Malware Analysis Report

2025-08-05 09:54

Sample ID 231208-vr8vdsbcfp
Target 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a
SHA256 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a
Tags
dcrat djvu smokeloader zgrat up3 backdoor discovery evasion infostealer persistence ransomware rat themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a

Threat Level: Known bad

The file 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a was found to be: Known bad.

Malicious Activity Summary

dcrat djvu smokeloader zgrat up3 backdoor discovery evasion infostealer persistence ransomware rat themida trojan

SmokeLoader

Detected Djvu ransomware

Detect ZGRat V1

Djvu Ransomware

ZGRat

DcRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Drops startup file

Deletes itself

Themida packer

Modifies file permissions

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

Enumerates physical storage devices

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-08 17:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-08 17:14

Reported

2023-12-08 17:17

Platform

win10v2004-20231130-en

Max time kernel

38s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\02dfcc31-22dd-4866-b979-8aeda9b2f020\\B4BC.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\B4BC.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
(24 identical rows; the sandbox recorded 24 hits for this signature but no indicator, process or target details)

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
(9 identical rows; the sandbox recorded 9 hits for this signature but no indicator, process or target details)

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\A27C.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\A27C.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\A27C.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B4BC.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
(3 identical rows; the sandbox recorded 3 hits for this signature but no indicator, process or target details)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Re9Xk52.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\02dfcc31-22dd-4866-b979-8aeda9b2f020\\B4BC.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\B4BC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\C70E.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\A27C.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A27C.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe N/A
N/A N/A N/A N/A
(62 identical rows; the sandbox recorded 62 further hits for this signature but no indicator, process or target details)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BE43.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A27C.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3636 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe
PID 3636 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe
PID 3636 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe
PID 3636 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe
PID 3636 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe
PID 3636 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe
PID 3248 wrote to memory of 3052 N/A N/A C:\Windows\system32\cmd.exe
PID 3248 wrote to memory of 3052 N/A N/A C:\Windows\system32\cmd.exe
PID 3052 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3052 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3248 wrote to memory of 1744 N/A N/A C:\Windows\system32\cmd.exe
PID 3248 wrote to memory of 1744 N/A N/A C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1744 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3248 wrote to memory of 3756 N/A N/A C:\Users\Admin\AppData\Local\Temp\A27C.exe
PID 3248 wrote to memory of 3756 N/A N/A C:\Users\Admin\AppData\Local\Temp\A27C.exe
PID 3248 wrote to memory of 3756 N/A N/A C:\Users\Admin\AppData\Local\Temp\A27C.exe
PID 3248 wrote to memory of 2608 N/A N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 3248 wrote to memory of 2608 N/A N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 3248 wrote to memory of 2608 N/A N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 2608 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 2608 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 2608 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 2608 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 2608 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 2608 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 2608 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 2608 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 2608 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 2608 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 4296 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Windows\SysWOW64\icacls.exe
PID 4296 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Windows\SysWOW64\icacls.exe
PID 4296 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Windows\SysWOW64\icacls.exe
PID 4296 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 4296 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 4296 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 3024 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 3024 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 3024 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 3024 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 3024 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 3024 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 3024 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 3024 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 3024 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 3024 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\B4BC.exe C:\Users\Admin\AppData\Local\Temp\B4BC.exe
PID 3248 wrote to memory of 3920 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE43.exe
PID 3248 wrote to memory of 3920 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE43.exe
PID 3920 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\BE43.exe C:\Users\Admin\AppData\Local\Temp\BE43.exe
PID 3920 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\BE43.exe C:\Users\Admin\AppData\Local\Temp\BE43.exe
PID 3920 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\BE43.exe C:\Users\Admin\AppData\Local\Temp\BE43.exe
PID 3920 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\BE43.exe C:\Users\Admin\AppData\Local\Temp\BE43.exe
PID 3920 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\BE43.exe C:\Users\Admin\AppData\Local\Temp\BE43.exe
PID 3920 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\BE43.exe C:\Users\Admin\AppData\Local\Temp\BE43.exe
PID 3248 wrote to memory of 1692 N/A N/A C:\Users\Admin\AppData\Local\Temp\C70E.exe
PID 3248 wrote to memory of 1692 N/A N/A C:\Users\Admin\AppData\Local\Temp\C70E.exe
PID 3248 wrote to memory of 1692 N/A N/A C:\Users\Admin\AppData\Local\Temp\C70E.exe
PID 1692 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\C70E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe
PID 1692 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\C70E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe
PID 1692 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\C70E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe
PID 888 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe
PID 888 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe
PID 888 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe
PID 3256 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Re9Xk52.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe

"C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe"

C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe

"C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4416 -ip 4416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 328

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\97AC.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9A3D.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\A27C.exe

C:\Users\Admin\AppData\Local\Temp\A27C.exe

C:\Users\Admin\AppData\Local\Temp\B4BC.exe

C:\Users\Admin\AppData\Local\Temp\B4BC.exe

C:\Users\Admin\AppData\Local\Temp\B4BC.exe

C:\Users\Admin\AppData\Local\Temp\B4BC.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\02dfcc31-22dd-4866-b979-8aeda9b2f020" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\B4BC.exe

"C:\Users\Admin\AppData\Local\Temp\B4BC.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\B4BC.exe

"C:\Users\Admin\AppData\Local\Temp\B4BC.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 448 -ip 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 568

C:\Users\Admin\AppData\Local\Temp\BE43.exe

C:\Users\Admin\AppData\Local\Temp\BE43.exe

C:\Users\Admin\AppData\Local\Temp\BE43.exe

C:\Users\Admin\AppData\Local\Temp\BE43.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Re9Xk52.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Re9Xk52.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1qC43uE0.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1qC43uE0.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe

C:\Users\Admin\AppData\Local\Temp\C70E.exe

C:\Users\Admin\AppData\Local\Temp\C70E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4pZ252VG.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4pZ252VG.exe

C:\Users\Admin\AppData\Local\Temp\2BEE.exe

C:\Users\Admin\AppData\Local\Temp\2BEE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 24.52.193.212.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 edarululoom.com udp
US 188.114.97.2:443 edarululoom.com tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 brusuax.com udp
KR 58.151.148.90:80 brusuax.com tcp
US 38.47.221.193:34368 tcp
US 8.8.8.8:53 90.148.151.58.in-addr.arpa udp
US 8.8.8.8:53 193.221.47.38.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 212.193.52.24:80 host-host-file8.com tcp
US 188.114.96.2:443 api.2ip.ua tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 185.196.8.238:80 185.196.8.238 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 238.8.196.185.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 109.107.182.45:80 109.107.182.45 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 45.182.107.109.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 51.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp

Files

memory/3636-1-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

memory/3636-2-0x0000000002490000-0x0000000002499000-memory.dmp

memory/4416-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4416-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3248-5-0x0000000002B10000-0x0000000002B26000-memory.dmp

memory/4416-8-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\97AC.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\9A3D.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\9A3D.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\A27C.exe

MD5 a3dea4c1f895c2729505cb4712ad469d
SHA1 fdfeebab437bf7f97fb848cd67abec9409adb3b2
SHA256 acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd
SHA512 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4

C:\Users\Admin\AppData\Local\Temp\A27C.exe

MD5 a3dea4c1f895c2729505cb4712ad469d
SHA1 fdfeebab437bf7f97fb848cd67abec9409adb3b2
SHA256 acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd
SHA512 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4

memory/3756-25-0x0000000000140000-0x0000000000C0A000-memory.dmp

memory/3756-26-0x0000000076F80000-0x0000000077070000-memory.dmp

memory/3756-27-0x0000000076F80000-0x0000000077070000-memory.dmp

memory/3756-28-0x0000000076F80000-0x0000000077070000-memory.dmp

memory/3756-29-0x0000000076F80000-0x0000000077070000-memory.dmp

memory/3756-30-0x0000000076F80000-0x0000000077070000-memory.dmp

memory/3756-31-0x00000000772B4000-0x00000000772B6000-memory.dmp

memory/3756-34-0x0000000000140000-0x0000000000C0A000-memory.dmp

memory/3756-35-0x0000000007F80000-0x0000000008524000-memory.dmp

memory/3756-36-0x0000000007AB0000-0x0000000007B42000-memory.dmp

memory/3756-37-0x00000000053A0000-0x00000000053AA000-memory.dmp

memory/3756-38-0x0000000008B50000-0x0000000009168000-memory.dmp

memory/3756-39-0x0000000008530000-0x000000000863A000-memory.dmp

memory/3756-40-0x0000000007CB0000-0x0000000007CC2000-memory.dmp

memory/3756-41-0x0000000007E20000-0x0000000007E5C000-memory.dmp

memory/3756-42-0x0000000007E60000-0x0000000007EAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B4BC.exe

MD5 e27247ec600dabb644c82302d61b711e
SHA1 e7fe7d032d2d5f3ebd2feb232745a6837ad0d5a3
SHA256 97b604727ac944fa6d842ab8ab819cd8db0a8beddcf5edece60dbb27ff16cf4e
SHA512 d5b0d317afbf017f3e6419350fa9fc5dafbd48c8d0bd08b993227a14b2f60bfe59fecf25153e2708088daf6b7b66f8d92c95c238d555f24cdeda86caebf7b054

C:\Users\Admin\AppData\Local\Temp\B4BC.exe

MD5 e27247ec600dabb644c82302d61b711e
SHA1 e7fe7d032d2d5f3ebd2feb232745a6837ad0d5a3
SHA256 97b604727ac944fa6d842ab8ab819cd8db0a8beddcf5edece60dbb27ff16cf4e
SHA512 d5b0d317afbf017f3e6419350fa9fc5dafbd48c8d0bd08b993227a14b2f60bfe59fecf25153e2708088daf6b7b66f8d92c95c238d555f24cdeda86caebf7b054

memory/2608-51-0x00000000024E0000-0x0000000002580000-memory.dmp

memory/4296-50-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B4BC.exe

MD5 e27247ec600dabb644c82302d61b711e
SHA1 e7fe7d032d2d5f3ebd2feb232745a6837ad0d5a3
SHA256 97b604727ac944fa6d842ab8ab819cd8db0a8beddcf5edece60dbb27ff16cf4e
SHA512 d5b0d317afbf017f3e6419350fa9fc5dafbd48c8d0bd08b993227a14b2f60bfe59fecf25153e2708088daf6b7b66f8d92c95c238d555f24cdeda86caebf7b054

memory/4296-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2608-52-0x0000000002580000-0x000000000269B000-memory.dmp

memory/4296-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4296-54-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\02dfcc31-22dd-4866-b979-8aeda9b2f020\B4BC.exe

MD5 e27247ec600dabb644c82302d61b711e
SHA1 e7fe7d032d2d5f3ebd2feb232745a6837ad0d5a3
SHA256 97b604727ac944fa6d842ab8ab819cd8db0a8beddcf5edece60dbb27ff16cf4e
SHA512 d5b0d317afbf017f3e6419350fa9fc5dafbd48c8d0bd08b993227a14b2f60bfe59fecf25153e2708088daf6b7b66f8d92c95c238d555f24cdeda86caebf7b054

C:\Users\Admin\AppData\Local\Temp\B4BC.exe

MD5 e27247ec600dabb644c82302d61b711e
SHA1 e7fe7d032d2d5f3ebd2feb232745a6837ad0d5a3
SHA256 97b604727ac944fa6d842ab8ab819cd8db0a8beddcf5edece60dbb27ff16cf4e
SHA512 d5b0d317afbf017f3e6419350fa9fc5dafbd48c8d0bd08b993227a14b2f60bfe59fecf25153e2708088daf6b7b66f8d92c95c238d555f24cdeda86caebf7b054

memory/4296-64-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3024-67-0x0000000002500000-0x000000000259C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B4BC.exe

MD5 e27247ec600dabb644c82302d61b711e
SHA1 e7fe7d032d2d5f3ebd2feb232745a6837ad0d5a3
SHA256 97b604727ac944fa6d842ab8ab819cd8db0a8beddcf5edece60dbb27ff16cf4e
SHA512 d5b0d317afbf017f3e6419350fa9fc5dafbd48c8d0bd08b993227a14b2f60bfe59fecf25153e2708088daf6b7b66f8d92c95c238d555f24cdeda86caebf7b054

memory/448-70-0x0000000000400000-0x0000000000537000-memory.dmp

memory/448-71-0x0000000000400000-0x0000000000537000-memory.dmp

memory/448-73-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BE43.exe

MD5 7f5108b2158d537f11fd88886c1c047c
SHA1 c8249dc7ccf26b99cf1fa8b17e8334f7a27ce883
SHA256 da5406c85fcfa394d19d96f77a175539058119cbb86159ca57adcdf79d426ca8
SHA512 b07e144e83bdebf4ec2e0227cc9fe40c9d6655776114a3bdc3d82cf935999c46ca2dbfa8cb6d421dfe958eb92a053845e0bffdb1bf42593096d084c04ae60cc1

memory/3920-80-0x0000014937080000-0x00000149371D0000-memory.dmp

memory/3920-81-0x0000014939050000-0x0000014939130000-memory.dmp

memory/3920-82-0x0000014939130000-0x00000149391F8000-memory.dmp

memory/3920-84-0x0000014938F80000-0x0000014938F90000-memory.dmp

memory/3920-83-0x00007FF98A220000-0x00007FF98ACE1000-memory.dmp

memory/3920-85-0x0000014951900000-0x00000149519C8000-memory.dmp

memory/3920-86-0x0000014938EE0000-0x0000014938F2C000-memory.dmp

memory/508-87-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/508-91-0x000001EE819F0000-0x000001EE81AD4000-memory.dmp

memory/3756-93-0x0000000000140000-0x0000000000C0A000-memory.dmp

memory/3920-92-0x00007FF98A220000-0x00007FF98ACE1000-memory.dmp

memory/3756-94-0x0000000076F80000-0x0000000077070000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BE43.exe.log

MD5 9f5d0107d96d176b1ffcd5c7e7a42dc9
SHA1 de83788e2f18629555c42a3e6fada12f70457141
SHA256 d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097
SHA512 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

memory/3756-95-0x0000000076F80000-0x0000000077070000-memory.dmp

memory/3756-99-0x0000000076F80000-0x0000000077070000-memory.dmp

memory/508-100-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-98-0x000001EE81B30000-0x000001EE81B40000-memory.dmp

memory/508-97-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-96-0x00007FF98A220000-0x00007FF98ACE1000-memory.dmp

memory/508-102-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-104-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-110-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-112-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-114-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-108-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-116-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-106-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-120-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-122-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-118-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-124-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-126-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-128-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/3756-133-0x00000000086E0000-0x0000000008746000-memory.dmp

memory/508-135-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-137-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-139-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-141-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-132-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-143-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

memory/508-130-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C70E.exe

MD5 4cfe5852a1362c02aaf9908665f4f0c0
SHA1 eeaf622cc64ae02e1a628c145b3033660ba01564
SHA256 732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8
SHA512 7554aa50a40611091cb8e0735678da767170f1d94ace112253974a0e8492b372d40e09e8355b2046a251b81728d1b6130fe04f62dc55fe81ff1dd7cd7809a8ad

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe

MD5 1dddbb01cade6760d5bb2568385e10a3
SHA1 3d4fd37cd03f6380194493de831ce85a9f06e55d
SHA256 7d840ef49904ab8884a175940fabf3312096dca7ce660b32db921a03967528b0
SHA512 633337b9d67446336fdb131a377932ccc688452563927d81cfe5b6c6d5989c85e7bd8f071fb399028886cca0f7289a71e62bdbd4c9262bebc9d8b96246574f6b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe

MD5 3dfe7bd2fb7971a272b3ea5204254bba
SHA1 e4015da07f896a2045445f643900dec852794478
SHA256 29ad51e32cc63efe52927221ad30b46b7df58d592c4a99b75f402f4095c1bd7a
SHA512 d1e03c615ee13efaaa25feda7b4fb566e0206b3071c26059e171754d17916cdc0dab99e3dd2608bd1e6dd9d1011143f75db92b2be4012568e8b6402c0bae2508

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Re9Xk52.exe

MD5 774714c1eaede5846259c8a7fd64623f
SHA1 58d8b5e28fdee352f75a0b1be36be44ec46002c5
SHA256 dd0e46c58dce01ae2aa160cb6ec1d3403bfbf1171712bfa40e79280f1fd03005
SHA512 717ae04097a52fb36c360da5459a39b1e5bb3dff7d8b3d3446faeedd06472f4730340a9cd5e3ba3fdaebee9ad5132e6cf409463532f5296874d5e6ac8302b1ad

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1qC43uE0.exe

MD5 b7824568d5bfe2ea41d327860621e65c
SHA1 520b3a77fb1085adcdfb724c1ab925bb130f321c
SHA256 ae05cfafd5d0c6fc27c9853367951274521d4ab95e5ec38669781a7f46aa725c
SHA512 570bae7ad549d69ea2e493e77b0c1f4bd49f2a02b9c8132764a9a920633d7df9894026dc434d6b80b69003e5250464fc3b53b983e391957f56614b22a01803af

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe

MD5 521e4cd38d0ba9e19d7766fbc01713db
SHA1 a22dcf847737c84315be5fbc69197128d1d380e5
SHA256 919daabecdb7a855a8ea4ba6df86a2c8f382eaa8519327e7540e2af36988cc7a
SHA512 b98d9caf035bb36761f1b524528d2ce5fc0643dc7efac79e942631fc0bd4312ac0d735f34f56566f66b85f3fd3a1e7cd3af5725daac1d9cd3b5854ab207c8326

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

MD5 89d41e1cf478a3d3c2c701a27a5692b2
SHA1 691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256 dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA512 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

memory/4452-403-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3756-401-0x0000000076F80000-0x0000000077070000-memory.dmp

memory/3756-399-0x0000000076F80000-0x0000000077070000-memory.dmp

memory/4452-1000-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3756-1004-0x0000000005570000-0x00000000055C0000-memory.dmp