Analysis Overview
SHA256
142aacbf783038ea4b2a7f2d9433b1309b413330e702b8a90e300eea1bbed4c8
Threat Level: Known bad
The file 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
RisePro
Detect ZGRat V1
Detected Djvu ransomware
DcRat
ZGRat
SmokeLoader
PrivateLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Checks BIOS information in registry
Drops startup file
Themida packer
Modifies file permissions
Deletes itself
Checks whether UAC is enabled
Looks up external IP address via web service
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-07 18:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-07 18:01
Reported
2023-12-07 18:03
Platform
win7-20231201-en
Max time kernel
150s
Max time network
138s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f5a2415f-68be-463a-9279-19b58785f5a1\\8920.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\8920.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
PrivateLoader
RisePro
SmokeLoader
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\6D17.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\6D17.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\6D17.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f5a2415f-68be-463a-9279-19b58785f5a1\\8920.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\8920.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\DB37.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DI2PB38.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou8Kb12.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lt8AE30.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\6D17.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D17.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2088 set thread context of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe |
| PID 1864 set thread context of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\8920.exe | C:\Users\Admin\AppData\Local\Temp\8920.exe |
| PID 2616 set thread context of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\8920.exe | C:\Users\Admin\AppData\Local\Temp\8920.exe |
| PID 2956 set thread context of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\937D.exe | C:\Users\Admin\AppData\Local\Temp\937D.exe |
| PID 1916 set thread context of 2700 | N/A | C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe | C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\937D.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6D17.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe
"C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"
C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe
"C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\61A0.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6421.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\6D17.exe
C:\Users\Admin\AppData\Local\Temp\6D17.exe
C:\Users\Admin\AppData\Local\Temp\8920.exe
C:\Users\Admin\AppData\Local\Temp\8920.exe
C:\Users\Admin\AppData\Local\Temp\8920.exe
C:\Users\Admin\AppData\Local\Temp\8920.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f5a2415f-68be-463a-9279-19b58785f5a1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\8920.exe
"C:\Users\Admin\AppData\Local\Temp\8920.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\8920.exe
"C:\Users\Admin\AppData\Local\Temp\8920.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\937D.exe
C:\Users\Admin\AppData\Local\Temp\937D.exe
C:\Users\Admin\AppData\Local\Temp\937D.exe
C:\Users\Admin\AppData\Local\Temp\937D.exe
C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe
"C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe"
C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe
"C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe"
C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build3.exe
"C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build3.exe"
C:\Users\Admin\AppData\Local\Temp\DB37.exe
C:\Users\Admin\AppData\Local\Temp\DB37.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou8Kb12.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou8Kb12.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DI2PB38.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DI2PB38.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lt8AE30.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lt8AE30.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1436
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 85.143.222.45:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | edarululoom.com | udp |
| US | 172.67.167.33:443 | edarululoom.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 211.119.84.112:80 | brusuax.com | tcp |
| HK | 38.47.221.193:34368 | N/A | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 185.196.8.238:80 | 185.196.8.238 | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| BA | 185.12.79.25:80 | zexeq.com | tcp |
| RU | 109.107.182.45:80 | 109.107.182.45 | tcp |
| US | 8.8.8.8:53 | genesiscarat.com | udp |
| RU | 92.118.112.94:443 | genesiscarat.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| FI | 95.217.240.71:443 | 95.217.240.71 | tcp |
| US | 193.233.132.51:50500 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\61A0.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\6421.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\6D17.exe
| MD5 | a3dea4c1f895c2729505cb4712ad469d |
| SHA1 | fdfeebab437bf7f97fb848cd67abec9409adb3b2 |
| SHA256 | acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd |
| SHA512 | 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4 |
C:\Users\Admin\AppData\Local\Temp\8920.exe
| MD5 | be9ca8b74e26dc78f01bd22f50525146 |
| SHA1 | f51371b66f0220158cc2208ab9f55fa87763dd0a |
| SHA256 | d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b |
| SHA512 | 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00 |
\Users\Admin\AppData\Local\Temp\8920.exe
| MD5 | be9ca8b74e26dc78f01bd22f50525146 |
| SHA1 | f51371b66f0220158cc2208ab9f55fa87763dd0a |
| SHA256 | d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b |
| SHA512 | 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00 |
C:\Users\Admin\AppData\Local\f5a2415f-68be-463a-9279-19b58785f5a1\8920.exe
| MD5 | be9ca8b74e26dc78f01bd22f50525146 |
| SHA1 | f51371b66f0220158cc2208ab9f55fa87763dd0a |
| SHA256 | d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b |
| SHA512 | 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 2a111a3869f046f785ce4ee1e7058390 |
| SHA1 | 2cdef9efd2cbad5d9eb0827417cb6dbf405e14f6 |
| SHA256 | 24c5ad6ae2289c147167a3c73ed7fa556434389ed46591172e5652aaa20b3c4c |
| SHA512 | df8bc23e88741f87e7ee59bb9a6a6b8a78f4b43965af892c64f95c6554867edbe2c242ae9ff799512bf99ee43fb37233aa85b64b75e04417f1ef3681bb6814d9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 0772d19dd244b195a8c6e9e3ee14015d |
| SHA1 | dac6279c89f774991af2f0e8c6cb78063ca4d5a6 |
| SHA256 | 0393acc6e5d120983277d2962c2438d163f2c5f71799f2343e632b2b058373a3 |
| SHA512 | ba00d0bc32b4aef522765a61a3f0dbdbbcae082de7a9a7cea0ae81f5da928b736d010e073f2ec9170bcffbd27e8bd319e00f40fd8910c3c62082ac348a2cca06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 4605a165da62fbfcb953bc95f5c60588 |
| SHA1 | 26d10dc22baeb6f19358ef50076b4f4cecfd625e |
| SHA256 | ead04e8f3c9d951dd3a34014d9c2afc30055f16d191ae52e4b91c39513e5c5b3 |
| SHA512 | 2c344c11cd766538df0edd82c67922365a7cce6718e505dbf6a45f8bcbb53b85b8222ac9dda90dcfbd9490371d668a85d2358e9b5a2af7f1ef113a6c19b0fb4f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c7df0d7bd8b545f25f1111b1e97618f0 |
| SHA1 | 0e11a848704f0ae858ec17ff58117afe8ad13fc2 |
| SHA256 | cab1b126fadd73cfc92df95da78def379077cd9c133c8524c8ce2336c37e3db6 |
| SHA512 | 4f5ac389439f72484b26f0725e9fce52b8f9410636fe15454edc365fb9e84e471fffdbbed37379c9ed3a7ee7c0352d3106083e725f33ffed2ea98361a4b10fd6 |
C:\Users\Admin\AppData\Local\Temp\Cab91D4.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/892-137-0x0000000000400000-0x0000000000537000-memory.dmp
memory/892-138-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\937D.exe
| MD5 | f9f5b4125a5b08bc86343cb6f2d04e63 |
| SHA1 | 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2 |
| SHA256 | 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39 |
| SHA512 | 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798 |
C:\Users\Admin\AppData\Local\Temp\937D.exe
| MD5 | f9f5b4125a5b08bc86343cb6f2d04e63 |
| SHA1 | 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2 |
| SHA256 | 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39 |
| SHA512 | 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798 |
C:\Users\Admin\AppData\Local\Temp\937D.exe
| MD5 | f9f5b4125a5b08bc86343cb6f2d04e63 |
| SHA1 | 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2 |
| SHA256 | 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39 |
| SHA512 | 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798 |
memory/2956-144-0x0000000000A60000-0x0000000000B48000-memory.dmp
memory/2956-145-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp
memory/2956-147-0x000000001AF10000-0x000000001AF90000-memory.dmp
memory/2956-148-0x0000000002120000-0x00000000021FE000-memory.dmp
memory/2956-149-0x000000001ADB0000-0x000000001AE90000-memory.dmp
memory/2956-150-0x000000001B3B0000-0x000000001B478000-memory.dmp
memory/2956-151-0x000000001B480000-0x000000001B548000-memory.dmp
memory/2956-152-0x0000000000670000-0x00000000006BC000-memory.dmp
memory/892-156-0x0000000000400000-0x0000000000537000-memory.dmp
memory/892-158-0x0000000000400000-0x0000000000537000-memory.dmp
memory/892-159-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\937D.exe
| MD5 | f9f5b4125a5b08bc86343cb6f2d04e63 |
| SHA1 | 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2 |
| SHA256 | 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39 |
| SHA512 | 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798 |
memory/584-161-0x0000000000400000-0x00000000004AA000-memory.dmp
memory/584-163-0x0000000000400000-0x00000000004AA000-memory.dmp
memory/584-165-0x0000000000400000-0x00000000004AA000-memory.dmp
memory/584-167-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\937D.exe
| MD5 | f9f5b4125a5b08bc86343cb6f2d04e63 |
| SHA1 | 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2 |
| SHA256 | 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39 |
| SHA512 | 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798 |
memory/584-169-0x0000000000400000-0x00000000004AA000-memory.dmp
memory/2956-172-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp
memory/2800-174-0x0000000074140000-0x000000007482E000-memory.dmp
memory/584-175-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp
memory/584-178-0x000000001B270000-0x000000001B2F0000-memory.dmp
memory/584-177-0x00000000007B0000-0x0000000000894000-memory.dmp
memory/2800-176-0x0000000001090000-0x00000000010D0000-memory.dmp
memory/584-182-0x00000000007B0000-0x0000000000890000-memory.dmp
memory/584-180-0x00000000007B0000-0x0000000000890000-memory.dmp
memory/584-184-0x00000000007B0000-0x0000000000890000-memory.dmp
memory/584-188-0x00000000007B0000-0x0000000000890000-memory.dmp
memory/584-190-0x00000000007B0000-0x0000000000890000-memory.dmp
memory/584-194-0x00000000007B0000-0x0000000000890000-memory.dmp
memory/584-196-0x00000000007B0000-0x0000000000890000-memory.dmp
memory/584-192-0x00000000007B0000-0x0000000000890000-memory.dmp
memory/584-198-0x00000000007B0000-0x0000000000890000-memory.dmp
memory/584-200-0x00000000007B0000-0x0000000000890000-memory.dmp
memory/584-202-0x00000000007B0000-0x0000000000890000-memory.dmp
memory/584-204-0x00000000007B0000-0x0000000000890000-memory.dmp
memory/584-186-0x00000000007B0000-0x0000000000890000-memory.dmp
memory/584-179-0x00000000007B0000-0x0000000000890000-memory.dmp
C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe
| MD5 | f5f946c85bbcd85d14e984c5b2d9fdda |
| SHA1 | dfd3e685b41e62d30395205ee9c6038081b9e875 |
| SHA256 | 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22 |
| SHA512 | 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853 |
C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe
| MD5 | f5f946c85bbcd85d14e984c5b2d9fdda |
| SHA1 | dfd3e685b41e62d30395205ee9c6038081b9e875 |
| SHA256 | 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22 |
| SHA512 | 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853 |
C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe
| MD5 | f5f946c85bbcd85d14e984c5b2d9fdda |
| SHA1 | dfd3e685b41e62d30395205ee9c6038081b9e875 |
| SHA256 | 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22 |
| SHA512 | 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853 |
\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe
| MD5 | f5f946c85bbcd85d14e984c5b2d9fdda |
| SHA1 | dfd3e685b41e62d30395205ee9c6038081b9e875 |
| SHA256 | 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22 |
| SHA512 | 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853 |
\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe
| MD5 | f5f946c85bbcd85d14e984c5b2d9fdda |
| SHA1 | dfd3e685b41e62d30395205ee9c6038081b9e875 |
| SHA256 | 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22 |
| SHA512 | 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853 |
memory/1916-298-0x0000000002BC0000-0x0000000002CC0000-memory.dmp
memory/1916-299-0x0000000000260000-0x0000000000291000-memory.dmp
C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe
| MD5 | f5f946c85bbcd85d14e984c5b2d9fdda |
| SHA1 | dfd3e685b41e62d30395205ee9c6038081b9e875 |
| SHA256 | 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22 |
| SHA512 | 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853 |
memory/2700-303-0x0000000000400000-0x0000000000644000-memory.dmp
\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
\Users\Admin\AppData\Local\Temp\DB37.exe
| MD5 | 6eafae4c4d7096a3146fb41361b88e88 |
| SHA1 | a974e4d9c0445079939cfbcef9d64dd9233b9181 |
| SHA256 | f91b309f90e29ac6938c6156c6692c74e982297a8da0496c47c8510291887409 |
| SHA512 | d6ddd6ac49158dcbcd5b6a4f4765cee09080e2581723577d890ab7f1a22e273a9a8ee2aa1359c1f2af4a43ab8d2e74a8f98a473ba63ee400061d2c01cc5a0578 |
C:\Users\Admin\AppData\Local\Temp\DB37.exe
| MD5 | 6eafae4c4d7096a3146fb41361b88e88 |
| SHA1 | a974e4d9c0445079939cfbcef9d64dd9233b9181 |
| SHA256 | f91b309f90e29ac6938c6156c6692c74e982297a8da0496c47c8510291887409 |
| SHA512 | d6ddd6ac49158dcbcd5b6a4f4765cee09080e2581723577d890ab7f1a22e273a9a8ee2aa1359c1f2af4a43ab8d2e74a8f98a473ba63ee400061d2c01cc5a0578 |
C:\Users\Admin\AppData\Local\Temp\DB37.exe
| MD5 | 6eafae4c4d7096a3146fb41361b88e88 |
| SHA1 | a974e4d9c0445079939cfbcef9d64dd9233b9181 |
| SHA256 | f91b309f90e29ac6938c6156c6692c74e982297a8da0496c47c8510291887409 |
| SHA512 | d6ddd6ac49158dcbcd5b6a4f4765cee09080e2581723577d890ab7f1a22e273a9a8ee2aa1359c1f2af4a43ab8d2e74a8f98a473ba63ee400061d2c01cc5a0578 |
C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\DI2PB38.exe
| MD5 | eb16dcdaa3a2c8c7d2b5c85af7a91341 |
| SHA1 | 6e8f0dc3b2fe92bef40fddc1401f398923303c8a |
| SHA256 | 17626126a624bf59c41ca10c001f2dd90e8a94abf8e2b929f63aa212feb34414 |
| SHA512 | 7c7aebb2fd8433f752722e0c210984c2b9a578614ca67b790a0138450d826e36a9bbd412b4a077c6aa9fcfb9aa1899e17e68ee3677e27b93f6137df19791413a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DI2PB38.exe
| MD5 | eb16dcdaa3a2c8c7d2b5c85af7a91341 |
| SHA1 | 6e8f0dc3b2fe92bef40fddc1401f398923303c8a |
| SHA256 | 17626126a624bf59c41ca10c001f2dd90e8a94abf8e2b929f63aa212feb34414 |
| SHA512 | 7c7aebb2fd8433f752722e0c210984c2b9a578614ca67b790a0138450d826e36a9bbd412b4a077c6aa9fcfb9aa1899e17e68ee3677e27b93f6137df19791413a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DI2PB38.exe
| MD5 | eb16dcdaa3a2c8c7d2b5c85af7a91341 |
| SHA1 | 6e8f0dc3b2fe92bef40fddc1401f398923303c8a |
| SHA256 | 17626126a624bf59c41ca10c001f2dd90e8a94abf8e2b929f63aa212feb34414 |
| SHA512 | 7c7aebb2fd8433f752722e0c210984c2b9a578614ca67b790a0138450d826e36a9bbd412b4a077c6aa9fcfb9aa1899e17e68ee3677e27b93f6137df19791413a |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\DI2PB38.exe
| MD5 | eb16dcdaa3a2c8c7d2b5c85af7a91341 |
| SHA1 | 6e8f0dc3b2fe92bef40fddc1401f398923303c8a |
| SHA256 | 17626126a624bf59c41ca10c001f2dd90e8a94abf8e2b929f63aa212feb34414 |
| SHA512 | 7c7aebb2fd8433f752722e0c210984c2b9a578614ca67b790a0138450d826e36a9bbd412b4a077c6aa9fcfb9aa1899e17e68ee3677e27b93f6137df19791413a |
C:\Users\Admin\AppData\Local\Temp\Tar4B3.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\lt8AE30.exe
| MD5 | e99659abcb427d00a9271c2796a98184 |
| SHA1 | 7c80842db9c0cf9fe814a61eff86f5ba02720cfc |
| SHA256 | fa8efb1d9762bf57d044cd87a464b01a1a4eba4399ad522a1d0ed522cd66e976 |
| SHA512 | bbed924bc1dfa68a216106aa4a7debbdcaa5766dc08c1888858190b656a9a44aa4b8248d690695ca9588d4228faa59af8b553f5fec97aee353b99e9df5365fc3 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lt8AE30.exe
| MD5 | e99659abcb427d00a9271c2796a98184 |
| SHA1 | 7c80842db9c0cf9fe814a61eff86f5ba02720cfc |
| SHA256 | fa8efb1d9762bf57d044cd87a464b01a1a4eba4399ad522a1d0ed522cd66e976 |
| SHA512 | bbed924bc1dfa68a216106aa4a7debbdcaa5766dc08c1888858190b656a9a44aa4b8248d690695ca9588d4228faa59af8b553f5fec97aee353b99e9df5365fc3 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lt8AE30.exe
| MD5 | e99659abcb427d00a9271c2796a98184 |
| SHA1 | 7c80842db9c0cf9fe814a61eff86f5ba02720cfc |
| SHA256 | fa8efb1d9762bf57d044cd87a464b01a1a4eba4399ad522a1d0ed522cd66e976 |
| SHA512 | bbed924bc1dfa68a216106aa4a7debbdcaa5766dc08c1888858190b656a9a44aa4b8248d690695ca9588d4228faa59af8b553f5fec97aee353b99e9df5365fc3 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\lt8AE30.exe
| MD5 | e99659abcb427d00a9271c2796a98184 |
| SHA1 | 7c80842db9c0cf9fe814a61eff86f5ba02720cfc |
| SHA256 | fa8efb1d9762bf57d044cd87a464b01a1a4eba4399ad522a1d0ed522cd66e976 |
| SHA512 | bbed924bc1dfa68a216106aa4a7debbdcaa5766dc08c1888858190b656a9a44aa4b8248d690695ca9588d4228faa59af8b553f5fec97aee353b99e9df5365fc3 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou8Kb12.exe
| MD5 | ee3f589a0c7d63229a037488144b88cf |
| SHA1 | 6856e0d92e0859642bcf2d24f0c068d9f6e0acbf |
| SHA256 | 5211a0394634a7ed1a6b3f1965c24ff83c4e45986509e6cc2fb0f66c050b87a3 |
| SHA512 | dd5430e653e38868bb83a4a9780b3536e9381f52c048781e8bdb08467b2b706e32d2ad1da75eaee82c9edfdd8c5b1fa03783a6dd7b0482469e8f97bd4191f76f |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe
| MD5 | d786005943e737b82adefe9d4f3d63a0 |
| SHA1 | 16e51832749e4922e7427d877c106900bb422fc8 |
| SHA256 | 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc |
| SHA512 | 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe
| MD5 | d786005943e737b82adefe9d4f3d63a0 |
| SHA1 | 16e51832749e4922e7427d877c106900bb422fc8 |
| SHA256 | 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc |
| SHA512 | 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe
| MD5 | d786005943e737b82adefe9d4f3d63a0 |
| SHA1 | 16e51832749e4922e7427d877c106900bb422fc8 |
| SHA256 | 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc |
| SHA512 | 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe
| MD5 | d786005943e737b82adefe9d4f3d63a0 |
| SHA1 | 16e51832749e4922e7427d877c106900bb422fc8 |
| SHA256 | 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc |
| SHA512 | 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou8Kb12.exe
| MD5 | ee3f589a0c7d63229a037488144b88cf |
| SHA1 | 6856e0d92e0859642bcf2d24f0c068d9f6e0acbf |
| SHA256 | 5211a0394634a7ed1a6b3f1965c24ff83c4e45986509e6cc2fb0f66c050b87a3 |
| SHA512 | dd5430e653e38868bb83a4a9780b3536e9381f52c048781e8bdb08467b2b706e32d2ad1da75eaee82c9edfdd8c5b1fa03783a6dd7b0482469e8f97bd4191f76f |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou8Kb12.exe
| MD5 | ee3f589a0c7d63229a037488144b88cf |
| SHA1 | 6856e0d92e0859642bcf2d24f0c068d9f6e0acbf |
| SHA256 | 5211a0394634a7ed1a6b3f1965c24ff83c4e45986509e6cc2fb0f66c050b87a3 |
| SHA512 | dd5430e653e38868bb83a4a9780b3536e9381f52c048781e8bdb08467b2b706e32d2ad1da75eaee82c9edfdd8c5b1fa03783a6dd7b0482469e8f97bd4191f76f |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou8Kb12.exe
| MD5 | ee3f589a0c7d63229a037488144b88cf |
| SHA1 | 6856e0d92e0859642bcf2d24f0c068d9f6e0acbf |
| SHA256 | 5211a0394634a7ed1a6b3f1965c24ff83c4e45986509e6cc2fb0f66c050b87a3 |
| SHA512 | dd5430e653e38868bb83a4a9780b3536e9381f52c048781e8bdb08467b2b706e32d2ad1da75eaee82c9edfdd8c5b1fa03783a6dd7b0482469e8f97bd4191f76f |
C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
| MD5 | d786005943e737b82adefe9d4f3d63a0 |
| SHA1 | 16e51832749e4922e7427d877c106900bb422fc8 |
| SHA256 | 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc |
| SHA512 | 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6aabe4a4161b1eb33ae61368d45719f4 |
| SHA1 | 015988db1025678872a2614a395c076c18525f34 |
| SHA256 | 3c6ccf0215e7d860353d61f896da4cc64105d9121902ef75462fe70c7f730480 |
| SHA512 | f692a81226a93533a16eb941c0723ced8c04b6ad38124c0c3d1fb6bb5dd6b762cc629414e391b1822356e09ecc82ddfb3fc08b6d3bd85482993bfaa2722b1757 |
\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
| MD5 | d786005943e737b82adefe9d4f3d63a0 |
| SHA1 | 16e51832749e4922e7427d877c106900bb422fc8 |
| SHA256 | 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc |
| SHA512 | 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 135a43cc2ef062f5dca4749bb3155171 |
| SHA1 | 42524f85f8eafc8559544437c48a81d6ff06a325 |
| SHA256 | aa8167d5e97a07b2dbecc580572eeb575deec7b1ace6d25c00c7c093096bcb0c |
| SHA512 | 1579aef8076707d5c4e12a55138f11fdbd7a9c0000e22c55223f43f969d0ecb4f358b989514d7134e58c428a7e116e26420222634516578e1fa4b6a71333c1da |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
| MD5 | 946af660d15a2f3a63a2c5c83c9bf6b1 |
| SHA1 | b0b9cb337ac35d85ed882a212e1e6afb30c3ca56 |
| SHA256 | dc9c5ce1876361a715a06746bc5c62201d0ed9bac257b7b984451d4864abe17c |
| SHA512 | 0a0287638406793fe86595dca81158970b4f0ce76cb7de040888757e79219b03eb8880fd31ea85005888aa6cb7e68c987f5fd74782848155ba479e4980914422 |
\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe
| MD5 | f5f946c85bbcd85d14e984c5b2d9fdda |
| SHA1 | dfd3e685b41e62d30395205ee9c6038081b9e875 |
| SHA256 | 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22 |
| SHA512 | 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853 |
\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe
| MD5 | f5f946c85bbcd85d14e984c5b2d9fdda |
| SHA1 | dfd3e685b41e62d30395205ee9c6038081b9e875 |
| SHA256 | 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22 |
| SHA512 | 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853 |
\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe
| MD5 | f5f946c85bbcd85d14e984c5b2d9fdda |
| SHA1 | dfd3e685b41e62d30395205ee9c6038081b9e875 |
| SHA256 | 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22 |
| SHA512 | 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853 |
\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe
| MD5 | f5f946c85bbcd85d14e984c5b2d9fdda |
| SHA1 | dfd3e685b41e62d30395205ee9c6038081b9e875 |
| SHA256 | 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22 |
| SHA512 | 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-07 18:01
Reported
2023-12-07 18:03
Platform
win10v2004-20231127-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2284 set thread context of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe
"C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"
C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe
"C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
Files