c213
SHA512 46819170b98da048e0b3680084706bcf3a691a822c20db7830efca82eb9264ad2e5dfa4979d88c90362e048433964d7bb175ab39d7268798bf8e193e1f6acebb

C:\Users\Admin\AppData\Local\Temp\A11.exe

MD5 1537f8732870d2db7bc81a1457fc4cb8
SHA1 f12339bd4717215205534dad0fce559990c9a54b
SHA256 239afe82c5a02bc731a50a02d3740a47a3c52640e3f0b27da4132e15c8b6eb1d
SHA512 0047d0a2862727fcf4b075fec88d380cd6b68c6facbbaf4fa993692622b96ee5a43c47f73c9e020ac3a423cbe653033504b005239e76c1a9d027809b9134346b

memory/1652-291-0x00000000009E0000-0x0000000001391000-memory.dmp

memory/1652-293-0x00000000009E0000-0x0000000001391000-memory.dmp

memory/1652-298-0x0000000077710000-0x0000000077711000-memory.dmp

memory/1652-303-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1652-337-0x00000000002C0000-0x00000000002C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\A11.exe

MD5 dea038b577bd9b3e26ae29c6f18027d8
SHA1 36de37dd9cc7ffb2622a302bef64da52fca0c4c5
SHA256 2ca4018a719cc12a936055aa04c28a2bdec2cefc66f706f9c058aa86d71290fc
SHA512 eec7f416d5af4f8e0b5b775130ea0b6b923587929216d231b52e3da3ceb4ed7a7a774844c0babe0a557c5c286257c0b5b2ba3e1365078dc4e3136a568682ba23

memory/576-339-0x0000000000DE0000-0x00000000012C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E17.exe

MD5 f7b58bfd36c7a5b74aa77eccd7ce72d7
SHA1 a25f78521b805db2a8fa0e6b2544b7afa89dd37f
SHA256 2a1b50b7442f42ac0ab92cc6c6c8413738a87b212ded89723aa038215c72eaf9
SHA512 ca78e4631321c1b857f33b77faf53a1282d36f2810e2fbc16dfed2bd3f086695ac01dacbca23e75e0340f905eeb8213255981c1606c1dfd7732273963622b339

\Users\Admin\AppData\Local\Temp\A11.exe

MD5 7ed61b7ecadc58ffdc0aea153853c651
SHA1 6d6d5f48cfb7cc75e943518a94e7e4e17fe7778f
SHA256 2dde7e4ee8c5dbc5b515bc15258ac48bdd7222f264134abf64bc18743498bb2e
SHA512 02ac0ae282e7ff82dc86a7a0ac25ad5096c912b5608764ecb57befcacc473e8c0f9eafda75042e5bf5dbba0d8744fa1e5cb3f4684f1f596eded4c5d7502e73dd

\Users\Admin\AppData\Local\Temp\A11.exe

MD5 92e3bba1f25cccad452be7e14e21db75
SHA1 f20724db7387b34941f84dc6e34e9f5899065025
SHA256 4c75ecc34302fd8aa0f1f7357217af0434b057560e31503d9c1c3f437c9964e6
SHA512 c03ee39d5bc32c2437255826802e738ce9b08f7cc35d981f52767e804ae632e3ba2c95eead25ab053b7b70adeba1d8a0ae96079ff9e4c55bafe7eb9898ea463c

\Users\Admin\AppData\Local\Temp\A11.exe

MD5 c1917b478c3c47584bccd19dffb0628a
SHA1 2962959a81ac3934eab43b61c2d1e2de9a43b77f
SHA256 b8b7a84923b1276c086af7d899c1e338d477eefbe48171a2a685e4c96df2299b
SHA512 9ba9bbca3607184bc6b228ce3a8332998ac467b130425c61d38472a150a76980b0323060adece067bfa5fa61d11447452793df240beb49b198b405538fa96032

\Users\Admin\AppData\Local\Temp\A11.exe

MD5 77d6387cdfac46bcc8aae6d9316935b6
SHA1 35d7f162cb19f80ff976fb60520f7278bc44c53e
SHA256 7933cc1f30fa4e6b572ea92662cc1017f330d97ad191c87f93e986ef19151121
SHA512 78fa19bacb122d2918823d453a468d98b26e87acf482148cd509ac62cb759191d15119fb4cf139c11e14de13a86a8bf0c6da2203ecd3db308d4c32913fd85a77

memory/1652-302-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1652-300-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1652-297-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1652-296-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1652-292-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1652-289-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\152A.exe

MD5 a0a69525c8f9355dda2f7e3b02d1cffd
SHA1 482dbab7d09369c661d0371c77f91682ae3bef34
SHA256 154b5a056b0163dd8261d044c97554e22e10e2c0f7342b4d460daf29a7a9e1d2
SHA512 0d1990d3912675ea1e040effdfdc90ef756f9abb92e5c2219633e08f7505aa99094e7f6e4af4c982a79b9b57991860df8180e321193051cd55dbf87ca1d0f840

memory/1204-348-0x0000000000070000-0x00000000001A2000-memory.dmp

memory/1204-351-0x0000000073020000-0x000000007370E000-memory.dmp

memory/1204-350-0x0000000002150000-0x000000000221A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\152A.exe

MD5 7f8f3c8f23617d4b393c7788b306cc27
SHA1 542f68e9d9c0407011449592bc04430c4bb9600f
SHA256 33c8b19b6d24f3af862d7b542c5706f05777c767a653dbd71651a9c0f7af3125
SHA512 ee83c0b0549cb88b9727515e017a3122ceed2e5dab2771861c4c7a60309dd7cfa9ecb863c89f6cbb15e2636c818802f7781c0be51de2e569297da1b3506307c0

memory/1652-620-0x00000000009E0000-0x0000000001391000-memory.dmp

memory/576-628-0x0000000000DE0000-0x00000000012C0000-memory.dmp

memory/1204-629-0x0000000073020000-0x000000007370E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 a06e0ef319f912cdf6aa6136b52ac3ce
SHA1 6494d4253abb176b0e6c4c32b52e216d2d7fddfb
SHA256 cb92304fb6fcb5f00cff8368aaef79a9fd06759504631e25e6a10baf12f3f560
SHA512 dcdade666377c868dd094ac7d78300b55c98b5f6fe76394db994b3aecf58134c0a25664e1ba6afc05885cefb6bcbe5e8c28f4b1167f1a5016ca935bc0ac36205

memory/1040-640-0x0000000000230000-0x0000000000330000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 130010140699e0993c60ebf193292ac4
SHA1 a662dd8f243e122f661a1c6fdef832f2a48376e8
SHA256 fa9c1400fa3f4c717f8e80ba372ee77e5f10eed72cbfe961c344e84834fe6d64
SHA512 9d3fc0130e2b4402a68ff77b5261490501cbeff4085566e97fd7ebbc8cfe0b4d2e246698e56208fdda957546ec6e26c8837e9edd4a2eb533778dda6e0927ae47

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 fc1fe7cf37a2eec52c8215bfee2719df
SHA1 976bf12d6eb342846e36970529a72d63f86f4083
SHA256 fa571c717eb71d3d27c224d5c60430a17ad8c50f853bd175c7f475f799370e16
SHA512 eeef44c2d6d48d940de5dd6aaa097a4915125875a7b4a403105b97feb873217d1a37e1fe8abd3412ac383375e2775dea86665c980ee294ad359208c09537c1d1

memory/656-679-0x0000000000920000-0x0000000000A20000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 84b0e4e4a1e7ebd076d931154f6a4783
SHA1 f566686f98f9f3935e35f6c460a03fa406003222
SHA256 b844f9b342ddd544fd011f3787856bd9b0993d290a41b4d6418661c690cede0f
SHA512 c6508657b519f1c2087008c58b9e266ea4b8960a0f9c5b8164258fe8391465e33a2abba40d493f428d5c597c470c1ce6596d93e83fe6a3ec222636b903ae25b6

memory/2552-721-0x00000000002F0000-0x00000000003F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 24593328c692edaeacd12222b57db1e5
SHA1 277a100b97a6843319ee42ccfe2f1c251e202ea6
SHA256 e13bf89518d5fe340413ff4579d91715aa606bc86e3e69bcd7d800992c445d16
SHA512 d878ba880ba92fd97546f83f7c6877acb80c7b78fc545c89dc7e0c23099d00004a8b560e27610587258801cacfa15a9120a68b14b0ded58a1ee8811b7b499dfe

memory/2084-764-0x0000000000870000-0x0000000000970000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 8b6a819c6926597dfa7529b692d7a6cc
SHA1 50c535e9cca464afd3a589d2231d87ce417d4312
SHA256 b9cb5501cc2d257e049e1757062523c7f9ee5a85d57d46538fe492125befd26c
SHA512 dfd28b270d99ad89f8ce1df9750b92ff558f73fe2448bf182b5c1c05c7b180bb29175eeaf5a7c918791d64b36167fc1a6044f1aaff838e02e878782f5f6c0ba9

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-29 04:51

Reported

2024-01-29 04:56

Platform

win10-20231215-en

Max time kernel

272s

Max time network

294s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe"

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Vidar

stealer vidar

ZGRat

rat zgrat

Downloads MZ/PE file

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CA16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EE7A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E7B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6BAC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6BAC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6BAC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2e743ac6-deca-4958-9048-212029496756\\D4B6.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\D4B6.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4572 set thread context of 2408 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4240 set thread context of 3296 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4960 set thread context of 3252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
PID 3536 set thread context of 2644 N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3804 set thread context of 4164 N/A C:\Users\Admin\AppData\Local\Temp\EE7A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3416 set thread context of 2560 N/A C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe
PID 2356 set thread context of 3080 N/A C:\Users\Admin\AppData\Local\Temp\6BAC.exe C:\Users\Admin\AppData\Local\Temp\6BAC.exe
PID 4620 set thread context of 2244 N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
PID 4960 set thread context of 3672 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 656 set thread context of 4544 N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
PID 4124 set thread context of 3912 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2828 set thread context of 400 N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
PID 1604 set thread context of 2344 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\6BAC.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\CA16.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\CA16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\CA16.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EE7A.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6BAC.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\662C.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3364 wrote to memory of 3288 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA16.exe
PID 3364 wrote to memory of 3288 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA16.exe
PID 3364 wrote to memory of 3288 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA16.exe
PID 3364 wrote to memory of 4572 N/A N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 3364 wrote to memory of 4572 N/A N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 3364 wrote to memory of 4572 N/A N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4572 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4572 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4572 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4572 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4572 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4572 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4572 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4572 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4572 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4572 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 2408 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Windows\SysWOW64\icacls.exe
PID 2408 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Windows\SysWOW64\icacls.exe
PID 2408 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Windows\SysWOW64\icacls.exe
PID 2408 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 2408 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 2408 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4240 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4240 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4240 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4240 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4240 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4240 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4240 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4240 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4240 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 4240 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\Temp\D4B6.exe
PID 3296 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3296 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 3296 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4960 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
PID 4960 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
PID 4960 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
PID 4960 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
PID 4960 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
PID 4960 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
PID 4960 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
PID 4960 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
PID 4960 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
PID 4960 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
PID 3364 wrote to memory of 3536 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe
PID 3364 wrote to memory of 3536 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe
PID 3364 wrote to memory of 3536 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe
PID 3536 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3536 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3536 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3536 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3536 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3536 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3536 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3536 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3536 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\EA43.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3364 wrote to memory of 3804 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE7A.exe
PID 3364 wrote to memory of 3804 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE7A.exe
PID 3364 wrote to memory of 3804 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE7A.exe
PID 3296 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe
PID 3296 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe
PID 3296 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\D4B6.exe C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe
PID 3804 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\EE7A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe

"C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe"

C:\Users\Admin\AppData\Local\Temp\CA16.exe

C:\Users\Admin\AppData\Local\Temp\CA16.exe

C:\Users\Admin\AppData\Local\Temp\D4B6.exe

C:\Users\Admin\AppData\Local\Temp\D4B6.exe

C:\Users\Admin\AppData\Local\Temp\D4B6.exe

C:\Users\Admin\AppData\Local\Temp\D4B6.exe

C:\Users\Admin\AppData\Local\Temp\D4B6.exe

"C:\Users\Admin\AppData\Local\Temp\D4B6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\D4B6.exe

"C:\Users\Admin\AppData\Local\Temp\D4B6.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\2e743ac6-deca-4958-9048-212029496756" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe

"C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe"

C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe

"C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe

"C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\EE7A.exe

C:\Users\Admin\AppData\Local\Temp\EE7A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 2008

C:\Users\Admin\AppData\Local\Temp\EA43.exe

C:\Users\Admin\AppData\Local\Temp\EA43.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe

"C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe"

C:\Users\Admin\AppData\Local\Temp\5E7B.exe

C:\Users\Admin\AppData\Local\Temp\5E7B.exe

C:\Users\Admin\AppData\Local\Temp\662C.exe

C:\Users\Admin\AppData\Local\Temp\662C.exe

C:\Users\Admin\AppData\Local\Temp\6BAC.exe

C:\Users\Admin\AppData\Local\Temp\6BAC.exe

C:\Users\Admin\AppData\Local\Temp\6BAC.exe

C:\Users\Admin\AppData\Local\Temp\6BAC.exe

C:\Users\Admin\AppData\Local\Temp\6BAC.exe

C:\Users\Admin\AppData\Local\Temp\6BAC.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 932

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 158.160.118.17:80 trad-einmyus.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 17.118.160.158.in-addr.arpa udp
US 8.8.8.8:53 brusuax.com udp
BA 185.12.79.25:80 brusuax.com tcp
US 8.8.8.8:53 25.79.12.185.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 habrafa.com udp
BA 185.12.79.25:80 brusuax.com tcp
KR 14.33.209.147:80 habrafa.com tcp
DE 146.0.41.68:80 tcp
KR 14.33.209.147:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 147.209.33.14.in-addr.arpa udp
DE 88.198.191.199:2920 88.198.191.199 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 24.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 199.191.198.88.in-addr.arpa udp
DE 88.198.191.199:2920 88.198.191.199 tcp
US 8.8.8.8:53 novoscanais.com udp
PT 194.38.133.167:443 novoscanais.com tcp
DE 88.198.191.199:2920 88.198.191.199 tcp
DE 88.198.191.199:2920 88.198.191.199 tcp
US 8.8.8.8:53 167.133.38.194.in-addr.arpa udp
AM 92.246.138.149:80 tcp
ZA 41.185.8.154:80 tcp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
IT 185.196.10.34:80 tcp
FI 109.107.182.40:80 tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
IT 185.196.10.34:80 tcp
N/A 45.15.156.13:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 172.67.211.25:443 tcp
N/A 88.221.134.147:80 tcp
US 8.8.8.8:53 udp
N/A 172.67.129.233:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 176.97.69.235:443 tcp
N/A 88.221.134.147:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 172.67.149.126:443 tcp
US 8.8.8.8:53 udp
N/A 185.196.10.146:80 tcp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
NL 52.142.223.178:80 tcp
N/A 172.67.129.233:443 tcp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
IT 185.196.10.34:80 185.196.10.34 tcp

Files

memory/5108-3-0x0000000000400000-0x000000000085C000-memory.dmp

memory/5108-2-0x0000000000990000-0x000000000099B000-memory.dmp

memory/5108-1-0x0000000000BC0000-0x0000000000CC0000-memory.dmp

memory/3364-4-0x0000000000D10000-0x0000000000D26000-memory.dmp

memory/5108-5-0x0000000000400000-0x000000000085C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CA16.exe

MD5 f8ac4c53560d6a04583eda524e76f3df
SHA1 f25fe6b6bc16bc700037eb9f1228b622e333437b
SHA256 b5be8b28b8588c0516dcebcd2da8c13ad5c4ae33500501439b684c81a393d035
SHA512 ee85fe22c02a585cb5f8ba5d4b5369c52c98b93bdaa1dd782d409fab6dcd7ea19633d541480252dfd48cf9ff19618d0c4f533620634fb2c5ec06514db7854b9e

memory/3288-16-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CA16.exe

MD5 661750f7729c4ce10e65dc35646dd491
SHA1 caf83e4c4468a27f59c625b2eac9211103b2e0ac
SHA256 aa7a8a86745823dcef352b8395101835184abfabe854e4978a7a0628cf1c293a
SHA512 8823bcd3520f7824ce210f51c7cc346e33c6cb475688b653fcf4c8560f252f0779c2b2640740a82198afd5bb7dd34df1812b93a16ad871c6ddca546084755979

memory/3288-17-0x0000000000400000-0x0000000002B04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D4B6.exe

MD5 c6c1b7f368b2e8d1ffa22ae677a9e0fc
SHA1 ac3b0f542388302682093bde47c4005e7e00f942
SHA256 5a50cfc9452a9db8ab49ec5c5685639f801aa6a7d1a2bddeb79df17e7477e1bf
SHA512 b337463d23f12e1d2223d3506a453ad05bc0a354ab5101b369d6658bb4a4c01caf4cf6efeda26aa3b64aba90323021036ee0a1fa109cbd1565a9523221e49925

memory/2408-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2408-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2408-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4572-27-0x0000000004920000-0x0000000004A3B000-memory.dmp

memory/2408-26-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D4B6.exe

MD5 e3772c066e72cc86777e4a7801382836
SHA1 5522405e667a57ba89b077eb3322cb1052f7fc70
SHA256 6930a114d1bfcec5ac434cc30195c62c721bf3a08f61fcd0bf9b4281d45e151e
SHA512 4f70f5bdc595a283aed22ff2d70ca920784e76e8106005d8cdc3c2cf097493ca48366777c99eabd684323ff1b77a8f9bc78b0db13cc2ee18926aa97864e71a9f

memory/4572-24-0x0000000002CE0000-0x0000000002D75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D4B6.exe

MD5 0ba0c7ccb164433c8f38efb7b6d37c30
SHA1 d228b42eb073bf964bb2ef0cb62bd1ce9014da95
SHA256 6a2ddaac6d829863a62c8152ec7c40e0fe5bdd7e76a51def4d0897452be7ea17
SHA512 a5a358a598f3af6bc86792b7c08b8a4eb8597415b3b517c4777d37125ecbdde6612d53d795058e62e49dce5c249246b3bb3dabfb40e0e0ddf781bc636f2bd626

C:\Users\Admin\AppData\Local\2e743ac6-deca-4958-9048-212029496756\D4B6.exe

MD5 e7b8e4caeda74527d4deb4091158c3a9
SHA1 f1feab73214b10830e14ff2cfc17590c3ea219df
SHA256 ae9990a139c9c7ade25361daaa434b5f43c92da7104cce23c9242813ca61b995
SHA512 d6e61509a26c262f4d853b0d8bf419fc04632b9150ad49e0b9e2126c5cb459bf5bb828b5f00fde809ab0a10b8fe26f70599375adefb241679a0d7ff8d6d31074

memory/4240-47-0x0000000002B90000-0x0000000002C2F000-memory.dmp

memory/3296-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3296-48-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 7d576d4bc1ab42ce0b548c882c3246aa
SHA1 273b7a0f69d37d28ed1155b46e4d54950eb02ae9
SHA256 44fa984e9b6b45f04d146b2e98663824f1b53adc45a53fb4ddd9780664eea907
SHA512 ad5dbba1983df113337be747d5b58453ed0324f33dbd9dc9c8d3770e43a6f9e48e097e156348f7368500ee184d80a79d18893b81158361ed92bfbe9b197686ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 28baf5fd68df59a9964b94cb39ffee77
SHA1 b3fddc328582ee68eeb23616393db9abb9e27380
SHA256 c5dff2b8854fb9ed981ebdb1d6b621cf681bd1ac18ac44b14c138cd05352365b
SHA512 1487962f4c57144dac2278d6a0f04da56f6ba4f03c5467f9df1cc04896fe4fb8bb7286027ae274a95e46e6c0baad836384fe4ee969824efe295d4da2200ebcb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 da642d13993c47f847bb6a4a9ef47e4a
SHA1 a571783510ce5627e50ebf492030b8d82a1e100a
SHA256 392ca4f1de48bb9c54a7a59d65e3fa258864ab0b84571b83fb3d12ee6be2197f
SHA512 76434d5a848de8c8e78d2c157953fba7015792d95b855ba5fdd977bf56ed9956a802fb9009c10cd0f402836dae73dcf0a3e651e79ceb8d3a841d9e4377ab330e

memory/3296-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3296-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3296-46-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D4B6.exe

MD5 eb8878ef85bb94b06e02b65fd5f5eac8
SHA1 99384c4c25cb0cf7435c0fe1d19d312e1a5ea7d6
SHA256 4d8519c14ec5a661b980efb61349283389c426f3e1234204fee78ff1b68e7980
SHA512 dbf68b18a138bd6279c5c96d0ef38d5d3e5586ba0987b7f8fdba6382685dbdb2d239c31c8a9dcbc5676874155bcad8a1c936f23fce0b12f9e7d40c25db72efd1

memory/2408-41-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D4B6.exe

MD5 027d19c82b36a7faa8bef470ca6db13e
SHA1 f96142ac0dcd0ac5c1721fe77c9d501b1f645657
SHA256 eba137f6fede9441954078effc1ab36396398a7079fc7e428c0a684f4f378569
SHA512 9c31f7909764e1265fcd29a670eb5411d55409070d1740b10aea6653fe5203f038b9c15889e57ceab26b2678bcc582d2600957353b6275b6a1b9f19ec75cf1af

memory/3364-56-0x0000000002C60000-0x0000000002C76000-memory.dmp

memory/3288-57-0x0000000000400000-0x0000000002B04000-memory.dmp

C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe

MD5 fdaa6252ee44f2129d0dbd537f0cfea1
SHA1 7d412a0054c31b8cda8f02df80d615e1a5e57c6f
SHA256 0e9a42ca0e56ccf1a8552263dbc604934137932beffb4ecc29108150eea62a4a
SHA512 c27782f3a06773ce9979eb449c94ba05032f2fdf86b1ef61bf4baf0439b08611ee62226f916ac595eb7316859b097f17176f266309fb7c491684100ada6b9f8d

memory/3296-77-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3252-81-0x0000000000400000-0x000000000063F000-memory.dmp

memory/3296-80-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3296-79-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3252-73-0x0000000000400000-0x000000000063F000-memory.dmp

memory/4960-71-0x00000000006B0000-0x00000000006DC000-memory.dmp

C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe

MD5 4190ef544273f89a977588ae6d411d39
SHA1 e5b42142f250d73f218f7c6c81444447d80798d6
SHA256 ba09db2f1a3e2d8c18017368129ea65f89a2e6bdcca530dedeeb6fa1ef37739a
SHA512 5394c35501c43606e4737468395ca4e3cd1eff848b3117dcb0a210cfbc04a74e8bac6683efa361541d7d3727e1d2e5ba50ad9bc4fdac7d7f669e428221928cf6

memory/4960-69-0x00000000006E0000-0x00000000007E0000-memory.dmp

memory/3252-68-0x0000000000400000-0x000000000063F000-memory.dmp

C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe

MD5 f7fd1c1cb1e9bacb9f039b76f70b1a2d
SHA1 30346d6a12e53abb7eefe73513f1a57ef1da63e8
SHA256 95df36447ae6c9db4f5243439c3b818c787f2e09be215b283e48f7736a1a5b08
SHA512 7b343cd0b44a799b2a2dba876f8d12cbe83e4df0f43338c3a28ea7de20c60d24d1fdd714482e822b3372e9a4853ec51a99f872f358f239036cbf9102aba5207c

memory/3296-94-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA43.exe

MD5 dcfe9fa385f178fc27373b7789e364f1
SHA1 1501dd1eca1bc8776bd8cce43de14fc3f9d92f9f
SHA256 e60d4c1edc6c9b1824bfd62fca5f4bd37abfdc60605a2e31806b032700798034
SHA512 9e32351fd2671d1491bc2f8f0e5c6b21cce5552fe1d626523dcac68ca89be8af6881efda9c9c27a8adfc5aa860458ce911a7968e7a24c095f7db71e89b6d3c21

memory/3536-102-0x00000000027F0000-0x0000000002800000-memory.dmp

memory/3536-105-0x00000000028A0000-0x0000000002938000-memory.dmp

memory/3536-106-0x00000000027F0000-0x0000000002800000-memory.dmp

memory/3536-104-0x0000000004C90000-0x000000000518E000-memory.dmp

memory/2644-109-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2644-112-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2644-121-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2644-120-0x0000000001320000-0x0000000001360000-memory.dmp

memory/2644-119-0x0000000001320000-0x0000000001360000-memory.dmp

memory/2644-118-0x0000000001320000-0x0000000001360000-memory.dmp

memory/2644-117-0x0000000001320000-0x0000000001360000-memory.dmp

memory/2644-116-0x0000000001320000-0x0000000001360000-memory.dmp

memory/3536-115-0x0000000071B20000-0x000000007220E000-memory.dmp

memory/3536-114-0x0000000002950000-0x0000000004950000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE7A.exe

MD5 c292cd199f0553fe2ff286b7b6121a97
SHA1 f68555fe5a4010e0f86519862fead7833c964fb0
SHA256 3b0ed3b49cc29644880ece0a02acdfacb3e632b8ee156c51a334ec202d51e6d8
SHA512 1550887d69cf78358a4d46377bc52009e81a980eafa30fb380ad8ed29cf89c622f950771a69fb16a2f2412354948105472a34fc82e1499d7ffc043d05df0598d

C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe

MD5 108c6bcd9737c2341d24fcb73f3e8307
SHA1 8d51a0e0f6a12225c3d164ff082557d3a2d2b9fd
SHA256 57cce2e161c2efd529146ecc91a13e15681573489fd4fc2652219782e338b4c7
SHA512 b8db77b8bd44c75f5158c6caa9675923d71f1babdd2ec0399e557d40c5f37e3d8c18b4ebb3b3512a55c231ece9468a4200b7fef8fe75f34dd099242b148733f3

memory/3804-137-0x0000000002630000-0x000000000266A000-memory.dmp

memory/3804-136-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/3804-139-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-141-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-142-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/3252-140-0x0000000000400000-0x000000000063F000-memory.dmp

memory/3804-146-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-148-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-144-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-150-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-152-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-156-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-160-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-162-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-164-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-166-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-168-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-170-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-172-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-158-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-174-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-154-0x0000000002630000-0x0000000002663000-memory.dmp

memory/3804-135-0x0000000071AF0000-0x00000000721DE000-memory.dmp

memory/3804-134-0x00000000020B0000-0x00000000020EA000-memory.dmp

C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe

MD5 5353a77304faab9f9f728478dfb2e4c0
SHA1 093cf431323d2ce37eed4563c49a2a782b29c61a
SHA256 4823875621fe13cc5c34db2f2e67c4fa39bd989d5f6fb329dd17d0fe849150ab
SHA512 44ab2ce8e38aaf3fb205541c8609c18ba3e58f8a02a1f7b235feadd38b93e24e74b89640857fdc2815cab3d9b05f08ce031a556d0f53707e65e46080c0a5bb46

memory/3804-183-0x00000000026B0000-0x00000000046B0000-memory.dmp

memory/3296-131-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4164-185-0x0000000000400000-0x000000000062E000-memory.dmp

memory/3804-186-0x0000000071AF0000-0x00000000721DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE7A.exe

MD5 98928680962465db0441d79ac92ee211
SHA1 9a0963be4c5a34e46cdde8d93b4353a23166ed74
SHA256 753856475e231e8edf3ad63454793ccc5aaf7eb1019a136e7323403906578897
SHA512 d6d0caa1f1ccd10fecc4a42e2503cac1c83df9e1cca9f536fe37484d5a2d0d5a419a2eeebd47ae5239d6eef0b4b3fcce88f02d4a5d73242417a6dc810be53d52

memory/3536-103-0x00000000027F0000-0x0000000002800000-memory.dmp

memory/3536-101-0x00000000027F0000-0x0000000002800000-memory.dmp

memory/3536-100-0x0000000071B20000-0x000000007220E000-memory.dmp

memory/3536-99-0x0000000002800000-0x0000000002898000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA43.exe

MD5 53f528940ed6a08d09f160462178c738
SHA1 8b05a8d6ba28d4b590768b2e6451ee0024bf533e
SHA256 10cf30a93c56931e387c6aa4425c1eb5a018144235ccd76d2636d086ba028570
SHA512 a3d6036a16dc61de14c4aed1ac591d6f09bacf083db25c5ae2f0ab2d7c104f985c54632e707210b5b54db28679cdbf61afc17917b65113a466191a5dc1eb3c20

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 d6cc628895bfa2bef52485a263498282
SHA1 9b508cc5c290e54bfaf20774cf4e137cecfe9d1a
SHA256 71ffe94b03188a7010a0e498ada9dc5e3ee3219af76180daadf6f4135c770793
SHA512 02fffa4f5bf17c6092af7a47abcd4cadf1c702bccf5d33c4376d7ead7ebf669aee9673df84c83797c06276a5d3fff1e3c4a8932b3ca32f3a0c768c4acd196b91

memory/4164-247-0x0000000000400000-0x000000000062E000-memory.dmp

memory/3536-248-0x0000000002950000-0x0000000004950000-memory.dmp

memory/2644-249-0x0000000001320000-0x0000000001360000-memory.dmp

memory/2644-251-0x0000000001320000-0x0000000001360000-memory.dmp

memory/2644-250-0x0000000001320000-0x0000000001360000-memory.dmp

memory/2644-253-0x0000000001320000-0x0000000001360000-memory.dmp

memory/2644-252-0x0000000001320000-0x0000000001360000-memory.dmp

memory/2644-256-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 ec53c171d4688780e6865859c096c1ba
SHA1 af120aa7517902cfd3704f03020b43d4bf67fae0
SHA256 ff45f98a0f9240762f4651445bb374a77c332c994a8694a2db34fdbf470bb1cc
SHA512 a1f7c2c541499ae6352554bf49a27122cc393b432e105f3515a1126f3073b280515e83c6f7a0351a39cd6b7034d9cce1110790f12a7e920928ba436a77c848f3

memory/2560-267-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3416-265-0x0000000000850000-0x0000000000854000-memory.dmp

memory/3416-262-0x0000000000879000-0x000000000088A000-memory.dmp

C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe

MD5 52b4912f48a2042bb8c3c7ae21b4bc43
SHA1 5e09e9b0c4f18a647d738bcbe7d5247fb0df42c3
SHA256 e1bc4b35d60a949db64f0d50f3903ed570582dc6d52c8318b820b58b886ef1e3
SHA512 bf8f6b60c2380b667ea9ec321a304454e76915e7297ba92d9d752be174b01659946a130bc19d9258c57340c7dbd75db4c969773109b2e2a5b70b713b890c33fe

C:\Users\Admin\AppData\Local\Temp\5E7B.exe

MD5 feeba16f45322a354efe226bdf52ec3a
SHA1 8d6e9df069acb2969fdeb0b9dbbafe5ca9f65b9f
SHA256 462771fa672f3b63f6a78b911f64352687302e1280a9ed916fefa32f6ce3748a
SHA512 846254a81cb2f645ff0d6ae15ca1302708cb1f3d262925718588e9579cb3aa1540ed151879fa4131ee30940ba93b5028bb1ff49c4bfa85c1218f04fdc96c945c

C:\Users\Admin\AppData\Local\Temp\5E7B.exe

MD5 98f655e43e8b10a92559f27b49647178
SHA1 c82d4914bbf71adac73fa2c16f3a7d2315be8d11
SHA256 406c5f59b53d8b6a4c61f5a7f78a035c6bc0c977575dd9bb2877e5722d06326d
SHA512 6c9c5f52196ed72a7a89352fc5f5e1140a1bfb2990f7193058e5ab4f897f9e526f2084d0f6ba67654c04c8d0d2c26fb9f0b48338a55b9769af9eab59e8253da6

memory/4596-279-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4596-282-0x0000000000E10000-0x00000000017C1000-memory.dmp

memory/4596-277-0x0000000000E10000-0x00000000017C1000-memory.dmp

memory/4596-291-0x0000000000D80000-0x0000000000DC0000-memory.dmp

memory/4596-290-0x0000000000D80000-0x0000000000DC0000-memory.dmp

memory/4596-289-0x0000000000D80000-0x0000000000DC0000-memory.dmp

memory/4596-288-0x0000000000D80000-0x0000000000DC0000-memory.dmp

memory/4596-287-0x0000000000E10000-0x00000000017C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\662C.exe

MD5 2602fb05270f903b50c0c6ec9a2822a7
SHA1 e0ccc78a0d6c9e2d3384d52f5a585c3df9f1db78
SHA256 884a9de14df286b42a33a998cddea9bf8dd759665f3e146a356ba578b03d97ff
SHA512 ca1aa7bcdf0fa186a68c161a96bb5d94aefa1c0d043781d80a319671fdfb916ec68db7f41ab3454a8c3b45e87de40cae24440db9452480f052d2966c22a54028

memory/2804-296-0x0000000000970000-0x0000000000E50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\662C.exe

MD5 739717948a1b97e062be86c5fd77530c
SHA1 e2f0ab9db17bea919d9947243f4a3bbdbcfd95f3
SHA256 af157c6d0299f2c8e6ebd252b9f7d7514cacfe9bd047223cf6dcba5fc8b03b09
SHA512 6559ea5fa2be5f8ff87da10d99b55b7791c485f75c6c2334c8e74424214139131590b869001092c6ffea8b79b23d3f203425b829310851a0ed91dcf25ab319ef

memory/2356-302-0x0000000000CC0000-0x0000000000DF2000-memory.dmp

memory/2356-304-0x0000000005600000-0x00000000056CA000-memory.dmp

memory/2356-303-0x0000000071A50000-0x000000007213E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6BAC.exe

MD5 f408e54d593e520b02c0c1d27e6f3193
SHA1 41db799e95663f167535933c7dde25b8f3d0bcb2
SHA256 7a477e4f5244051fd389ee1459a4f3e12e2cc7cd40d22a35f7c024cdb631995f
SHA512 a20599827ff26de131b97764450bb8b50af612bc6e157a94d7135be6fa34fc93e6fed32381d1eb4ff833525ef71741cd176ef96e270547a2cec88724bb1b0857

C:\Users\Admin\AppData\Local\Temp\6BAC.exe

MD5 0d6763a44e17aac0916a7884d9d5f5b6
SHA1 bb8955048fc510d1bf9a68f57b50f72bb37e6e73
SHA256 4f9d9e62dbeb74593cd69dec006b8f9ded905f6a0a20f3b76588b122bbe7b043
SHA512 6f5e7c06a57e2b09e580717cc70d6c0023adfe6b8d4ef3ae3374a26814f30b2f02fa85478b1822bdeb18262c5bea4d239d1a23ed5d07f6f9b141389df6d8472b

memory/2356-1239-0x00000000055D0000-0x00000000055D1000-memory.dmp

memory/2356-1238-0x00000000055F0000-0x0000000005600000-memory.dmp

memory/2356-1240-0x0000000005700000-0x0000000005760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6BAC.exe

MD5 47ace0a33e6701a20461ecd8ef0c1f5b
SHA1 98c6f8beb8b2a49a66a1a232e6eeb2266aa4e0cf
SHA256 c743b13d9e9bcfe26417286db4f531b1c49c2f40859dbddd45fbbc4f51719df3
SHA512 bbfd1170aa7cbfb718db65a1c1a95b514f2f72b6cf77eb5dd4a8de4998b97b019b6b2fb628984d43317b65ef897950a4c9e78aa2a6c71315bafd8b0084b710e8

C:\Users\Admin\AppData\Local\Temp\6BAC.exe

MD5 d1b3d3354afd856b0d3fbfa2952669e4
SHA1 7d975d91ffeeae388ef275da4db3c6739b57f3c2
SHA256 bb0fdd3ed0d08d89690b6d929a84c201bd143255c77c20d30b318c9cb002d103
SHA512 f13c69cb266313cf93bb04d172e0bcc4957dde125655d9ca0c9e59241187a36d3a7737c48dcf4e6a515ae8a000a23292336f4bda7149aad8c942110fa2370583

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 6fd9c2d697597ca4774fc2e2c96f49bf
SHA1 341697c769f716477974493addd870bc4ce4a0a4
SHA256 ed60bf019e6abc119fbdaaeb7ebf0e32d48352e0203af787ef070cb73ff0ee21
SHA512 2f9849ccc798789b58b9e4a03476c4814db58ec8b7d0b1ed6b9bbafdf9f6f68b718be0e4be8580099eab7a92af3eba2f59ea6fdba40a96503691e33333875635

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 fb9ad0566454d006af82713ca33638f2
SHA1 b6999af4ee85e6164176d6066fea9486a6e01c61
SHA256 87970300644ddc7a2e6587f34369087d6e721fae343fcad6086c5efca3566054
SHA512 cdc94cdf38458e665f91e9d56aa9847e7544e1c8a91c3d3968cd5537a3e45334f6d56bbfbfd92a21efaf73140b00694bcbdff498601a76f5b9370c189bb6b6fe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 a8dce9c62ec4b66fb57ae21da4d5ad27
SHA1 1d7094c4435f655813e90624f34add7efa6c038e
SHA256 f87338cf56fe4520de313cc937c4f84b00b7d78a75f4b7322f9888f6009bc3d3
SHA512 bac29a3371e94e28323a82f5d2dca5dab59b36ac09c0d82eb4337b7195ad487fd77f55566eca41261b008adef8ca76ef346a0d606ee86fe7763b3ff90e842f1c

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 34a6ae3a7475777568c4fbc526de4400
SHA1 5984fe9334294ff842f381cd80705f54d9e4d4d4
SHA256 9a0bfe6e46543b8af7e72c6911ec5459d181dc3aac07ef8f0c7b53dbec820406
SHA512 310b35fd233f96156293d3023b176cc0c791566aa3b568d759acc6bc793c496c15f5f3f30917a70f247979393c3c784a0eb746d8b040a561a8907388b5b3ecbc

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 5695b39734d1f480039f231bf13fc2bd
SHA1 4245d114aa661ddecbb5d6e03f5f82e5e51b8a8e
SHA256 7adf65cff5b3ffaca85800bbf065d5114e38dbc9364aab71a017913a288c1143
SHA512 433514ccd8a210b2a29fb124962d6e75ccf448f6c7cf14b58a5beff4bf0ba056f3ec0ca278e4183decbf51df8a5c37563f07f3d774b630c87251d022fa18f429

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 7ce4118d504b75d8f4e0a3cba85a5281
SHA1 7162f93ee602be38ee2cc8d11a51072335e096e2
SHA256 d29df9947ca1c5fd3f19d7281656cb42358d5b0f4e24bc82d23f8a8f85719168
SHA512 4f4087b7a7fc3251fa730b3e47e7c678eed41e8a518b2a2bda09c6c3c2f7b706589f18e9743c81256dcd5a81e165912174e5902cdd76a640aa51073e78c9ddc5

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 7c6919a92a49aff3f3b294e64268bf48
SHA1 31d26063e1a2e26220d05837e09b8269fc21c496
SHA256 06f818b983973fc4ce99ea5ca3a7b0e4dfc00f6188314c9642cd1ff681b672d3
SHA512 27723903c574c233ab0c80af08d0cc29c444209125aa14861c58a2d9e7f435f4c955bd9989c29fcc422f508a9f4901193a79a76c328c08e48c2ea7367b93c4c2

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 b1512c2bd6a1235de62d3cdcee82114f
SHA1 896055cdf9c77dde22b28ff1260be3379c7bacc2
SHA256 e6cdcef6c01b6822958a7a4a9bf52bd656597a753971d12bab975aafbfa24870
SHA512 608386f77824984f2ab4e4d2a8847c103e1a73b899dade21688e57d3929668ad735a5800a5208154be65b4d4ccba7c5e5c875ae6bc54304a8bb696c4ef268d80

C:\Users\Admin\AppData\Local\Temp\559217417236

MD5 035295afe87d6f4e9819c02015928902
SHA1 ed58d44e899d7f4efce7acb5c5d1fd3ae1b0fa54
SHA256 fd0769ccb22466b9c4095c1f12723a7b20a1002756863701a11286ae04b1a212
SHA512 14244ebca1beb85f66c22fea681de8b0885f0050e02fda13fc3e6a5c742a14eb811a7c6a21162de0fb05976e6e18481c6b00dff027c77836a98b02cf891f5acf

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 8f9adedeaec300d93d2ec40bbb6960c9
SHA1 b865a21673e9fda9e5523f1b0438544e6ca86ce7
SHA256 8e3343b847910b0efaaeb0194bc09bcfbc4d3e97be84f0856f2c1ed259eb2e51
SHA512 a7f97f57e4fda3b00ba17dd9806db7e33a738c2f21884afb896d8ffcaf26dc56d5f10c63a05809a64cc69323a65feec779201a238ab2a8cd4c59425920947118

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 d9942b4000184bed94ba0b4ce66a5600
SHA1 fde3e515a412782687684d8685a7cdebbba385a2
SHA256 e86b884579a5df8489973cd50a3cb2f35d07741dac85735eb665f42c9eb4fb65
SHA512 2e0bccd6d31a7477cad3b05469db4cfd9f51b6c47650a18981f61badb04416b74aeeb85c454bb2b3832da1df12609fa438d4376f1ed86fc8c6d2d94f74b78a2b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dctooux.exe.log

MD5 ffe7bf10728fcdc9cfc28d6c2320a6f8
SHA1 af407275e9830d40889da2e672d2e6af118c8cb8
SHA256 72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522
SHA512 766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 cf5d0bd1046a42b9739762cdc56891f2
SHA1 86367e05e9d9942640ca7bc961295f060f46a4db
SHA256 038904890fed919e259beec967f26a140fa6a6d42bd09707c295ae7601c55623
SHA512 f06bfefb2c5f0454d79a8f8a6e6943bc67cef7a58b9ed5c3eab286289523c8d5a568a0fd7e67a86587f3c7bb4bbd4303de716685d9a8f108aff2a5d1da9d8993

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 4838c8a5fc9b7a1fd78c2e5d2527e517
SHA1 cedd5985c539de702d3bf47f23643b22b047b861
SHA256 d16c85cb59fed5c80d79c78bf60d8d16f6bf9f0b01b999dc7b2e52a0b490cb2d
SHA512 0d397d78dd1ec16accd97d933e87850ba4eade86e462287ca307d8729063cbf0850282f3a00d747d9147b9e4ea1809b52358c24adbe4e10d5c700b98e1ce6a87

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 58d5a4054fb2b552c02250a2ba355421
SHA1 cad1c48f5cff5d6bdabedaf9a3ff1961ee650a71
SHA256 49b524dbe9797e4a8905bca4b74da0f7aac977b07a5f72c66e7f3d22597a86e7
SHA512 182092ae43d0ba0fb8035ab92ac07aae902593bc8f0900c51dfb2629e8958faf1e1d89bf3e8f897f4cc971e49ebc8b224004defdcd717cc2b382eabd5f87f60a

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 cdb400cbbc0550c8810cfa1a7f4ebd72
SHA1 f9dc7693b4da360dba8071eb442f686e5ae8c75f
SHA256 513079729f8a8412889ce337fee7fba422f2b8307260557cc3586b6577c8d988
SHA512 e475ecb2fb948239273747aff406854aa7c5c2dba5ccf529541c4a1c58acb1c450baba57c9d8a0559880503f05cac80c75dec4df63b13cdffd4495eb6e01c195

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 f1e0ebb0ed514bad7df8757377325098
SHA1 52643f7d49cdbf5013f31f4155c38fbf8c7d7f0b
SHA256 d90e507895a9e90aadf86c36e5ba893936857be5c5db89e863269b3202f8d137
SHA512 2790bebeedf7271e61bf0dea1dfd942b48975da8e3ce87e8b8ddd523ca0fbeb91d038b274d132c752d7ccdc93c944473610a1bff893e7c6746122698eddd645d

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 73b20c2cf391f2616e422bb8f9857cfc
SHA1 6d715fc5e0a46a17873884279b05afe6bf1f4e04
SHA256 480229ee32582530507226c8f9d24a04fa1e1511d5c015a698b51506706a6543
SHA512 aba9efb76431aadc9d0029006ef732638a19413a10f096443bdea203bb2536ed1c8867c4f63047a26ebe21399b8bbfa5ce5dd1bf677f3c58206acd3af800a49c

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 25886e3a659696d8937dfea37a6a120c
SHA1 064ec790ffbd5d3995b058426d2e09567b8152ed
SHA256 ca3ee494dbde5ba5a97aece9c20d903ba8e38ba7dd0f7b47f1cb59d0de93c1c2
SHA512 c690bb35c7d0cd77a3133359432020f72042ac8e4880dbf0bf45f267cba44493c4aa2e011e4da8d6b6db4fe1aeb320e6c896b778654551e9218897f5b3a407e7

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 a2887aa2e1b5264abbbe4cce4839b4df
SHA1 9a501b740c9b9a7d8b2230d67d5a94d502c0a884
SHA256 a3aa6c0b016421385e086b94ce308ba0b8c7e7b215bb880c43c2256a6de3b6b0
SHA512 a88797b8c162ef3e2b2f376b59312d758db8830706595dc1139eda9f3f2585932dd1468e59e9ec3352577c709007164832cca923f7468945f1ff6032c2361cbc