Malware Analysis Report

2025-08-05 09:55

Sample ID 231208-t21fbsbagr
Target 069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c
SHA256 069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c
Tags: dcrat djvu smokeloader zgrat up3 backdoor discovery evasion infostealer persistence ransomware rat themida trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c was found to be: Known bad.

Malicious Activity Summary

Djvu Ransomware

Detected Djvu ransomware

DcRat

ZGRat

Detect ZGRat V1

SmokeLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Themida packer

Executes dropped EXE

Deletes itself

Modifies file permissions

Checks BIOS information in registry

Looks up external IP address via web service

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-08 16:33

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-08 16:33

Reported

2023-12-08 16:36

Platform

win10v2004-20231130-en

Max time kernel

31s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe"

Signatures

DcRat

rat infostealer dcrat

Detect ZGRat V1

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\AEEF.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\AEEF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\AEEF.exe N/A

Deletes itself

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AEEF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\af99b8f0-5d61-4591-bce7-7ad268a67838\\C41E.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\C41E.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\AEEF.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AEEF.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 376 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe
PID 376 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe
PID 376 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe
PID 376 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe
PID 376 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe
PID 376 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe
PID 3352 wrote to memory of 1084 N/A N/A C:\Windows\system32\cmd.exe
PID 3352 wrote to memory of 1084 N/A N/A C:\Windows\system32\cmd.exe
PID 1084 wrote to memory of 3880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1084 wrote to memory of 3880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3352 wrote to memory of 3816 N/A N/A C:\Windows\system32\cmd.exe
PID 3352 wrote to memory of 3816 N/A N/A C:\Windows\system32\cmd.exe
PID 3816 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3816 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3352 wrote to memory of 4476 N/A N/A C:\Users\Admin\AppData\Local\Temp\AEEF.exe
PID 3352 wrote to memory of 4476 N/A N/A C:\Users\Admin\AppData\Local\Temp\AEEF.exe
PID 3352 wrote to memory of 4476 N/A N/A C:\Users\Admin\AppData\Local\Temp\AEEF.exe
PID 3352 wrote to memory of 408 N/A N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe
PID 3352 wrote to memory of 408 N/A N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe
PID 3352 wrote to memory of 408 N/A N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe
PID 408 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe C:\Users\Admin\AppData\Local\Temp\C41E.exe
PID 408 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe C:\Users\Admin\AppData\Local\Temp\C41E.exe
PID 408 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe C:\Users\Admin\AppData\Local\Temp\C41E.exe
PID 408 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe C:\Users\Admin\AppData\Local\Temp\C41E.exe
PID 408 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe C:\Users\Admin\AppData\Local\Temp\C41E.exe
PID 408 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe C:\Users\Admin\AppData\Local\Temp\C41E.exe
PID 408 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe C:\Users\Admin\AppData\Local\Temp\C41E.exe
PID 408 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe C:\Users\Admin\AppData\Local\Temp\C41E.exe
PID 408 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe C:\Users\Admin\AppData\Local\Temp\C41E.exe
PID 408 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe C:\Users\Admin\AppData\Local\Temp\C41E.exe
PID 4788 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe C:\Windows\SysWOW64\icacls.exe
PID 4788 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe C:\Windows\SysWOW64\icacls.exe
PID 4788 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\C41E.exe C:\Windows\SysWOW64\icacls.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe

"C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe"

C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe

"C:\Users\Admin\AppData\Local\Temp\069b33dd85960262ad3e9adc23db48c92ede3087e612d3cd0407ebfa224c8c7c.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3684 -ip 3684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 328

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A3A2.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A5E6.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\AEEF.exe

C:\Users\Admin\AppData\Local\Temp\AEEF.exe

C:\Users\Admin\AppData\Local\Temp\C41E.exe

C:\Users\Admin\AppData\Local\Temp\C41E.exe

C:\Users\Admin\AppData\Local\Temp\C41E.exe

C:\Users\Admin\AppData\Local\Temp\C41E.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\af99b8f0-5d61-4591-bce7-7ad268a67838" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\C41E.exe

"C:\Users\Admin\AppData\Local\Temp\C41E.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\C41E.exe

"C:\Users\Admin\AppData\Local\Temp\C41E.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3728 -ip 3728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 568

C:\Users\Admin\AppData\Local\Temp\D1BB.exe

C:\Users\Admin\AppData\Local\Temp\D1BB.exe

C:\Users\Admin\AppData\Local\Temp\D1BB.exe

C:\Users\Admin\AppData\Local\Temp\D1BB.exe

C:\Users\Admin\AppData\Local\Temp\D8B2.exe

C:\Users\Admin\AppData\Local\Temp\D8B2.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ua9jq80.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ua9jq80.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ox5vF85.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ox5vF85.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gb6wn24.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gb6wn24.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WL95iE1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WL95iE1.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3MO51Qy.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3MO51Qy.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4VT837IJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4VT837IJ.exe

Network

Files
