Analysis Overview
SHA256
3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a
Threat Level: Known bad
The file 3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Detected Djvu ransomware
Detect ZGRat V1
Djvu Ransomware
ZGRat
DcRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Drops startup file
Deletes itself
Themida packer
Modifies file permissions
Checks computer location settings
Checks BIOS information in registry
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Program crash
Enumerates physical storage devices
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-08 17:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-08 17:14
Reported
2023-12-08 17:17
Platform
win10v2004-20231130-en
Max time kernel
38s
Max time network
132s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\02dfcc31-22dd-4866-b979-8aeda9b2f020\\B4BC.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\B4BC.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\A27C.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\A27C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\A27C.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\B4BC.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A27C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4BC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4BC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4BC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4BC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BE43.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BE43.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C70E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Re9Xk52.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1qC43uE0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Re9Xk52.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\02dfcc31-22dd-4866-b979-8aeda9b2f020\\B4BC.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\B4BC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\C70E.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\A27C.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A27C.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3636 set thread context of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe |
| PID 2608 set thread context of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\B4BC.exe | C:\Users\Admin\AppData\Local\Temp\B4BC.exe |
| PID 3024 set thread context of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\B4BC.exe | C:\Users\Admin\AppData\Local\Temp\B4BC.exe |
| PID 3920 set thread context of 508 | N/A | C:\Users\Admin\AppData\Local\Temp\BE43.exe | C:\Users\Admin\AppData\Local\Temp\BE43.exe |
| PID 3548 set thread context of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1qC43uE0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\B4BC.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BE43.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\A27C.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe
"C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe"
C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe
"C:\Users\Admin\AppData\Local\Temp\3b7485ad0c468862f394dd4d1dd0448382020431ba01760b0745e3c256926d0a.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4416 -ip 4416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 328
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\97AC.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9A3D.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\A27C.exe
C:\Users\Admin\AppData\Local\Temp\A27C.exe
C:\Users\Admin\AppData\Local\Temp\B4BC.exe
C:\Users\Admin\AppData\Local\Temp\B4BC.exe
C:\Users\Admin\AppData\Local\Temp\B4BC.exe
C:\Users\Admin\AppData\Local\Temp\B4BC.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\02dfcc31-22dd-4866-b979-8aeda9b2f020" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\B4BC.exe
"C:\Users\Admin\AppData\Local\Temp\B4BC.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\B4BC.exe
"C:\Users\Admin\AppData\Local\Temp\B4BC.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 448 -ip 448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 568
C:\Users\Admin\AppData\Local\Temp\BE43.exe
C:\Users\Admin\AppData\Local\Temp\BE43.exe
C:\Users\Admin\AppData\Local\Temp\BE43.exe
C:\Users\Admin\AppData\Local\Temp\BE43.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Re9Xk52.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Re9Xk52.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1qC43uE0.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1qC43uE0.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe
C:\Users\Admin\AppData\Local\Temp\C70E.exe
C:\Users\Admin\AppData\Local\Temp\C70E.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4pZ252VG.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4pZ252VG.exe
C:\Users\Admin\AppData\Local\Temp\2BEE.exe
C:\Users\Admin\AppData\Local\Temp\2BEE.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 24.52.193.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edarululoom.com | udp |
| US | 188.114.97.2:443 | edarululoom.com | tcp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 58.151.148.90:80 | brusuax.com | tcp |
| US | 38.47.221.193:34368 | N/A | tcp |
| US | 8.8.8.8:53 | 90.148.151.58.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.221.47.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.96.2:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 185.196.8.238:80 | 185.196.8.238 | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.8.196.185.in-addr.arpa | udp |
| RU | 109.107.182.45:80 | 109.107.182.45 | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.182.107.109.in-addr.arpa | udp |
| US | 193.233.132.51:50500 | N/A | tcp |
| US | 8.8.8.8:53 | 51.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\97AC.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\9A3D.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\A27C.exe
| MD5 | a3dea4c1f895c2729505cb4712ad469d |
| SHA1 | fdfeebab437bf7f97fb848cd67abec9409adb3b2 |
| SHA256 | acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd |
| SHA512 | 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4 |
C:\Users\Admin\AppData\Local\Temp\B4BC.exe
| MD5 | e27247ec600dabb644c82302d61b711e |
| SHA1 | e7fe7d032d2d5f3ebd2feb232745a6837ad0d5a3 |
| SHA256 | 97b604727ac944fa6d842ab8ab819cd8db0a8beddcf5edece60dbb27ff16cf4e |
| SHA512 | d5b0d317afbf017f3e6419350fa9fc5dafbd48c8d0bd08b993227a14b2f60bfe59fecf25153e2708088daf6b7b66f8d92c95c238d555f24cdeda86caebf7b054 |
C:\Users\Admin\AppData\Local\02dfcc31-22dd-4866-b979-8aeda9b2f020\B4BC.exe
| MD5 | e27247ec600dabb644c82302d61b711e |
| SHA1 | e7fe7d032d2d5f3ebd2feb232745a6837ad0d5a3 |
| SHA256 | 97b604727ac944fa6d842ab8ab819cd8db0a8beddcf5edece60dbb27ff16cf4e |
| SHA512 | d5b0d317afbf017f3e6419350fa9fc5dafbd48c8d0bd08b993227a14b2f60bfe59fecf25153e2708088daf6b7b66f8d92c95c238d555f24cdeda86caebf7b054 |
C:\Users\Admin\AppData\Local\Temp\BE43.exe
| MD5 | 7f5108b2158d537f11fd88886c1c047c |
| SHA1 | c8249dc7ccf26b99cf1fa8b17e8334f7a27ce883 |
| SHA256 | da5406c85fcfa394d19d96f77a175539058119cbb86159ca57adcdf79d426ca8 |
| SHA512 | b07e144e83bdebf4ec2e0227cc9fe40c9d6655776114a3bdc3d82cf935999c46ca2dbfa8cb6d421dfe958eb92a053845e0bffdb1bf42593096d084c04ae60cc1 |
C:\Users\Admin\AppData\Local\Temp\BE43.exe
| MD5 | 7f5108b2158d537f11fd88886c1c047c |
| SHA1 | c8249dc7ccf26b99cf1fa8b17e8334f7a27ce883 |
| SHA256 | da5406c85fcfa394d19d96f77a175539058119cbb86159ca57adcdf79d426ca8 |
| SHA512 | b07e144e83bdebf4ec2e0227cc9fe40c9d6655776114a3bdc3d82cf935999c46ca2dbfa8cb6d421dfe958eb92a053845e0bffdb1bf42593096d084c04ae60cc1 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BE43.exe.log
| MD5 | 9f5d0107d96d176b1ffcd5c7e7a42dc9 |
| SHA1 | de83788e2f18629555c42a3e6fada12f70457141 |
| SHA256 | d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097 |
| SHA512 | 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61 |
C:\Users\Admin\AppData\Local\Temp\C70E.exe
| MD5 | 4cfe5852a1362c02aaf9908665f4f0c0 |
| SHA1 | eeaf622cc64ae02e1a628c145b3033660ba01564 |
| SHA256 | 732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8 |
| SHA512 | 7554aa50a40611091cb8e0735678da767170f1d94ace112253974a0e8492b372d40e09e8355b2046a251b81728d1b6130fe04f62dc55fe81ff1dd7cd7809a8ad |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oe9XV72.exe
| MD5 | 1dddbb01cade6760d5bb2568385e10a3 |
| SHA1 | 3d4fd37cd03f6380194493de831ce85a9f06e55d |
| SHA256 | 7d840ef49904ab8884a175940fabf3312096dca7ce660b32db921a03967528b0 |
| SHA512 | 633337b9d67446336fdb131a377932ccc688452563927d81cfe5b6c6d5989c85e7bd8f071fb399028886cca0f7289a71e62bdbd4c9262bebc9d8b96246574f6b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ta4xZ73.exe
| MD5 | 3dfe7bd2fb7971a272b3ea5204254bba |
| SHA1 | e4015da07f896a2045445f643900dec852794478 |
| SHA256 | 29ad51e32cc63efe52927221ad30b46b7df58d592c4a99b75f402f4095c1bd7a |
| SHA512 | d1e03c615ee13efaaa25feda7b4fb566e0206b3071c26059e171754d17916cdc0dab99e3dd2608bd1e6dd9d1011143f75db92b2be4012568e8b6402c0bae2508 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Re9Xk52.exe
| MD5 | 774714c1eaede5846259c8a7fd64623f |
| SHA1 | 58d8b5e28fdee352f75a0b1be36be44ec46002c5 |
| SHA256 | dd0e46c58dce01ae2aa160cb6ec1d3403bfbf1171712bfa40e79280f1fd03005 |
| SHA512 | 717ae04097a52fb36c360da5459a39b1e5bb3dff7d8b3d3446faeedd06472f4730340a9cd5e3ba3fdaebee9ad5132e6cf409463532f5296874d5e6ac8302b1ad |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1qC43uE0.exe
| MD5 | b7824568d5bfe2ea41d327860621e65c |
| SHA1 | 520b3a77fb1085adcdfb724c1ab925bb130f321c |
| SHA256 | ae05cfafd5d0c6fc27c9853367951274521d4ab95e5ec38669781a7f46aa725c |
| SHA512 | 570bae7ad549d69ea2e493e77b0c1f4bd49f2a02b9c8132764a9a920633d7df9894026dc434d6b80b69003e5250464fc3b53b983e391957f56614b22a01803af |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3vT82iQ.exe
| MD5 | 521e4cd38d0ba9e19d7766fbc01713db |
| SHA1 | a22dcf847737c84315be5fbc69197128d1d380e5 |
| SHA256 | 919daabecdb7a855a8ea4ba6df86a2c8f382eaa8519327e7540e2af36988cc7a |
| SHA512 | b98d9caf035bb36761f1b524528d2ce5fc0643dc7efac79e942631fc0bd4312ac0d735f34f56566f66b85f3fd3a1e7cd3af5725daac1d9cd3b5854ab207c8326 |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
| MD5 | 89d41e1cf478a3d3c2c701a27a5692b2 |
| SHA1 | 691e20583ef80cb9a2fd3258560e7f02481d12fd |
| SHA256 | dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac |
| SHA512 | 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc |
memory/4452-403-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3756-401-0x0000000076F80000-0x0000000077070000-memory.dmp
memory/3756-399-0x0000000076F80000-0x0000000077070000-memory.dmp
memory/4452-1000-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3756-1004-0x0000000005570000-0x00000000055C0000-memory.dmp
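The artifact list above is raw sandbox output: memory dump names encode the process ID, a sequence number and the address range that was dumped, and dropped files are listed with their hashes, sometimes more than once. The following is an added example (not Triage's own tooling and not part of this report) that parses such a listing into per-process region statistics and a deduplicated hash set. It assumes dump names follow the pattern `memory/<pid>-<seq>-<start>-<end>-memory.dmp` as they appear here; the two flags it computes are analyst heuristics, not facts from the report: `wow64_like` means every address in the region fits below 4 GiB (typical of a 32-bit process, though a 64-bit process can also allocate there), and `image_base_like` means the region starts at 0x400000, the usual default image base of a 32-bit PE. The sample input is constructed from a subset of the lines above and deliberately repeats one file block.

```python
"""Parse a Triage-style artifact listing (memory dump names plus dropped-file
hash tables) into per-process region statistics and a deduplicated IOC set.

Added example, not the sandbox's own code. Assumptions not stated by the
report: dump names follow memory/<pid>-<seq>-<start>-<end>-memory.dmp, and
the wow64_like / image_base_like flags are rules of thumb, not ground truth.
"""
import re
from collections import defaultdict

MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")   # a Windows path line starts a new file entry

# Constructed sample: lines copied from the listing, with one file block
# repeated verbatim the way the report repeats it.
SAMPLE = r"""
memory/508-98-0x000001EE81B30000-0x000001EE81B40000-memory.dmp
memory/508-97-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp
memory/508-102-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp
memory/508-104-0x000001EE819F0000-0x000001EE81AD0000-memory.dmp
memory/3756-133-0x00000000086E0000-0x0000000008746000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C70E.exe
| MD5 | 4cfe5852a1362c02aaf9908665f4f0c0 |
| SHA1 | eeaf622cc64ae02e1a628c145b3033660ba01564 |
| SHA256 | 732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8 |
C:\Users\Admin\AppData\Local\Temp\C70E.exe
| MD5 | 4cfe5852a1362c02aaf9908665f4f0c0 |
| SHA1 | eeaf622cc64ae02e1a628c145b3033660ba01564 |
| SHA256 | 732c972b120ed0c3d375eb811225e133945c56a0744ebd78e137af2446756fd8 |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
| MD5 | 89d41e1cf478a3d3c2c701a27a5692b2 |
| SHA1 | 691e20583ef80cb9a2fd3258560e7f02481d12fd |
| SHA256 | dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac |
memory/4452-403-0x0000000000400000-0x000000000040B000-memory.dmp
memory/4452-1000-0x0000000000400000-0x000000000040B000-memory.dmp
"""


def parse_listing(text):
    """Return (dumps, files).

    dumps: one dict per memory dump line: pid, seq, start, end, size.
    files: path -> list of distinct hash dicts; a file block repeated with
           identical hashes is recorded once, a different hash at the same
           path is kept as a second entry.
    """
    dumps = []
    files = defaultdict(list)
    path, entry = None, None

    def commit(path, entry):
        if path is not None and entry and entry not in files[path]:
            files[path].append(entry)

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            commit(path, entry)
            path, entry = None, None
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": start, "end": end, "size": end - start})
            continue
        h = HASH_ROW_RE.match(line)
        if h and entry is not None:
            entry[h.group(1).lower()] = h.group(2).lower()
            continue
        if PATH_RE.match(line):
            commit(path, entry)
            path, entry = line, {}
            continue
        commit(path, entry)          # any other line ends the current file entry
        path, entry = None, None
    commit(path, entry)
    return dumps, dict(files)


def summarize_dumps(dumps):
    """Group dumps by (pid, start, end): size, how often the same region was
    re-dumped (repeated dumps of one region usually mean the sandbox saw it
    rewritten), and two address heuristics described in the lead-in."""
    counts = defaultdict(int)
    for d in dumps:
        counts[(d["pid"], d["start"], d["end"])] += 1
    regions = []
    for (pid, start, end), count in sorted(counts.items()):
        regions.append({"pid": pid, "start": start, "end": end, "size": end - start,
                        "count": count,
                        "wow64_like": end <= 0xFFFFFFFF,        # heuristic
                        "image_base_like": start == 0x400000})  # heuristic
    return regions


def unique_sha256(files):
    """Sorted, deduplicated SHA-256 values across all dropped files."""
    return sorted({e["sha256"] for entries in files.values() for e in entries if "sha256" in e})


if __name__ == "__main__":
    dumps, files = parse_listing(SAMPLE)
    for r in summarize_dumps(dumps):
        print(f"pid {r['pid']:>5} {r['start']:#018x}-{r['end']:#018x} "
              f"size={r['size']:#x} dumped {r['count']}x "
              f"wow64_like={r['wow64_like']} image_base_like={r['image_base_like']}")
    for sha in unique_sha256(files):
        print("sha256", sha)
```

Run on the constructed sample, the 508 region 0x1EE819F0000-0x1EE81AD0000 (0xE0000 bytes) is reported three times while the 4452 region 0x400000-0x40B000 (0xB000 bytes) is flagged as both 32-bit-looking and image-base-looking, and the repeated C70E.exe block collapses to one hash set; whether those observations mean injection or unpacking is for the analyst to confirm from the dumps themselves.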