Malware Analysis Report

2025-08-05 09:55

Sample ID 231206-x2hr3acc56
Target 1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4
SHA256 1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4
Tags
dcrat djvu privateloader risepro smokeloader zgrat pu10 backdoor discovery evasion infostealer loader persistence ransomware rat spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4 was found to be: Known bad.

Malicious Activity Summary

Detected Djvu ransomware

RisePro

DcRat

PrivateLoader

SmokeLoader

Detect ZGRat V1

Djvu Ransomware

ZGRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies file permissions

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of web browsers

Themida packer

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Checks installed software on the system

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2023-12-06 19:20

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-06 19:20

Reported

2023-12-07 08:22

Platform

win10-20231129-en

Max time kernel

36s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe"

Signatures

DcRat

rat infostealer dcrat

Detect ZGRat V1

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\B56.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\B56.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\B56.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt73Jx3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a59624d6-f1c6-4f19-8770-fc9ec54a0899\\21CD.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\21CD.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\345D.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bS4hi99.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bH4bi22.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xC3Qm35.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\B56.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt73Jx3.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt73Jx3.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt73Jx3.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt73Jx3.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B56.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2D57.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B56.exe N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4168 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe
PID 3428 wrote to memory of 2764 N/A N/A C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3428 wrote to memory of 2520 N/A N/A C:\Users\Admin\AppData\Local\Temp\B56.exe
PID 3428 wrote to memory of 4756 N/A N/A C:\Users\Admin\AppData\Local\Temp\21CD.exe
PID 4756 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\21CD.exe C:\Users\Admin\AppData\Local\Temp\21CD.exe
PID 2368 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\21CD.exe C:\Windows\SysWOW64\icacls.exe
PID 2368 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\21CD.exe C:\Users\Admin\AppData\Local\Temp\21CD.exe
PID 224 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\21CD.exe C:\Users\Admin\AppData\Local\Temp\21CD.exe
PID 3428 wrote to memory of 5008 N/A N/A C:\Users\Admin\AppData\Local\Temp\2D57.exe
PID 5008 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2D57.exe C:\Users\Admin\AppData\Local\Temp\2D57.exe
PID 3428 wrote to memory of 2508 N/A N/A C:\Users\Admin\AppData\Local\Temp\345D.exe
PID 3136 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\21CD.exe C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe
PID 2508 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\345D.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bS4hi99.exe
PID 4164 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe

"C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe"

C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe

"C:\Users\Admin\AppData\Local\Temp\1272195eac7d0a3fe2e46305fd7e2d6370debd0e4fd8214bfaf680062036bdf4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 496

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF9D.bat" "

C:\Users\Admin\AppData\Local\Temp\B56.exe

C:\Users\Admin\AppData\Local\Temp\B56.exe

C:\Users\Admin\AppData\Local\Temp\21CD.exe

C:\Users\Admin\AppData\Local\Temp\21CD.exe

C:\Users\Admin\AppData\Local\Temp\21CD.exe

C:\Users\Admin\AppData\Local\Temp\21CD.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a59624d6-f1c6-4f19-8770-fc9ec54a0899" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\21CD.exe

"C:\Users\Admin\AppData\Local\Temp\21CD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\21CD.exe

"C:\Users\Admin\AppData\Local\Temp\21CD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\345D.exe

C:\Users\Admin\AppData\Local\Temp\345D.exe

C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe

"C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bS4hi99.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bS4hi99.exe

C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe

"C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bH4bi22.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bH4bi22.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xC3Qm35.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xC3Qm35.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt73Jx3.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt73Jx3.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\2D57.exe

C:\Users\Admin\AppData\Local\Temp\2D57.exe

C:\Users\Admin\AppData\Local\Temp\2D57.exe

C:\Users\Admin\AppData\Local\Temp\2D57.exe

C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build3.exe

"C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 2084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1648

Network

Files

C:\Users\Admin\AppData\Local\Temp\FF9D.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\B56.exe

MD5 a3dea4c1f895c2729505cb4712ad469d
SHA1 fdfeebab437bf7f97fb848cd67abec9409adb3b2
SHA256 acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd
SHA512 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4


C:\Users\Admin\AppData\Local\Temp\21CD.exe

MD5 8e921066e727da79d3b5e0bba12bb40e
SHA1 82df9dd35842936dc68f6d7a5c74c0fa2b92a2af
SHA256 ef2497a7973f8d75f759e6be0e81b8ec5b9c1f5c9759ee8f84297e123863862c
SHA512 029ab1da5c7636df1cb1d6eb5a0cc87af3aac0623969fd0205b602954e2c3039dd91e2182216a28722964cb8fa54ac097dab2f7338dd12ad3855ec20d8153d5b

C:\Users\Admin\AppData\Local\a59624d6-f1c6-4f19-8770-fc9ec54a0899\21CD.exe

MD5 8e921066e727da79d3b5e0bba12bb40e
SHA1 82df9dd35842936dc68f6d7a5c74c0fa2b92a2af
SHA256 ef2497a7973f8d75f759e6be0e81b8ec5b9c1f5c9759ee8f84297e123863862c
SHA512 029ab1da5c7636df1cb1d6eb5a0cc87af3aac0623969fd0205b602954e2c3039dd91e2182216a28722964cb8fa54ac097dab2f7338dd12ad3855ec20d8153d5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 82e8de576b3311d7e87e7f4fa31747e9
SHA1 a173cfc9a9b93bdbe3e9d6c21c5f0e8bdc98c6b7
SHA256 0434af1df9da0494d532ff3749013bc969a84f10473bfe1aab197ffbf55907f8
SHA512 384f203a7159ea935648e8d16434bc3236cdddc21b8e353852f4a975d1582b5c53f7d22ed9772d88e8ec4650a8db34964eabb840c0ae4ecc425ed0790938f002

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 af207fce02ccd72197c25681aba5b26c
SHA1 bf39a079dc359f7ff5f06be728a5946f1833e0fb
SHA256 6dfce12200dadf41850434319a9d3db7c613a09ed0b7e5c584e6c5ad58875d11
SHA512 1e921f0e40a92083366049b1999a36f2e9f8bc5bc6329bf2ba5a755eae6c283efa66ef5471f0ee3cea676b6ddf87da7a211b783a50c762c46991918db85a8b07

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fe9925084c9f0f7d25e0970216587c8a
SHA1 dfd1fdc1064d90eba9f84a2575b34e2016830ec2
SHA256 9fd7caab023c6ffad78c9e4b08f74341540369994ffe285fff9007924f735a4c
SHA512 18ecd8d11a3d2ae69f7d7d08505a5a7733405bbceb48197c4efcc57fbf45dbd2c5a3932d2f292754efa4907b7b8180df57b7a9b99bba40677ca5baa14e180da6

C:\Users\Admin\AppData\Local\Temp\2D57.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

memory/5008-85-0x000001F954540000-0x000001F95464C000-memory.dmp

memory/2520-89-0x00000000758C0000-0x0000000075990000-memory.dmp

memory/2520-88-0x00000000758C0000-0x0000000075990000-memory.dmp

memory/2520-87-0x00000000758C0000-0x0000000075990000-memory.dmp

memory/5008-91-0x00007FFF3BDD0000-0x00007FFF3C7BC000-memory.dmp

memory/5008-94-0x000001F9549D0000-0x000001F9549E0000-memory.dmp

memory/5008-96-0x000001F956510000-0x000001F95655C000-memory.dmp

memory/5008-95-0x000001F96EF40000-0x000001F96F008000-memory.dmp

memory/5008-93-0x000001F96EE70000-0x000001F96EF38000-memory.dmp

memory/2520-92-0x00000000756F0000-0x00000000758B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2D57.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

memory/4128-101-0x0000022EC9F30000-0x0000022ECA014000-memory.dmp

memory/4128-103-0x0000022ECA080000-0x0000022ECA090000-memory.dmp

memory/5008-102-0x00007FFF3BDD0000-0x00007FFF3C7BC000-memory.dmp

memory/3136-112-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4128-108-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/3136-115-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4128-119-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-127-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-125-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-129-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-123-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-121-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-135-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-141-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-147-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-149-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-153-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-151-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-145-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-143-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/2520-167-0x0000000009AD0000-0x0000000009C92000-memory.dmp

memory/2520-171-0x000000000A1D0000-0x000000000A6FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\345D.exe

MD5 27694aecc39ca2140bb33c69f9e3da41
SHA1 c48181ccbd8d05cba0ebb06f9a11154ac6407aee
SHA256 a60b6b72b31b9a0da805a8c0d3a7196300b578745602d9e476bc23a61d87c54a
SHA512 2f13e19af4ef04aef2d9f584a4e6267900bc9d1086b4c1299d4223ba7477b1e503e0f3f9408cd85b0f3bb3878a84db464aa101f85b49d33a17fec937afa0ae3e

C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bS4hi99.exe

MD5 fcb57295ecc1626eeeed24bd09fd1d7a
SHA1 3c026229ffda41bd613eed760a5e47148fe9ae2e
SHA256 60e6c9297116d36f8afdcd9b462ebfecf158053916d5754c5d3e05ad33bc652f
SHA512 3173b6a66dbd9045a1a98b13672f75b17fadb0b57e0fb9694d68f9aee1d183025bc8656632b0e8cd06dfda755231ec9f3d9445b206adcb6e4a0984df87c61fa1

C:\Users\Admin\AppData\Local\Temp\345D.exe

MD5 27694aecc39ca2140bb33c69f9e3da41
SHA1 c48181ccbd8d05cba0ebb06f9a11154ac6407aee
SHA256 a60b6b72b31b9a0da805a8c0d3a7196300b578745602d9e476bc23a61d87c54a
SHA512 2f13e19af4ef04aef2d9f584a4e6267900bc9d1086b4c1299d4223ba7477b1e503e0f3f9408cd85b0f3bb3878a84db464aa101f85b49d33a17fec937afa0ae3e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bH4bi22.exe

MD5 a944ce66d7d9343827a475f63266e2fc
SHA1 430044bcd1c168e870cde4c242cfaec9337f2b1a
SHA256 43374c43348058a1b88f006de6679ec6ae6084db2f7efb37736f627466ff2f07
SHA512 e418abf30db0c6facec6a5d3c4c28ea82b3ccc68ccc8961fff63306e1ce98d8242d4136f6f179f62b2f10fee0c759dcbf5325cd85b70e375bf59476035603d70

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bH4bi22.exe

MD5 a944ce66d7d9343827a475f63266e2fc
SHA1 430044bcd1c168e870cde4c242cfaec9337f2b1a
SHA256 43374c43348058a1b88f006de6679ec6ae6084db2f7efb37736f627466ff2f07
SHA512 e418abf30db0c6facec6a5d3c4c28ea82b3ccc68ccc8961fff63306e1ce98d8242d4136f6f179f62b2f10fee0c759dcbf5325cd85b70e375bf59476035603d70

C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

memory/4164-210-0x0000000002B30000-0x0000000002B61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xC3Qm35.exe

MD5 f792094d7e39e109fa00219cbbdc2e30
SHA1 fec957067137c285a42892206e5bd6652d32140d
SHA256 0861f99f1c6092cf1fbca92e43ff73abaf820f50191e0a6605d6a29b08fc0d37
SHA512 df308cd5190c0162647ab210b003144de9e2c842bbcb58a9a6a903ee67113355184a407e8d0cdc6e282a47666ef74da4dd337bc581cc5d54cdf4b6ab17550390

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xC3Qm35.exe

MD5 f792094d7e39e109fa00219cbbdc2e30
SHA1 fec957067137c285a42892206e5bd6652d32140d
SHA256 0861f99f1c6092cf1fbca92e43ff73abaf820f50191e0a6605d6a29b08fc0d37
SHA512 df308cd5190c0162647ab210b003144de9e2c842bbcb58a9a6a903ee67113355184a407e8d0cdc6e282a47666ef74da4dd337bc581cc5d54cdf4b6ab17550390

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt73Jx3.exe

MD5 151ca633dc1331fe936d7852275b41c8
SHA1 679aaacecccd1e4a3c0595b8682c68d984017976
SHA256 a93afb60a0b0375f95f9f772440ea9c8bfd91026691c8c91eb40b1661074168a
SHA512 bd9ad2d7427f8df3f26feb4c08f2bb9aa09c1135622369f3be4a55ffe8ace76336788a32cf8b12d4252dc8acbb373708c4f457f2e0929d4222cfcd82dc15ee8a

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 151ca633dc1331fe936d7852275b41c8
SHA1 679aaacecccd1e4a3c0595b8682c68d984017976
SHA256 a93afb60a0b0375f95f9f772440ea9c8bfd91026691c8c91eb40b1661074168a
SHA512 bd9ad2d7427f8df3f26feb4c08f2bb9aa09c1135622369f3be4a55ffe8ace76336788a32cf8b12d4252dc8acbb373708c4f457f2e0929d4222cfcd82dc15ee8a

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vt73Jx3.exe

MD5 151ca633dc1331fe936d7852275b41c8
SHA1 679aaacecccd1e4a3c0595b8682c68d984017976
SHA256 a93afb60a0b0375f95f9f772440ea9c8bfd91026691c8c91eb40b1661074168a
SHA512 bd9ad2d7427f8df3f26feb4c08f2bb9aa09c1135622369f3be4a55ffe8ace76336788a32cf8b12d4252dc8acbb373708c4f457f2e0929d4222cfcd82dc15ee8a

memory/3376-222-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bS4hi99.exe

MD5 fcb57295ecc1626eeeed24bd09fd1d7a
SHA1 3c026229ffda41bd613eed760a5e47148fe9ae2e
SHA256 60e6c9297116d36f8afdcd9b462ebfecf158053916d5754c5d3e05ad33bc652f
SHA512 3173b6a66dbd9045a1a98b13672f75b17fadb0b57e0fb9694d68f9aee1d183025bc8656632b0e8cd06dfda755231ec9f3d9445b206adcb6e4a0984df87c61fa1

memory/4164-203-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

memory/2520-198-0x00000000727D0000-0x0000000072EBE000-memory.dmp

memory/4128-139-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-137-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-133-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-131-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-117-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/3136-116-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4128-105-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-106-0x0000022EC9F30000-0x0000022ECA010000-memory.dmp

memory/4128-104-0x00007FFF3BDD0000-0x00007FFF3C7BC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2D57.exe.log

MD5 81b6f7911c04d1ce4c04aa863175692e
SHA1 7bbb69e4996c85de335721300fac3725ab17234d
SHA256 fe4c1929c30a9bede91497644aca2a44b8df1dffc7052786139a5674e1c1212a
SHA512 9bca4d0aa3286f426eadb50592447743938684a4ecc0ec1db5be18014c667eb3a26ba36ea4d149a4ef17471c2000368a31646724413b71c9ddfdd77977b97d47

memory/4128-97-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/5008-90-0x000001F96ED90000-0x000001F96EE70000-memory.dmp

memory/2520-86-0x0000000000F60000-0x0000000001A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2D57.exe

MD5 a70d83fb50f0ef7ba20ada80d6f07e9f
SHA1 844f1939d41b23e85886178c2e058a9e56c496e9
SHA256 e62b3949e1092bcb92435ec398caa0c55963deca3dbe79a4808dda3e093622a9
SHA512 9eb598c50f55fe66792193a7827610be801d2f29876e5b3151b0509d097196c45a6dacb26898193362019248bbe8a444c839811e6ecaf8053ac405834e009a25

C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\1e65b445-0b99-4bac-8994-46e06f4316b6\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\grandUIA1RG1AWOrKijym\information.txt

MD5 48a10c8397504281c3004fa53c3213ca
SHA1 2062abec0501a3226a9cce37fb4775724ef9c5f9
SHA256 5bd2e7bbb4a65b85a900e0431cc90e5c1644161c2cc9f8e6e26efc116b4175d5
SHA512 2ec22f09be6e164a2590120912e999e48890d304b79cc29ff19f211fedefbf1863c683774707ed133d7d685ef98f619549fc8a4e970e1ddce6a2959f5016cce8

memory/2520-1445-0x0000000005F30000-0x0000000005F80000-memory.dmp

memory/2520-1524-0x0000000000F60000-0x0000000001A2A000-memory.dmp

memory/2520-1526-0x00000000756F0000-0x00000000758B2000-memory.dmp

memory/2520-1528-0x00000000758C0000-0x0000000075990000-memory.dmp

memory/2520-1530-0x00000000727D0000-0x0000000072EBE000-memory.dmp

memory/3136-1820-0x0000000000400000-0x0000000000537000-memory.dmp