Analysis Overview
SHA256
5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2
Threat Level: Known bad
The file 5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2 was found to be: Known bad.
Malicious Activity Summary
Vidar
Detect Vidar Stealer
Detect ZGRat V1
SmokeLoader
Amadey
Stealc
Djvu Ransomware
RisePro
ZGRat
Detected Djvu ransomware
Downloads MZ/PE file
Modifies file permissions
Loads dropped DLL
Reads data files stored by FTP clients
Deletes itself
Reads user/profile data of web browsers
.NET Reactor protector
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-29 04:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-29 04:51
Reported
2024-01-29 04:56
Platform
win7-20231215-en
Max time kernel
294s
Max time network
210s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
RisePro
SmokeLoader
Vidar
ZGRat
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D45.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f0f9029c-4a2e-4a29-bbb6-78bbd2923866\\6D45.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\6D45.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\A11.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\602A.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\602A.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\602A.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\602A.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\152A.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E17.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe
"C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe"
C:\Users\Admin\AppData\Local\Temp\602A.exe
C:\Users\Admin\AppData\Local\Temp\602A.exe
C:\Users\Admin\AppData\Local\Temp\6D45.exe
C:\Users\Admin\AppData\Local\Temp\6D45.exe
C:\Users\Admin\AppData\Local\Temp\6D45.exe
C:\Users\Admin\AppData\Local\Temp\6D45.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f0f9029c-4a2e-4a29-bbb6-78bbd2923866" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\6D45.exe
"C:\Users\Admin\AppData\Local\Temp\6D45.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\6D45.exe
"C:\Users\Admin\AppData\Local\Temp\6D45.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
"C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe"
C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
"C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe"
C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe
"C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1480
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe
"C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {B93C5019-7B30-4C64-8AD3-6DA1C6F2B561} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\A11.exe
C:\Users\Admin\AppData\Local\Temp\A11.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 96
C:\Users\Admin\AppData\Local\Temp\E17.exe
C:\Users\Admin\AppData\Local\Temp\E17.exe
C:\Users\Admin\AppData\Local\Temp\152A.exe
C:\Users\Admin\AppData\Local\Temp\152A.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 158.160.118.17:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| RU | 158.160.118.17:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| BA | 185.12.79.25:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| BA | 185.12.79.25:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| KR | 211.171.233.126:80 | habrafa.com | tcp |
| DE | 146.0.41.68:80 | | tcp |
| KR | 211.171.233.126:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | novoscanais.com | udp |
| PT | 194.38.133.167:443 | novoscanais.com | tcp |
| FI | 65.109.243.18:443 | | tcp |
| PT | 194.38.133.167:443 | novoscanais.com | tcp |
| NL | 45.15.156.13:443 | | tcp |
| NL | 45.15.156.13:443 | | tcp |
| FI | 65.109.243.18:443 | 65.109.243.18 | tcp |
| US | 8.8.8.8:53 | snnclermontprojects.com | udp |
| AU | 176.97.69.235:443 | snnclermontprojects.com | tcp |
| FI | 65.109.243.18:443 | 65.109.243.18 | tcp |
| FI | 65.109.243.18:443 | | tcp |
| US | 8.8.8.8:53 | olivehr.co.za | udp |
| ZA | 41.185.8.154:80 | olivehr.co.za | tcp |
| FI | 109.107.182.40:80 | | tcp |
| GB | 92.123.241.137:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 185.196.10.146:80 | | tcp |
Files
memory/2496-1-0x00000000002D0000-0x00000000003D0000-memory.dmp
memory/2496-3-0x0000000000400000-0x000000000085C000-memory.dmp
memory/2496-2-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/2496-5-0x0000000000400000-0x000000000085C000-memory.dmp
memory/1168-4-0x0000000002F10000-0x0000000002F26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\602A.exe
| MD5 | fab1a6d1d2c9bdcbf5f327d10ca9f4de |
| SHA1 | f7b0c90f9f9a7b35e604683e2b9efad1e8b510b3 |
| SHA256 | 4f275520ee0f2de49fffc16cdacde51b307d886cb47fc80609559caf42bc1a26 |
| SHA512 | a1d8a2957a99e0263b95511f522f647ae343c6e483a672edf0d1946ad5c507aec2e3007339179389d69bf112b2e230f62bdb049926ebe722ef5f726f3d633abb |
memory/2748-18-0x0000000002C80000-0x0000000002D80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\602A.exe
| MD5 | 01fb175d82c6078ebfe27f5de4d8d2aa |
| SHA1 | ff655d5908a109af47a62670ff45008cc9e430c4 |
| SHA256 | a07112e236e0136b43294b31a43fb4456072941a135853e761680d04315841c3 |
| SHA512 | c388d632c5274aa47d605f3c49a6754d4ad581eb375c54ce82424cffa2ad86410a2ad646867a571dcf153e494b4e7ca7a7cf6952b99ddcf5940a443f7039f2fe |
memory/2748-19-0x0000000000400000-0x0000000002B04000-memory.dmp
memory/2692-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2692-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2752-35-0x0000000004530000-0x000000000464B000-memory.dmp
memory/2752-34-0x0000000000220000-0x00000000002B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6D45.exe
| MD5 | 2f50ccfc662fcc8e5d236f9c9a9820b7 |
| SHA1 | a9c3f1ffba7438133131493b374efa80cf1ff804 |
| SHA256 | b556a08ca894ed9e858480c61156767b71ffbc7216cb409df5297a42cd511cf6 |
| SHA512 | 419ae07b3f13880c90d0731f12137975ef4c366e35ddc92053432e66ad306ea47a48838b19ccf58e3e52ede744f6c31916ace33ee59aa2e58884db1a39cfa2af |
memory/2692-31-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2692-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6D45.exe
| MD5 | 5870b3730eb3989cd551f9136da65491 |
| SHA1 | 6d051e194d9457fe31c482db3cc3dbeac87a7b4d |
| SHA256 | 4e243f835b25bb440f4656577081bbe5141ed426ba78a2dba6e0e856221a2975 |
| SHA512 | 685d339a527c29689300b4c3af2336588da97c2fc539bb93ae970f53530bfc6e4d99ca6dc7cda1c3b5d65a78e813f3f20033280eaa520617545e031439a63a17 |
\Users\Admin\AppData\Local\Temp\6D45.exe
| MD5 | 24eda8fd2fcf2f355ab91f3dfe501a1d |
| SHA1 | 4433ece653a0648956218aa3270c74c3ccb519a4 |
| SHA256 | 8d63abd82fdee448a52e0f911f9d5b2784f948899e48c5173389fa660d05183e |
| SHA512 | b728d738ef3a356d5f813959ba6cdf37ee2ad9e9c5752f5e8d1bad81156069280dbb61c31074b1f7a556f84332af6a77752f014ca5f00e25e377ba8166838599 |
memory/2752-26-0x0000000000220000-0x00000000002B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6D45.exe
| MD5 | 95c9499f14bc7149bac0bdb781621646 |
| SHA1 | 98fdac3a7c3712add05c7d9273e30b00216b8a0a |
| SHA256 | 58c4a6f7c9cab89b6992e648f70a543e4fe21830b8dfa9fe6bd43bf1b11c590b |
| SHA512 | 9a1111d479e12cd3615833d08c986fdec356f95d796a2f3313bb3d63d9cf8b44f809729a1824cd418139093ab6a57a49441992965aab869eb6542a7cfc4a7025 |
C:\Users\Admin\AppData\Local\Temp\6D45.exe
| MD5 | 15c91f05c48278f3aa417e009b1f426c |
| SHA1 | 249cbc537a3162893c667c17f5780fadc7c537af |
| SHA256 | 11ee49e92080a3bf0aa77011e511b5811bac2ca2f893032409cfb6d340b8a484 |
| SHA512 | 97b767fabe82d9ee9acf6be21a620d881bc5edc5c15277e848064d7c66d906cd385d5fde8fdd5f096cff34cf2e25617642ed4cdd6f31d33d3b8e906756c71ae9 |
memory/2772-60-0x0000000002C00000-0x0000000002C91000-memory.dmp
memory/2772-63-0x0000000002C00000-0x0000000002C91000-memory.dmp
memory/292-69-0x0000000000400000-0x0000000000537000-memory.dmp
memory/292-68-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6D45.exe
| MD5 | 6b445877bf1b16f25a49ed1c462a0024 |
| SHA1 | 87f5fbbda548987d896ca8a4a31f112f8b207de6 |
| SHA256 | c61d7a879250ee5e924591c5b571c7004e608f0c76c055dc6e5e0edc0221e2ff |
| SHA512 | 62d60bec3b42a8073a2532e6f12b74ec5d68d00966911dd45a5a28e8f3288e439e7556e4eabee2c9af2c3b4cbbe56969f2cddf485455d095ae1887d3be4473e9 |
\Users\Admin\AppData\Local\Temp\6D45.exe
| MD5 | fe5820f5cee24e499354aa5d071a0693 |
| SHA1 | fec8069a34466faa2f9b2a695c1400279f04a44f |
| SHA256 | 4d895290869c5ac0329d950caa6c3655c32bc0e17bc85f14c48249b4a5c38dad |
| SHA512 | c9efadf678504874054b56fb62ed980f9ddd01352b1ea374dbe7e4bd6b1a04613268be9969e19c45fb60d6f774077c4aeb456189de42d1a0909564ff8af38c74 |
C:\Users\Admin\AppData\Local\Temp\Cab7233.tmp
| MD5 | 7bac88154885b257f35c45c60cbba016 |
| SHA1 | f1d58819eb64c8b9245b7038296945cde9034ff7 |
| SHA256 | 57466b6cc7133691e4bd4123174a4474397b2b16cfec39c7a66a18e5ab1a39ba |
| SHA512 | fb50fba28f4a2a1a75d4dc417e17f26993fb13fafd074a872f1f8dd30eaf99e2a771f2cd8106d1c99ab6e05b633ace7f8afbe466f24fdc54779faf516be0d7f2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 65ba538a16745aa5285819322debb2ba |
| SHA1 | f9161b05e8e84e5351215b98494cbce5e4a095f1 |
| SHA256 | 95740421cbc4ab0d88427514297e124186fd0483f1087b9d385a63ee871d5b3b |
| SHA512 | c9987260d034e01a13e0f5ada65115394eaa659a875209464ecc1e43f60c5d4c6166f83e1c78fdded56ae70d89a8e3efbd85f58e2cf02a42963ccfb0898dc10b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
memory/292-82-0x0000000000400000-0x0000000000537000-memory.dmp
memory/292-83-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | e4ab38c897dc79e9775af503ce73f8ba |
| SHA1 | 26820173fbe28f76856a889659e10260bed322e6 |
| SHA256 | f1d4ec5081574d5f7d6176cc7a3a112a0507a50bb73c51100861e47f0bc7509d |
| SHA512 | d5279677d8ea4f2af20c896c60709a9fbf3b25a6190ee035e06ea7ce0e76d4cf0dc6af06cf2328191183d22eb917dede3c081adae1bc29b57fbd64e819273955 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 28baf5fd68df59a9964b94cb39ffee77 |
| SHA1 | b3fddc328582ee68eeb23616393db9abb9e27380 |
| SHA256 | c5dff2b8854fb9ed981ebdb1d6b621cf681bd1ac18ac44b14c138cd05352365b |
| SHA512 | 1487962f4c57144dac2278d6a0f04da56f6ba4f03c5467f9df1cc04896fe4fb8bb7286027ae274a95e46e6c0baad836384fe4ee969824efe295d4da2200ebcb7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | fe4d3bdb485693dc204b15dce33e4e1a |
| SHA1 | e41ea3f482a7abe29d5eee7b02fb269b910c17ee |
| SHA256 | eff08c5244d3e4bd734b4374402b612bc5bc9650ed5d4ec2db64b3f3329b6f6f |
| SHA512 | 7e6eb61034a3eba0a35ecbdfa8a15a034b7cd2f3409fb066459474926d978f0af659497569c48eace22eaefbce0ca8e0861af2c084cd36967346a55fdb0b51ed |
C:\Users\Admin\AppData\Local\Temp\6D45.exe
| MD5 | db74fbf7d62029230d7727729d600a5b |
| SHA1 | eabc56b7e64fda82059349a8749389079201e39f |
| SHA256 | 0bb83776071fbd45b0abdf5e5e00804e2a1333a312d47e981d31b2a2338d69f5 |
| SHA512 | f56025d587ebbe99328c0b9e1dac05a0867ae971a65e5ac699b3e0b632af8982748cdf17a475c1a65e439380e78648d7ab6e762fa37eb85db1c608440924cb86 |
memory/1168-84-0x00000000030A0000-0x00000000030B6000-memory.dmp
memory/2748-85-0x0000000000400000-0x0000000002B04000-memory.dmp
memory/2692-58-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\6D45.exe
| MD5 | 5d59453a30abc5e258a112e84cf7b557 |
| SHA1 | e9ea9dfd1a9f6f6eaf1aa4418af24f478ed2c947 |
| SHA256 | b436a2f3337c710acad8b446057717ed0980507c1bd3845a586cd79bf0635fb2 |
| SHA512 | dcd50a3ba56bddaacde990f225072a41dfe378483de0b5f9d2b7beb6febbfa9b035acb1c8f5e1f33623189a4491eb131a6425b8fbc8963b65fabfbcc3e64fa8b |
\Users\Admin\AppData\Local\Temp\6D45.exe
| MD5 | 99269fe8c61efe8109e2cd0d95298af8 |
| SHA1 | 60563569cbad0a3d9e3520f5f04c757f7f7b7663 |
| SHA256 | 1b33c7458a93334c9278825bba82c321eb32296e364fcb0c9ea29d064bce88a7 |
| SHA512 | 09a169ebc6f4d534b3ac97be56207b92a25f9ef22aa39467102223967fef0a2473f31b27f5bf9b5fb42f6002f62eb606ecf2647de3b7fb9a0920ef28fa498482 |
C:\Users\Admin\AppData\Local\f0f9029c-4a2e-4a29-bbb6-78bbd2923866\6D45.exe
| MD5 | e6d5b731bd414c8f989e7363de944ecd |
| SHA1 | 17de6b80ce5dd5330965df515f9d78b783d68036 |
| SHA256 | f4d55078931cc42d47f3d2c8b37b63f6fcc91c6415ba206610a0c77f5969ca01 |
| SHA512 | 7ca4b4d9bc1d8e647f32085010d1d0d6c1b6bd289d1ff38bfa14b592144889f7ec56fd081fd3f8c0a51fa5228e324338809e21b757467eafa249925da5d57b4b |
C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
| MD5 | 3b0c73c3bc2209f9e1a4da5734b75ff7 |
| SHA1 | 5950fcc4d5a1aa63dd503a313a4b6bf895091753 |
| SHA256 | d4998e96f0f00606eb44756ac1ed6a770dc6c5420f36f1b0e96c5a00f685b8c7 |
| SHA512 | c2f9794f896f07652047067c125488b9023580f8e1343d90f28018c68107470ada74acf042c3e3a421cd38743e259889c9f3f70de5d53c438c890c3c1a864f69 |
C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
| MD5 | fc56e8edb50a2f75bcbd98fd51caa5b5 |
| SHA1 | 7d7de4be9b9bf14c26f753990959eda8352ee415 |
| SHA256 | 288ff1cf0ddc9f5222a4715b474e7eb02c31fb45ed3d496a8655a1850d3434e3 |
| SHA512 | 878277aa2699d1da68a05fe6d175f53071b9373eec6f548b6826e95e9fdb477b08d8dbd49781026d01eed6fa3ab16c7bffd7b5a4c3ce7473d8eac1d987332b23 |
memory/880-104-0x00000000005F0000-0x00000000006F0000-memory.dmp
memory/1708-108-0x0000000000400000-0x000000000063F000-memory.dmp
memory/292-116-0x0000000000400000-0x0000000000537000-memory.dmp
memory/292-115-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1708-113-0x0000000000400000-0x000000000063F000-memory.dmp
memory/292-112-0x0000000000400000-0x0000000000537000-memory.dmp
memory/880-107-0x0000000000230000-0x000000000025C000-memory.dmp
C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
| MD5 | b9bb523212e12ca7bf1a16a493b88114 |
| SHA1 | 277d80f3638b4783fe029ea99bf8898e9e0e708c |
| SHA256 | 384ac8d339d59266fcdab0b7bfbee66da68fa36afe21b2ece7db7ce8d3958834 |
| SHA512 | 18637acbe75cf23890f722061508fad1658d054423e893cd0291922cb20d7489377fe08480089d66625de8909faa90fbffef379867c843cc0b2cd6de3f70f6c7 |
memory/1708-103-0x0000000000400000-0x000000000063F000-memory.dmp
memory/1708-101-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
| MD5 | efe55157180963b85190f1868ff7d385 |
| SHA1 | d7e3a972f975df765e7724a6e96a14d44fde4ab0 |
| SHA256 | ec546ed677887fd5dcad010ea10fa6ab787ef65942cb1cf462ec89cd143c5211 |
| SHA512 | 35f16251b1f1029b98a4337aa6b83c1d886b17e1d0f10a358127efa286f121e32fd603af7ee7a08f51adeea00bd374c2d4426dde1b85ae751d12c604e6674ba5 |
\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
| MD5 | 4529db30633423eac18277874736931c |
| SHA1 | a30768bffa620aaec9b2711d7e2bfd24918cd33d |
| SHA256 | 0b6f69e141b7a4c1b8f8c55c140542f6a45273a051da322b4c91f0bf97d9e7d5 |
| SHA512 | 35e18d2d8f6d1c5356233a50b0543a2dedcb5727ebe4c3d1eed5bdc7d9d22cb52da1cadc80f4cb7b103ddf681db7a1670336ffb74ae9be49e3d23b0c20867e20 |
\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build2.exe
| MD5 | 76830df60b430297f943a4136eaa2a45 |
| SHA1 | 04d90bb53652a7fb5aef5e2976801c516d78e679 |
| SHA256 | 69a5514030751dae3dedec8b4146cb0dec21112387559fa3cbafa7c08d26be4a |
| SHA512 | 3c405205e2f9c7506c7e071aacd8ad522525ece609d12739822ebff6ed3a11bfceef4c52dd9c574bdb4e65155e86852224f0fc88972e9cfbd76f2abab333e118 |
C:\Users\Admin\AppData\Local\Temp\Tar7BA6.tmp
| MD5 | 8c7b045034dd2570b46b74823183f35c |
| SHA1 | 5af91c5d7a76fb51ed96861cc09f969396c2cd68 |
| SHA256 | 4d018418e5cd7ad004c32bca5968e04e8f4d0a306618d0ce4b7057de95af8fc0 |
| SHA512 | e16cd2876f1f731f920a40d5b72ccbaa3d7be158a5f9ea749b1947c95a0bfe4127e09a683ce98eefc2051cd6128069cd1e5d42fa65be44d9393620da2d90c62b |
memory/292-201-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe
| MD5 | b236d8fab9cbd26781342f2a71925fda |
| SHA1 | 837072bf4262d405b53cda23f1fc41972c6d5bb9 |
| SHA256 | 6a90007d980aaa6482c0406f6b31f271628d5edad63dc7453d2b7ce5a09206f2 |
| SHA512 | 65734358e17d8ca79e4514d5615e6e6a2153d348fa1d00ca521de009facb7dba37b01387178184137d23afa459c6dde23c9fd17f2e2818fb1f6f51d688b7bd48 |
C:\Users\Admin\AppData\Local\1b118ea5-c548-4495-8afc-4f4d3a58dd7f\build3.exe
| MD5 | a79fcd7f663730f138514479e5a1dceb |
| SHA1 | 0fa81fb4bc4213597884b909cea00e65fc2a4af9 |
| SHA256 | 1ca82af8e3becb65116fbf334e7c552373f954a4405c847a924660235d2445c3 |
| SHA512 | 540a7ebcc618f4ba64fe61f31410a5d81b2399405a6069d60803b2596f3b889bfd0219511c1b107b6931471c267afda065b640b066ff634f97b6f4eb765e3c31 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-29 04:51
Reported
2024-01-29 04:56
Platform
win10-20231215-en
Max time kernel
272s
Max time network
294s
Command Line
Signatures
Amadey
Detect Vidar Stealer
Detect ZGRat V1
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Stealc
Vidar
ZGRat
Downloads MZ/PE file
.NET Reactor protector
Deletes itself
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2e743ac6-deca-4958-9048-212029496756\\D4B6.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\D4B6.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\6BAC.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\CA16.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\CA16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\CA16.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CA16.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EE7A.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6BAC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662C.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe
"C:\Users\Admin\AppData\Local\Temp\5133b5ccbc90afe0d4e7b92e3fec18c0863a5d9b05aa1e5ffcb1bea360d8ddc2.exe"
C:\Users\Admin\AppData\Local\Temp\CA16.exe
C:\Users\Admin\AppData\Local\Temp\CA16.exe
C:\Users\Admin\AppData\Local\Temp\D4B6.exe
C:\Users\Admin\AppData\Local\Temp\D4B6.exe
C:\Users\Admin\AppData\Local\Temp\D4B6.exe
C:\Users\Admin\AppData\Local\Temp\D4B6.exe
C:\Users\Admin\AppData\Local\Temp\D4B6.exe
"C:\Users\Admin\AppData\Local\Temp\D4B6.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\D4B6.exe
"C:\Users\Admin\AppData\Local\Temp\D4B6.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\2e743ac6-deca-4958-9048-212029496756" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
"C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe"
C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
"C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe
"C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1160
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\EE7A.exe
C:\Users\Admin\AppData\Local\Temp\EE7A.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 2008
C:\Users\Admin\AppData\Local\Temp\EA43.exe
C:\Users\Admin\AppData\Local\Temp\EA43.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe
"C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe"
C:\Users\Admin\AppData\Local\Temp\5E7B.exe
C:\Users\Admin\AppData\Local\Temp\5E7B.exe
C:\Users\Admin\AppData\Local\Temp\662C.exe
C:\Users\Admin\AppData\Local\Temp\662C.exe
C:\Users\Admin\AppData\Local\Temp\6BAC.exe
C:\Users\Admin\AppData\Local\Temp\6BAC.exe
C:\Users\Admin\AppData\Local\Temp\6BAC.exe
C:\Users\Admin\AppData\Local\Temp\6BAC.exe
C:\Users\Admin\AppData\Local\Temp\6BAC.exe
C:\Users\Admin\AppData\Local\Temp\6BAC.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 932
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
Network
Files
| MD5 | da642d13993c47f847bb6a4a9ef47e4a |
| SHA1 | a571783510ce5627e50ebf492030b8d82a1e100a |
| SHA256 | 392ca4f1de48bb9c54a7a59d65e3fa258864ab0b84571b83fb3d12ee6be2197f |
| SHA512 | 76434d5a848de8c8e78d2c157953fba7015792d95b855ba5fdd977bf56ed9956a802fb9009c10cd0f402836dae73dcf0a3e651e79ceb8d3a841d9e4377ab330e |
memory/3296-55-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3296-54-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3296-46-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D4B6.exe
| MD5 | eb8878ef85bb94b06e02b65fd5f5eac8 |
| SHA1 | 99384c4c25cb0cf7435c0fe1d19d312e1a5ea7d6 |
| SHA256 | 4d8519c14ec5a661b980efb61349283389c426f3e1234204fee78ff1b68e7980 |
| SHA512 | dbf68b18a138bd6279c5c96d0ef38d5d3e5586ba0987b7f8fdba6382685dbdb2d239c31c8a9dcbc5676874155bcad8a1c936f23fce0b12f9e7d40c25db72efd1 |
memory/2408-41-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D4B6.exe
| MD5 | 027d19c82b36a7faa8bef470ca6db13e |
| SHA1 | f96142ac0dcd0ac5c1721fe77c9d501b1f645657 |
| SHA256 | eba137f6fede9441954078effc1ab36396398a7079fc7e428c0a684f4f378569 |
| SHA512 | 9c31f7909764e1265fcd29a670eb5411d55409070d1740b10aea6653fe5203f038b9c15889e57ceab26b2678bcc582d2600957353b6275b6a1b9f19ec75cf1af |
memory/3364-56-0x0000000002C60000-0x0000000002C76000-memory.dmp
memory/3288-57-0x0000000000400000-0x0000000002B04000-memory.dmp
C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
| MD5 | fdaa6252ee44f2129d0dbd537f0cfea1 |
| SHA1 | 7d412a0054c31b8cda8f02df80d615e1a5e57c6f |
| SHA256 | 0e9a42ca0e56ccf1a8552263dbc604934137932beffb4ecc29108150eea62a4a |
| SHA512 | c27782f3a06773ce9979eb449c94ba05032f2fdf86b1ef61bf4baf0439b08611ee62226f916ac595eb7316859b097f17176f266309fb7c491684100ada6b9f8d |
memory/3296-77-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3252-81-0x0000000000400000-0x000000000063F000-memory.dmp
memory/3296-80-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3296-79-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3252-73-0x0000000000400000-0x000000000063F000-memory.dmp
memory/4960-71-0x00000000006B0000-0x00000000006DC000-memory.dmp
C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
| MD5 | 4190ef544273f89a977588ae6d411d39 |
| SHA1 | e5b42142f250d73f218f7c6c81444447d80798d6 |
| SHA256 | ba09db2f1a3e2d8c18017368129ea65f89a2e6bdcca530dedeeb6fa1ef37739a |
| SHA512 | 5394c35501c43606e4737468395ca4e3cd1eff848b3117dcb0a210cfbc04a74e8bac6683efa361541d7d3727e1d2e5ba50ad9bc4fdac7d7f669e428221928cf6 |
memory/4960-69-0x00000000006E0000-0x00000000007E0000-memory.dmp
memory/3252-68-0x0000000000400000-0x000000000063F000-memory.dmp
C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build2.exe
| MD5 | f7fd1c1cb1e9bacb9f039b76f70b1a2d |
| SHA1 | 30346d6a12e53abb7eefe73513f1a57ef1da63e8 |
| SHA256 | 95df36447ae6c9db4f5243439c3b818c787f2e09be215b283e48f7736a1a5b08 |
| SHA512 | 7b343cd0b44a799b2a2dba876f8d12cbe83e4df0f43338c3a28ea7de20c60d24d1fdd714482e822b3372e9a4853ec51a99f872f358f239036cbf9102aba5207c |
memory/3296-94-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA43.exe
| MD5 | dcfe9fa385f178fc27373b7789e364f1 |
| SHA1 | 1501dd1eca1bc8776bd8cce43de14fc3f9d92f9f |
| SHA256 | e60d4c1edc6c9b1824bfd62fca5f4bd37abfdc60605a2e31806b032700798034 |
| SHA512 | 9e32351fd2671d1491bc2f8f0e5c6b21cce5552fe1d626523dcac68ca89be8af6881efda9c9c27a8adfc5aa860458ce911a7968e7a24c095f7db71e89b6d3c21 |
memory/3536-102-0x00000000027F0000-0x0000000002800000-memory.dmp
memory/3536-105-0x00000000028A0000-0x0000000002938000-memory.dmp
memory/3536-106-0x00000000027F0000-0x0000000002800000-memory.dmp
memory/3536-104-0x0000000004C90000-0x000000000518E000-memory.dmp
memory/2644-109-0x0000000000400000-0x000000000048A000-memory.dmp
memory/2644-112-0x0000000000400000-0x000000000048A000-memory.dmp
memory/2644-121-0x0000000000400000-0x000000000048A000-memory.dmp
memory/2644-120-0x0000000001320000-0x0000000001360000-memory.dmp
memory/2644-119-0x0000000001320000-0x0000000001360000-memory.dmp
memory/2644-118-0x0000000001320000-0x0000000001360000-memory.dmp
memory/2644-117-0x0000000001320000-0x0000000001360000-memory.dmp
memory/2644-116-0x0000000001320000-0x0000000001360000-memory.dmp
memory/3536-115-0x0000000071B20000-0x000000007220E000-memory.dmp
memory/3536-114-0x0000000002950000-0x0000000004950000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EE7A.exe
| MD5 | c292cd199f0553fe2ff286b7b6121a97 |
| SHA1 | f68555fe5a4010e0f86519862fead7833c964fb0 |
| SHA256 | 3b0ed3b49cc29644880ece0a02acdfacb3e632b8ee156c51a334ec202d51e6d8 |
| SHA512 | 1550887d69cf78358a4d46377bc52009e81a980eafa30fb380ad8ed29cf89c622f950771a69fb16a2f2412354948105472a34fc82e1499d7ffc043d05df0598d |
C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe
| MD5 | 108c6bcd9737c2341d24fcb73f3e8307 |
| SHA1 | 8d51a0e0f6a12225c3d164ff082557d3a2d2b9fd |
| SHA256 | 57cce2e161c2efd529146ecc91a13e15681573489fd4fc2652219782e338b4c7 |
| SHA512 | b8db77b8bd44c75f5158c6caa9675923d71f1babdd2ec0399e557d40c5f37e3d8c18b4ebb3b3512a55c231ece9468a4200b7fef8fe75f34dd099242b148733f3 |
memory/3804-137-0x0000000002630000-0x000000000266A000-memory.dmp
memory/3804-136-0x0000000004A90000-0x0000000004AA0000-memory.dmp
memory/3804-139-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-141-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-142-0x0000000004A90000-0x0000000004AA0000-memory.dmp
memory/3252-140-0x0000000000400000-0x000000000063F000-memory.dmp
memory/3804-146-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-148-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-144-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-150-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-152-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-156-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-160-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-162-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-164-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-166-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-168-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-170-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-172-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-158-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-174-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-154-0x0000000002630000-0x0000000002663000-memory.dmp
memory/3804-135-0x0000000071AF0000-0x00000000721DE000-memory.dmp
memory/3804-134-0x00000000020B0000-0x00000000020EA000-memory.dmp
C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe
| MD5 | 5353a77304faab9f9f728478dfb2e4c0 |
| SHA1 | 093cf431323d2ce37eed4563c49a2a782b29c61a |
| SHA256 | 4823875621fe13cc5c34db2f2e67c4fa39bd989d5f6fb329dd17d0fe849150ab |
| SHA512 | 44ab2ce8e38aaf3fb205541c8609c18ba3e58f8a02a1f7b235feadd38b93e24e74b89640857fdc2815cab3d9b05f08ce031a556d0f53707e65e46080c0a5bb46 |
memory/3804-183-0x00000000026B0000-0x00000000046B0000-memory.dmp
memory/3296-131-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4164-185-0x0000000000400000-0x000000000062E000-memory.dmp
memory/3804-186-0x0000000071AF0000-0x00000000721DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EE7A.exe
| MD5 | 98928680962465db0441d79ac92ee211 |
| SHA1 | 9a0963be4c5a34e46cdde8d93b4353a23166ed74 |
| SHA256 | 753856475e231e8edf3ad63454793ccc5aaf7eb1019a136e7323403906578897 |
| SHA512 | d6d0caa1f1ccd10fecc4a42e2503cac1c83df9e1cca9f536fe37484d5a2d0d5a419a2eeebd47ae5239d6eef0b4b3fcce88f02d4a5d73242417a6dc810be53d52 |
memory/3536-103-0x00000000027F0000-0x0000000002800000-memory.dmp
memory/3536-101-0x00000000027F0000-0x0000000002800000-memory.dmp
memory/3536-100-0x0000000071B20000-0x000000007220E000-memory.dmp
memory/3536-99-0x0000000002800000-0x0000000002898000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA43.exe
| MD5 | 53f528940ed6a08d09f160462178c738 |
| SHA1 | 8b05a8d6ba28d4b590768b2e6451ee0024bf533e |
| SHA256 | 10cf30a93c56931e387c6aa4425c1eb5a018144235ccd76d2636d086ba028570 |
| SHA512 | a3d6036a16dc61de14c4aed1ac591d6f09bacf083db25c5ae2f0ab2d7c104f985c54632e707210b5b54db28679cdbf61afc17917b65113a466191a5dc1eb3c20 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
\ProgramData\nss3.dll
| MD5 | d6cc628895bfa2bef52485a263498282 |
| SHA1 | 9b508cc5c290e54bfaf20774cf4e137cecfe9d1a |
| SHA256 | 71ffe94b03188a7010a0e498ada9dc5e3ee3219af76180daadf6f4135c770793 |
| SHA512 | 02fffa4f5bf17c6092af7a47abcd4cadf1c702bccf5d33c4376d7ead7ebf669aee9673df84c83797c06276a5d3fff1e3c4a8932b3ca32f3a0c768c4acd196b91 |
memory/4164-247-0x0000000000400000-0x000000000062E000-memory.dmp
memory/3536-248-0x0000000002950000-0x0000000004950000-memory.dmp
memory/2644-249-0x0000000001320000-0x0000000001360000-memory.dmp
memory/2644-251-0x0000000001320000-0x0000000001360000-memory.dmp
memory/2644-250-0x0000000001320000-0x0000000001360000-memory.dmp
memory/2644-253-0x0000000001320000-0x0000000001360000-memory.dmp
memory/2644-252-0x0000000001320000-0x0000000001360000-memory.dmp
memory/2644-256-0x0000000000400000-0x000000000048A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | ec53c171d4688780e6865859c096c1ba |
| SHA1 | af120aa7517902cfd3704f03020b43d4bf67fae0 |
| SHA256 | ff45f98a0f9240762f4651445bb374a77c332c994a8694a2db34fdbf470bb1cc |
| SHA512 | a1f7c2c541499ae6352554bf49a27122cc393b432e105f3515a1126f3073b280515e83c6f7a0351a39cd6b7034d9cce1110790f12a7e920928ba436a77c848f3 |
memory/2560-267-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3416-265-0x0000000000850000-0x0000000000854000-memory.dmp
memory/3416-262-0x0000000000879000-0x000000000088A000-memory.dmp
C:\Users\Admin\AppData\Local\aaf3cd37-d000-41ab-b8e7-8e49e961bb3b\build3.exe
| MD5 | 52b4912f48a2042bb8c3c7ae21b4bc43 |
| SHA1 | 5e09e9b0c4f18a647d738bcbe7d5247fb0df42c3 |
| SHA256 | e1bc4b35d60a949db64f0d50f3903ed570582dc6d52c8318b820b58b886ef1e3 |
| SHA512 | bf8f6b60c2380b667ea9ec321a304454e76915e7297ba92d9d752be174b01659946a130bc19d9258c57340c7dbd75db4c969773109b2e2a5b70b713b890c33fe |
C:\Users\Admin\AppData\Local\Temp\5E7B.exe
| MD5 | feeba16f45322a354efe226bdf52ec3a |
| SHA1 | 8d6e9df069acb2969fdeb0b9dbbafe5ca9f65b9f |
| SHA256 | 462771fa672f3b63f6a78b911f64352687302e1280a9ed916fefa32f6ce3748a |
| SHA512 | 846254a81cb2f645ff0d6ae15ca1302708cb1f3d262925718588e9579cb3aa1540ed151879fa4131ee30940ba93b5028bb1ff49c4bfa85c1218f04fdc96c945c |
C:\Users\Admin\AppData\Local\Temp\5E7B.exe
| MD5 | 98f655e43e8b10a92559f27b49647178 |
| SHA1 | c82d4914bbf71adac73fa2c16f3a7d2315be8d11 |
| SHA256 | 406c5f59b53d8b6a4c61f5a7f78a035c6bc0c977575dd9bb2877e5722d06326d |
| SHA512 | 6c9c5f52196ed72a7a89352fc5f5e1140a1bfb2990f7193058e5ab4f897f9e526f2084d0f6ba67654c04c8d0d2c26fb9f0b48338a55b9769af9eab59e8253da6 |
memory/4596-279-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/4596-282-0x0000000000E10000-0x00000000017C1000-memory.dmp
memory/4596-277-0x0000000000E10000-0x00000000017C1000-memory.dmp
memory/4596-291-0x0000000000D80000-0x0000000000DC0000-memory.dmp
memory/4596-290-0x0000000000D80000-0x0000000000DC0000-memory.dmp
memory/4596-289-0x0000000000D80000-0x0000000000DC0000-memory.dmp
memory/4596-288-0x0000000000D80000-0x0000000000DC0000-memory.dmp
memory/4596-287-0x0000000000E10000-0x00000000017C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\662C.exe
| MD5 | 2602fb05270f903b50c0c6ec9a2822a7 |
| SHA1 | e0ccc78a0d6c9e2d3384d52f5a585c3df9f1db78 |
| SHA256 | 884a9de14df286b42a33a998cddea9bf8dd759665f3e146a356ba578b03d97ff |
| SHA512 | ca1aa7bcdf0fa186a68c161a96bb5d94aefa1c0d043781d80a319671fdfb916ec68db7f41ab3454a8c3b45e87de40cae24440db9452480f052d2966c22a54028 |
memory/2804-296-0x0000000000970000-0x0000000000E50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\662C.exe
| MD5 | 739717948a1b97e062be86c5fd77530c |
| SHA1 | e2f0ab9db17bea919d9947243f4a3bbdbcfd95f3 |
| SHA256 | af157c6d0299f2c8e6ebd252b9f7d7514cacfe9bd047223cf6dcba5fc8b03b09 |
| SHA512 | 6559ea5fa2be5f8ff87da10d99b55b7791c485f75c6c2334c8e74424214139131590b869001092c6ffea8b79b23d3f203425b829310851a0ed91dcf25ab319ef |
memory/2356-302-0x0000000000CC0000-0x0000000000DF2000-memory.dmp
memory/2356-304-0x0000000005600000-0x00000000056CA000-memory.dmp
memory/2356-303-0x0000000071A50000-0x000000007213E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6BAC.exe
| MD5 | f408e54d593e520b02c0c1d27e6f3193 |
| SHA1 | 41db799e95663f167535933c7dde25b8f3d0bcb2 |
| SHA256 | 7a477e4f5244051fd389ee1459a4f3e12e2cc7cd40d22a35f7c024cdb631995f |
| SHA512 | a20599827ff26de131b97764450bb8b50af612bc6e157a94d7135be6fa34fc93e6fed32381d1eb4ff833525ef71741cd176ef96e270547a2cec88724bb1b0857 |
C:\Users\Admin\AppData\Local\Temp\6BAC.exe
| MD5 | 0d6763a44e17aac0916a7884d9d5f5b6 |
| SHA1 | bb8955048fc510d1bf9a68f57b50f72bb37e6e73 |
| SHA256 | 4f9d9e62dbeb74593cd69dec006b8f9ded905f6a0a20f3b76588b122bbe7b043 |
| SHA512 | 6f5e7c06a57e2b09e580717cc70d6c0023adfe6b8d4ef3ae3374a26814f30b2f02fa85478b1822bdeb18262c5bea4d239d1a23ed5d07f6f9b141389df6d8472b |
memory/2356-1239-0x00000000055D0000-0x00000000055D1000-memory.dmp
memory/2356-1238-0x00000000055F0000-0x0000000005600000-memory.dmp
memory/2356-1240-0x0000000005700000-0x0000000005760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6BAC.exe
| MD5 | 47ace0a33e6701a20461ecd8ef0c1f5b |
| SHA1 | 98c6f8beb8b2a49a66a1a232e6eeb2266aa4e0cf |
| SHA256 | c743b13d9e9bcfe26417286db4f531b1c49c2f40859dbddd45fbbc4f51719df3 |
| SHA512 | bbfd1170aa7cbfb718db65a1c1a95b514f2f72b6cf77eb5dd4a8de4998b97b019b6b2fb628984d43317b65ef897950a4c9e78aa2a6c71315bafd8b0084b710e8 |
C:\Users\Admin\AppData\Local\Temp\6BAC.exe
| MD5 | d1b3d3354afd856b0d3fbfa2952669e4 |
| SHA1 | 7d975d91ffeeae388ef275da4db3c6739b57f3c2 |
| SHA256 | bb0fdd3ed0d08d89690b6d929a84c201bd143255c77c20d30b318c9cb002d103 |
| SHA512 | f13c69cb266313cf93bb04d172e0bcc4957dde125655d9ca0c9e59241187a36d3a7737c48dcf4e6a515ae8a000a23292336f4bda7149aad8c942110fa2370583 |
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
| MD5 | 6fd9c2d697597ca4774fc2e2c96f49bf |
| SHA1 | 341697c769f716477974493addd870bc4ce4a0a4 |
| SHA256 | ed60bf019e6abc119fbdaaeb7ebf0e32d48352e0203af787ef070cb73ff0ee21 |
| SHA512 | 2f9849ccc798789b58b9e4a03476c4814db58ec8b7d0b1ed6b9bbafdf9f6f68b718be0e4be8580099eab7a92af3eba2f59ea6fdba40a96503691e33333875635 |
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
| MD5 | fb9ad0566454d006af82713ca33638f2 |
| SHA1 | b6999af4ee85e6164176d6066fea9486a6e01c61 |
| SHA256 | 87970300644ddc7a2e6587f34369087d6e721fae343fcad6086c5efca3566054 |
| SHA512 | cdc94cdf38458e665f91e9d56aa9847e7544e1c8a91c3d3968cd5537a3e45334f6d56bbfbfd92a21efaf73140b00694bcbdff498601a76f5b9370c189bb6b6fe |
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
| MD5 | a8dce9c62ec4b66fb57ae21da4d5ad27 |
| SHA1 | 1d7094c4435f655813e90624f34add7efa6c038e |
| SHA256 | f87338cf56fe4520de313cc937c4f84b00b7d78a75f4b7322f9888f6009bc3d3 |
| SHA512 | bac29a3371e94e28323a82f5d2dca5dab59b36ac09c0d82eb4337b7195ad487fd77f55566eca41261b008adef8ca76ef346a0d606ee86fe7763b3ff90e842f1c |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 34a6ae3a7475777568c4fbc526de4400 |
| SHA1 | 5984fe9334294ff842f381cd80705f54d9e4d4d4 |
| SHA256 | 9a0bfe6e46543b8af7e72c6911ec5459d181dc3aac07ef8f0c7b53dbec820406 |
| SHA512 | 310b35fd233f96156293d3023b176cc0c791566aa3b568d759acc6bc793c496c15f5f3f30917a70f247979393c3c784a0eb746d8b040a561a8907388b5b3ecbc |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 5695b39734d1f480039f231bf13fc2bd |
| SHA1 | 4245d114aa661ddecbb5d6e03f5f82e5e51b8a8e |
| SHA256 | 7adf65cff5b3ffaca85800bbf065d5114e38dbc9364aab71a017913a288c1143 |
| SHA512 | 433514ccd8a210b2a29fb124962d6e75ccf448f6c7cf14b58a5beff4bf0ba056f3ec0ca278e4183decbf51df8a5c37563f07f3d774b630c87251d022fa18f429 |
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
| MD5 | 7ce4118d504b75d8f4e0a3cba85a5281 |
| SHA1 | 7162f93ee602be38ee2cc8d11a51072335e096e2 |
| SHA256 | d29df9947ca1c5fd3f19d7281656cb42358d5b0f4e24bc82d23f8a8f85719168 |
| SHA512 | 4f4087b7a7fc3251fa730b3e47e7c678eed41e8a518b2a2bda09c6c3c2f7b706589f18e9743c81256dcd5a81e165912174e5902cdd76a640aa51073e78c9ddc5 |
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
| MD5 | 7c6919a92a49aff3f3b294e64268bf48 |
| SHA1 | 31d26063e1a2e26220d05837e09b8269fc21c496 |
| SHA256 | 06f818b983973fc4ce99ea5ca3a7b0e4dfc00f6188314c9642cd1ff681b672d3 |
| SHA512 | 27723903c574c233ab0c80af08d0cc29c444209125aa14861c58a2d9e7f435f4c955bd9989c29fcc422f508a9f4901193a79a76c328c08e48c2ea7367b93c4c2 |
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
| MD5 | b1512c2bd6a1235de62d3cdcee82114f |
| SHA1 | 896055cdf9c77dde22b28ff1260be3379c7bacc2 |
| SHA256 | e6cdcef6c01b6822958a7a4a9bf52bd656597a753971d12bab975aafbfa24870 |
| SHA512 | 608386f77824984f2ab4e4d2a8847c103e1a73b899dade21688e57d3929668ad735a5800a5208154be65b4d4ccba7c5e5c875ae6bc54304a8bb696c4ef268d80 |
C:\Users\Admin\AppData\Local\Temp\559217417236
| MD5 | 035295afe87d6f4e9819c02015928902 |
| SHA1 | ed58d44e899d7f4efce7acb5c5d1fd3ae1b0fa54 |
| SHA256 | fd0769ccb22466b9c4095c1f12723a7b20a1002756863701a11286ae04b1a212 |
| SHA512 | 14244ebca1beb85f66c22fea681de8b0885f0050e02fda13fc3e6a5c742a14eb811a7c6a21162de0fb05976e6e18481c6b00dff027c77836a98b02cf891f5acf |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 8f9adedeaec300d93d2ec40bbb6960c9 |
| SHA1 | b865a21673e9fda9e5523f1b0438544e6ca86ce7 |
| SHA256 | 8e3343b847910b0efaaeb0194bc09bcfbc4d3e97be84f0856f2c1ed259eb2e51 |
| SHA512 | a7f97f57e4fda3b00ba17dd9806db7e33a738c2f21884afb896d8ffcaf26dc56d5f10c63a05809a64cc69323a65feec779201a238ab2a8cd4c59425920947118 |
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
| MD5 | d9942b4000184bed94ba0b4ce66a5600 |
| SHA1 | fde3e515a412782687684d8685a7cdebbba385a2 |
| SHA256 | e86b884579a5df8489973cd50a3cb2f35d07741dac85735eb665f42c9eb4fb65 |
| SHA512 | 2e0bccd6d31a7477cad3b05469db4cfd9f51b6c47650a18981f61badb04416b74aeeb85c454bb2b3832da1df12609fa438d4376f1ed86fc8c6d2d94f74b78a2b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dctooux.exe.log
| MD5 | ffe7bf10728fcdc9cfc28d6c2320a6f8 |
| SHA1 | af407275e9830d40889da2e672d2e6af118c8cb8 |
| SHA256 | 72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522 |
| SHA512 | 766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | cf5d0bd1046a42b9739762cdc56891f2 |
| SHA1 | 86367e05e9d9942640ca7bc961295f060f46a4db |
| SHA256 | 038904890fed919e259beec967f26a140fa6a6d42bd09707c295ae7601c55623 |
| SHA512 | f06bfefb2c5f0454d79a8f8a6e6943bc67cef7a58b9ed5c3eab286289523c8d5a568a0fd7e67a86587f3c7bb4bbd4303de716685d9a8f108aff2a5d1da9d8993 |
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
| MD5 | 4838c8a5fc9b7a1fd78c2e5d2527e517 |
| SHA1 | cedd5985c539de702d3bf47f23643b22b047b861 |
| SHA256 | d16c85cb59fed5c80d79c78bf60d8d16f6bf9f0b01b999dc7b2e52a0b490cb2d |
| SHA512 | 0d397d78dd1ec16accd97d933e87850ba4eade86e462287ca307d8729063cbf0850282f3a00d747d9147b9e4ea1809b52358c24adbe4e10d5c700b98e1ce6a87 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
| MD5 | 58d5a4054fb2b552c02250a2ba355421 |
| SHA1 | cad1c48f5cff5d6bdabedaf9a3ff1961ee650a71 |
| SHA256 | 49b524dbe9797e4a8905bca4b74da0f7aac977b07a5f72c66e7f3d22597a86e7 |
| SHA512 | 182092ae43d0ba0fb8035ab92ac07aae902593bc8f0900c51dfb2629e8958faf1e1d89bf3e8f897f4cc971e49ebc8b224004defdcd717cc2b382eabd5f87f60a |
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
| MD5 | cdb400cbbc0550c8810cfa1a7f4ebd72 |
| SHA1 | f9dc7693b4da360dba8071eb442f686e5ae8c75f |
| SHA256 | 513079729f8a8412889ce337fee7fba422f2b8307260557cc3586b6577c8d988 |
| SHA512 | e475ecb2fb948239273747aff406854aa7c5c2dba5ccf529541c4a1c58acb1c450baba57c9d8a0559880503f05cac80c75dec4df63b13cdffd4495eb6e01c195 |
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
| MD5 | f1e0ebb0ed514bad7df8757377325098 |
| SHA1 | 52643f7d49cdbf5013f31f4155c38fbf8c7d7f0b |
| SHA256 | d90e507895a9e90aadf86c36e5ba893936857be5c5db89e863269b3202f8d137 |
| SHA512 | 2790bebeedf7271e61bf0dea1dfd942b48975da8e3ce87e8b8ddd523ca0fbeb91d038b274d132c752d7ccdc93c944473610a1bff893e7c6746122698eddd645d |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 73b20c2cf391f2616e422bb8f9857cfc |
| SHA1 | 6d715fc5e0a46a17873884279b05afe6bf1f4e04 |
| SHA256 | 480229ee32582530507226c8f9d24a04fa1e1511d5c015a698b51506706a6543 |
| SHA512 | aba9efb76431aadc9d0029006ef732638a19413a10f096443bdea203bb2536ed1c8867c4f63047a26ebe21399b8bbfa5ce5dd1bf677f3c58206acd3af800a49c |
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
| MD5 | 25886e3a659696d8937dfea37a6a120c |
| SHA1 | 064ec790ffbd5d3995b058426d2e09567b8152ed |
| SHA256 | ca3ee494dbde5ba5a97aece9c20d903ba8e38ba7dd0f7b47f1cb59d0de93c1c2 |
| SHA512 | c690bb35c7d0cd77a3133359432020f72042ac8e4880dbf0bf45f267cba44493c4aa2e011e4da8d6b6db4fe1aeb320e6c896b778654551e9218897f5b3a407e7 |
C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
| MD5 | a2887aa2e1b5264abbbe4cce4839b4df |
| SHA1 | 9a501b740c9b9a7d8b2230d67d5a94d502c0a884 |
| SHA256 | a3aa6c0b016421385e086b94ce308ba0b8c7e7b215bb880c43c2256a6de3b6b0 |
| SHA512 | a88797b8c162ef3e2b2f376b59312d758db8830706595dc1139eda9f3f2585932dd1468e59e9ec3352577c709007164832cca923f7468945f1ff6032c2361cbc |