Analysis Overview
SHA256
069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c
Threat Level: Known bad
The file 069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
Detected Djvu ransomware
DcRat
ZGRat
Detect ZGRat V1
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Themida packer
Executes dropped EXE
Deletes itself
Modifies file permissions
Checks BIOS information in registry
Looks up external IP address via web service
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-08 16:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-08 16:33
Reported
2023-12-08 16:36
Platform
win10v2004-20231130-en
Max time kernel
31s
Max time network
142s
Command Line
Signatures
DcRat
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\AEEF.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\AEEF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\AEEF.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AEEF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C41E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C41E.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\af99b8f0-5d61-4591-bce7-7ad268a67838\\C41E.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\C41E.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\AEEF.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AEEF.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 376 set thread context of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe | C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe |
| PID 408 set thread context of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\C41E.exe | C:\Users\Admin\AppData\Local\Temp\C41E.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\C41E.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe
"C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe"
C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe
"C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3684 -ip 3684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 328
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A3A2.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A5E6.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\AEEF.exe
C:\Users\Admin\AppData\Local\Temp\AEEF.exe
C:\Users\Admin\AppData\Local\Temp\C41E.exe
C:\Users\Admin\AppData\Local\Temp\C41E.exe
C:\Users\Admin\AppData\Local\Temp\C41E.exe
C:\Users\Admin\AppData\Local\Temp\C41E.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\af99b8f0-5d61-4591-bce7-7ad268a67838" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\C41E.exe
"C:\Users\Admin\AppData\Local\Temp\C41E.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\C41E.exe
"C:\Users\Admin\AppData\Local\Temp\C41E.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3728 -ip 3728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 568
C:\Users\Admin\AppData\Local\Temp\D1BB.exe
C:\Users\Admin\AppData\Local\Temp\D1BB.exe
C:\Users\Admin\AppData\Local\Temp\D1BB.exe
C:\Users\Admin\AppData\Local\Temp\D1BB.exe
C:\Users\Admin\AppData\Local\Temp\D8B2.exe
C:\Users\Admin\AppData\Local\Temp\D8B2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ua9jq80.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ua9jq80.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ox5vF85.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ox5vF85.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gb6wn24.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gb6wn24.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WL95iE1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WL95iE1.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3MO51Qy.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3MO51Qy.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4VT837IJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4VT837IJ.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 24.52.193.212.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | edarululoom.com | udp |
| US | 104.21.42.224:443 | edarululoom.com | tcp |
| US | 8.8.8.8:53 | 224.42.21.104.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| BG | 95.158.162.200:80 | brusuax.com | tcp |
| US | 38.47.221.193:34368 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| FR | 216.58.204.67:80 | N/A | tcp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 185.196.8.238:80 | N/A | tcp |
| US | 8.8.8.8:53 | 238.8.196.185.in-addr.arpa | udp |
| RU | 109.107.182.45:80 | N/A | tcp |
| US | 8.8.8.8:53 | 45.182.107.109.in-addr.arpa | udp |
| US | 38.47.221.193:34368 | N/A | tcp |
| US | 193.233.132.51:50500 | N/A | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 38.47.221.193:34368 | N/A | tcp |
| US | 8.8.8.8:53 | 193.221.47.38.in-addr.arpa | udp |
| N/A | 188.114.96.2:443 | N/A | tcp |
| GB | 96.17.178.181:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
| GB | 96.17.178.181:80 | N/A | tcp |
Files
memory/376-1-0x0000000000BB0000-0x0000000000CB0000-memory.dmp
memory/376-2-0x00000000009A0000-0x00000000009A9000-memory.dmp
memory/3684-3-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3684-4-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3684-5-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3352-6-0x0000000002850000-0x0000000002866000-memory.dmp
memory/3684-9-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A3A2.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\A5E6.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\AEEF.exe
| MD5 | a3dea4c1f895c2729505cb4712ad469d |
| SHA1 | fdfeebab437bf7f97fb848cd67abec9409adb3b2 |
| SHA256 | acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd |
| SHA512 | 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4 |
memory/4476-26-0x0000000000920000-0x00000000013EA000-memory.dmp
memory/4476-27-0x0000000075730000-0x0000000075820000-memory.dmp
memory/4476-28-0x0000000075730000-0x0000000075820000-memory.dmp
memory/4476-29-0x0000000075730000-0x0000000075820000-memory.dmp
memory/4476-30-0x0000000075730000-0x0000000075820000-memory.dmp
memory/4476-31-0x0000000075730000-0x0000000075820000-memory.dmp
memory/4476-33-0x0000000076FF4000-0x0000000076FF6000-memory.dmp
memory/4476-35-0x0000000000920000-0x00000000013EA000-memory.dmp
memory/4476-37-0x0000000008320000-0x00000000083B2000-memory.dmp
memory/4476-36-0x0000000008830000-0x0000000008DD4000-memory.dmp
memory/4476-38-0x00000000039F0000-0x00000000039FA000-memory.dmp
memory/4476-39-0x0000000009400000-0x0000000009A18000-memory.dmp
memory/4476-40-0x0000000008DE0000-0x0000000008EEA000-memory.dmp
memory/4476-41-0x0000000008300000-0x0000000008312000-memory.dmp
memory/4476-42-0x00000000084F0000-0x000000000852C000-memory.dmp
memory/4476-43-0x0000000008640000-0x000000000868C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C41E.exe
| MD5 | 02ed1045d708d2fb13a1d1051f5de42a |
| SHA1 | 5aec30f57c3f3ddfa951bfeeafcd96f0675020c3 |
| SHA256 | 40dd4f43d1e66d30a632ac94ad282d748a2c9a96ee0684b94ea4c2bdc3e5eff7 |
| SHA512 | 8b79413dbdb880e5010de9cb32637c651dc85233dd5e3cb308e35f96cfb7609d8c460e186dc41e2493498b11ce56c49b3201670df83f6f95cc5c7a9c55c252e9 |
memory/408-49-0x0000000002540000-0x00000000025D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C41E.exe
| MD5 | 02ed1045d708d2fb13a1d1051f5de42a |
| SHA1 | 5aec30f57c3f3ddfa951bfeeafcd96f0675020c3 |
| SHA256 | 40dd4f43d1e66d30a632ac94ad282d748a2c9a96ee0684b94ea4c2bdc3e5eff7 |
| SHA512 | 8b79413dbdb880e5010de9cb32637c651dc85233dd5e3cb308e35f96cfb7609d8c460e186dc41e2493498b11ce56c49b3201670df83f6f95cc5c7a9c55c252e9 |
memory/4788-53-0x0000000000400000-0x0000000000537000-memory.dmp
memory/408-51-0x0000000002600000-0x000000000271B000-memory.dmp
memory/4788-50-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4788-54-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4788-55-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\af99b8f0-5d61-4591-bce7-7ad268a67838\C41E.exe
| MD5 | 02ed1045d708d2fb13a1d1051f5de42a |
| SHA1 | 5aec30f57c3f3ddfa951bfeeafcd96f0675020c3 |
| SHA256 | 40dd4f43d1e66d30a632ac94ad282d748a2c9a96ee0684b94ea4c2bdc3e5eff7 |
| SHA512 | 8b79413dbdb880e5010de9cb32637c651dc85233dd5e3cb308e35f96cfb7609d8c460e186dc41e2493498b11ce56c49b3201670df83f6f95cc5c7a9c55c252e9 |
memory/4788-65-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C41E.exe
| MD5 | 02ed1045d708d2fb13a1d1051f5de42a |
| SHA1 | 5aec30f57c3f3ddfa951bfeeafcd96f0675020c3 |
| SHA256 | 40dd4f43d1e66d30a632ac94ad282d748a2c9a96ee0684b94ea4c2bdc3e5eff7 |
| SHA512 | 8b79413dbdb880e5010de9cb32637c651dc85233dd5e3cb308e35f96cfb7609d8c460e186dc41e2493498b11ce56c49b3201670df83f6f95cc5c7a9c55c252e9 |
memory/3728-71-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3728-74-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3728-72-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C41E.exe
| MD5 | 02ed1045d708d2fb13a1d1051f5de42a |
| SHA1 | 5aec30f57c3f3ddfa951bfeeafcd96f0675020c3 |
| SHA256 | 40dd4f43d1e66d30a632ac94ad282d748a2c9a96ee0684b94ea4c2bdc3e5eff7 |
| SHA512 | 8b79413dbdb880e5010de9cb32637c651dc85233dd5e3cb308e35f96cfb7609d8c460e186dc41e2493498b11ce56c49b3201670df83f6f95cc5c7a9c55c252e9 |
memory/1060-68-0x0000000002470000-0x0000000002506000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D1BB.exe
| MD5 | 7f5108b2158d537f11fd88886c1c047c |
| SHA1 | c8249dc7ccf26b99cf1fa8b17e8334f7a27ce883 |
| SHA256 | da5406c85fcfa394d19d96f77a175539058119cbb86159ca57adcdf79d426ca8 |
| SHA512 | b07e144e83bdebf4ec2e0227cc9fe40c9d6655776114a3bdc3d82cf935999c46ca2dbfa8cb6d421dfe958eb92a053845e0bffdb1bf42593096d084c04ae60cc1 |
memory/3496-81-0x000001E271AB0000-0x000001E271C00000-memory.dmp
memory/3496-82-0x000001E2740A0000-0x000001E274180000-memory.dmp
memory/3496-83-0x000001E2741C0000-0x000001E274288000-memory.dmp
memory/3496-84-0x00007FFE8D8D0000-0x00007FFE8E391000-memory.dmp
memory/3496-85-0x000001E274D10000-0x000001E274DD8000-memory.dmp
memory/4476-86-0x0000000000920000-0x00000000013EA000-memory.dmp
memory/4476-88-0x0000000075730000-0x0000000075820000-memory.dmp
memory/3496-89-0x000001E2741B0000-0x000001E2741C0000-memory.dmp
memory/3496-87-0x000001E273950000-0x000001E27399C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\D1BB.exe.log
| MD5 | 9f5d0107d96d176b1ffcd5c7e7a42dc9 |
| SHA1 | de83788e2f18629555c42a3e6fada12f70457141 |
| SHA256 | d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097 |
| SHA512 | 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61 |
memory/3496-96-0x00007FFE8D8D0000-0x00007FFE8E391000-memory.dmp
memory/4476-97-0x0000000075730000-0x0000000075820000-memory.dmp
memory/4476-95-0x0000000075730000-0x0000000075820000-memory.dmp
memory/4956-94-0x00000268DA220000-0x00000268DA304000-memory.dmp
memory/4956-100-0x00000268DA210000-0x00000268DA220000-memory.dmp
memory/4956-101-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-105-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-107-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-103-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-115-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-113-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-119-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-117-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-121-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-129-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-131-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-137-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-139-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-135-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-133-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-127-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-125-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-123-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-143-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-141-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-111-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-109-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-99-0x00000268DA220000-0x00000268DA300000-memory.dmp
memory/4956-98-0x00007FFE8D8D0000-0x00007FFE8E391000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D1BB.exe
| MD5 | 7f5108b2158d537f11fd88886c1c047c |
| SHA1 | c8249dc7ccf26b99cf1fa8b17e8334f7a27ce883 |
| SHA256 | da5406c85fcfa394d19d96f77a175539058119cbb86159ca57adcdf79d426ca8 |
| SHA512 | b07e144e83bdebf4ec2e0227cc9fe40c9d6655776114a3bdc3d82cf935999c46ca2dbfa8cb6d421dfe958eb92a053845e0bffdb1bf42593096d084c04ae60cc1 |
memory/4956-90-0x0000000000400000-0x00000000004AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D8B2.exe
| MD5 | 513aa632bf7aa2516aabe52119a2abbe |
| SHA1 | e67c64f74897bf65f6b2c89eddb835abe5c710a0 |
| SHA256 | 27ec70986dd54439fe713e03a2a01bf9f0f4274f6edc184979d612959f26755c |
| SHA512 | 43785c631776acd005493e05cb197e0c9916d62410fbc848f153af051da5bab80678fcb703631f7e6f8c8d991ed0b00be10834dd2fa0be095a924afd2c5e4619 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ua9jq80.exe
| MD5 | 1b7d97ddffcc642acb8afdb3ee8e7a67 |
| SHA1 | f5fdaf01bcba97776866453ae942935d053cc5b2 |
| SHA256 | ee56bdd61a3de39c1fc560eb8d6139132f1f30594d6cb052fd96c6a3170f6a80 |
| SHA512 | 832a70f7e119c0c7c2df42d8d772f75b0aa1e3132299a10e85f768bc0d557b9cc005d6f5ffe3e3aa4b2e6563b78a633b8dafb11c57ff8a93d4c74db36afe9c7f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gb6wn24.exe
| MD5 | 98efc21960f30d2137e7bf23232cd1a4 |
| SHA1 | 1cd24234ce828ad84f5f6d631185b951360395f5 |
| SHA256 | 166e336b946a0df62a832e5f15abf7e14f7fc15de71a8a6fd29186216b4631ec |
| SHA512 | b58306e5a36ec23d3850f10980a6e796f57851fb2b68001ea38e567a01bedaf0a667db23bf3550d0995a8fd6cd23aa48c4df85de57d9bfb2d0c85201a5e59f70 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WL95iE1.exe
| MD5 | fa2d7fd895f22a69c0357cad768e575e |
| SHA1 | 0946228fa05c06686152edee6bbbce886da8fff6 |
| SHA256 | 480daf6a907f8bfe16817d341b02bb03fde670bf140e54527cee08ac4c483828 |
| SHA512 | 37d6531882e2a6c898d0aca4838d896676c40d089ce513cdc5946cc76661e2347e14848ed3f637eb3d80bfa444440b2077cbd67a8fc18416c804b937c0bf4f83 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gb6wn24.exe
| MD5 | 98efc21960f30d2137e7bf23232cd1a4 |
| SHA1 | 1cd24234ce828ad84f5f6d631185b951360395f5 |
| SHA256 | 166e336b946a0df62a832e5f15abf7e14f7fc15de71a8a6fd29186216b4631ec |
| SHA512 | b58306e5a36ec23d3850f10980a6e796f57851fb2b68001ea38e567a01bedaf0a667db23bf3550d0995a8fd6cd23aa48c4df85de57d9bfb2d0c85201a5e59f70 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ox5vF85.exe
| MD5 | f5e9e33bef789205e7d531fce3966042 |
| SHA1 | 47f429e262d4374f9081bf4c743823748e8dabc6 |
| SHA256 | 00aeed35b42ae52c679041df5bbf7762e9bb07b048ce68c56ed8b082ba645669 |
| SHA512 | 6e2c4fbbafe99d4d8b18d912fcd19681d3828763a7d3a692725b59e7e028a6ea669d14ae475d7d7476eb4206ab8c3fae2d38f096d7a33152efcaa614b62fedd3 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ua9jq80.exe
| MD5 | 1b7d97ddffcc642acb8afdb3ee8e7a67 |
| SHA1 | f5fdaf01bcba97776866453ae942935d053cc5b2 |
| SHA256 | ee56bdd61a3de39c1fc560eb8d6139132f1f30594d6cb052fd96c6a3170f6a80 |
| SHA512 | 832a70f7e119c0c7c2df42d8d772f75b0aa1e3132299a10e85f768bc0d557b9cc005d6f5ffe3e3aa4b2e6563b78a633b8dafb11c57ff8a93d4c74db36afe9c7f |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3MO51Qy.exe
| MD5 | 4733ffc0d6513f203d024b107aff474e |
| SHA1 | c51125c0b46883870e6af4cdf13748344229d6ed |
| SHA256 | f7ca655eeaf4a84715c9868c5d27f27f03526c53e1469400df4b8ed933a53209 |
| SHA512 | be21a3faa36dde04090b8913b54ec022d4532dc4fb1ff7ce63d2680b4bdf9ef9c6f189ccb0a7554d8611987153c3bc9b519b2208a77de4aa5a98d3f02f9935bf |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
| MD5 | 89d41e1cf478a3d3c2c701a27a5692b2 |
| SHA1 | 691e20583ef80cb9a2fd3258560e7f02481d12fd |
| SHA256 | dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac |
| SHA512 | 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc |
memory/2340-334-0x0000000000400000-0x000000000040B000-memory.dmp
memory/4476-332-0x0000000075730000-0x0000000075820000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3MO51Qy.exe
| MD5 | 4733ffc0d6513f203d024b107aff474e |
| SHA1 | c51125c0b46883870e6af4cdf13748344229d6ed |
| SHA256 | f7ca655eeaf4a84715c9868c5d27f27f03526c53e1469400df4b8ed933a53209 |
| SHA512 | be21a3faa36dde04090b8913b54ec022d4532dc4fb1ff7ce63d2680b4bdf9ef9c6f189ccb0a7554d8611987153c3bc9b519b2208a77de4aa5a98d3f02f9935bf |
memory/2340-1458-0x0000000000400000-0x000000000040B000-memory.dmp
memory/4476-1468-0x00000000092A0000-0x0000000009306000-memory.dmp
memory/3352-1467-0x00000000076C0000-0x00000000076D0000-memory.dmp