Analysis Overview
SHA256
4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124
Threat Level: Known bad
The file 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124 was found to be: Known bad.
Malicious Activity Summary
DcRat
Detected Djvu ransomware
Detect ZGRat V1
ZGRat
SmokeLoader
Djvu Ransomware
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
Checks BIOS information in registry
Modifies file permissions
Themida packer
Deletes itself
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-08 16:34
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-08 16:34
Reported
2023-12-08 16:36
Platform
win10v2004-20231130-en
Max time kernel
30s
Max time network
152s
Signatures
DcRat
Detect ZGRat V1
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\A038.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\A038.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\A038.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A038.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFCA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFCA.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\25111b4e-3e11-490e-8473-ed0f6cb06d72\\AFCA.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\AFCA.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\A038.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A038.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4756 set thread context of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe | C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe |
| PID 3408 set thread context of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\AFCA.exe | C:\Users\Admin\AppData\Local\Temp\AFCA.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe
"C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe"
C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe
"C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 436 -ip 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 328
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\956A.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\A038.exe
C:\Users\Admin\AppData\Local\Temp\A038.exe
C:\Users\Admin\AppData\Local\Temp\AFCA.exe
C:\Users\Admin\AppData\Local\Temp\AFCA.exe
C:\Users\Admin\AppData\Local\Temp\AFCA.exe
C:\Users\Admin\AppData\Local\Temp\AFCA.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\25111b4e-3e11-490e-8473-ed0f6cb06d72" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\AFCA.exe
"C:\Users\Admin\AppData\Local\Temp\AFCA.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4048 -ip 4048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 568
C:\Users\Admin\AppData\Local\Temp\AFCA.exe
"C:\Users\Admin\AppData\Local\Temp\AFCA.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\B9CD.exe
C:\Users\Admin\AppData\Local\Temp\B9CD.exe
C:\Users\Admin\AppData\Local\Temp\B9CD.exe
C:\Users\Admin\AppData\Local\Temp\B9CD.exe
C:\Users\Admin\AppData\Local\Temp\C2F6.exe
C:\Users\Admin\AppData\Local\Temp\C2F6.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ua9jq80.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ua9jq80.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WL95iE1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WL95iE1.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gb6wn24.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gb6wn24.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ox5vF85.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ox5vF85.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3MO51Qy.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3MO51Qy.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4VT837IJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4VT837IJ.exe
Network
Files