Analysis Overview
SHA256
8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58
Threat Level: Known bad
The file 8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Djvu Ransomware
ZGRat
RedLine
Detected Djvu ransomware
RisePro
Detect ZGRat V1
Detects DLL dropped by Raspberry Robin.
DcRat
PrivateLoader
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Drops startup file
Deletes itself
Modifies file permissions
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Executes dropped EXE
Checks BIOS information in registry
Themida packer
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Accesses Microsoft Outlook profiles
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
AutoIT Executable
Enumerates physical storage devices
Unsigned PE
Program crash
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
outlook_win_path
outlook_office_path
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Checks processor information in registry
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2023-12-11 05:05 |
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2023-12-11 05:05 |
| Reported | 2023-12-11 05:10 |
| Platform | win7-20231130-en |
| Max time kernel | 30s |
| Max time network | 199s |
Command Line
Signatures
Detect ZGRat V1
Detected Djvu ransomware
Djvu Ransomware
PrivateLoader
RedLine
RedLine payload
RisePro
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
AutoIT Executable
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2032 set thread context of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe
"C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe"
C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe
"C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe"
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7A4E.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\81ED.bat" "
C:\Users\Admin\AppData\Local\Temp\D167.exe
C:\Users\Admin\AppData\Local\Temp\D167.exe
C:\Users\Admin\AppData\Local\Temp\16D.exe
C:\Users\Admin\AppData\Local\Temp\16D.exe
C:\Users\Admin\AppData\Local\Temp\16D.exe
C:\Users\Admin\AppData\Local\Temp\16D.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\04b9cc7f-43de-45ae-ba56-1af5527a9bf3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\16D.exe
"C:\Users\Admin\AppData\Local\Temp\16D.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\16D.exe
"C:\Users\Admin\AppData\Local\Temp\16D.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\2EE3.exe
C:\Users\Admin\AppData\Local\Temp\2EE3.exe
C:\Users\Admin\AppData\Local\Temp\2EE3.exe
C:\Users\Admin\AppData\Local\Temp\2EE3.exe
C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build2.exe
"C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build2.exe"
C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build2.exe
"C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1452
C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build3.exe
"C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build3.exe"
C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build3.exe
"C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "412955830-2106039015104744157427168583-1255834076-1158100537-1479764714311912355"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe
C:\Users\Admin\AppData\Local\Temp\A1F0.exe
C:\Users\Admin\AppData\Local\Temp\A1F0.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xp358sR.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xp358sR.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://store.steampowered.com/login
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1844 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/signin
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.epicgames.com/id/login
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/openid/loginform
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://twitter.com/i/flow/login
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6WE2wQ6.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6WE2wQ6.exe
C:\Users\Admin\AppData\Local\Temp\11E2.exe
C:\Users\Admin\AppData\Local\Temp\11E2.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {B7F80C6A-1BBE-4F11-8565-BBD8353B540D} S-1-5-21-2058106572-1146578376-825901627-1000:LPKQNNGV\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\BA52.exe
C:\Users\Admin\AppData\Local\Temp\BA52.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\C135.exe
C:\Users\Admin\AppData\Local\Temp\C135.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\is-T4OF5.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T4OF5.tmp\tuc3.tmp" /SL5="$106B6,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\FDAA.exe
C:\Users\Admin\AppData\Local\Temp\FDAA.exe
C:\Users\Admin\AppData\Local\Temp\11C7.exe
C:\Users\Admin\AppData\Local\Temp\11C7.exe
Network
Files
| SHA256 | 16b7dab79ce1991b8609c5e7543d974e1b13034ebf13d9a246e86b678d79bdc7 |
| SHA512 | 334cf8ffcf55652e3da59613c9949be040573ed0ffab17de6ad89f742e46288ec39e47821632c8e5e745043fb4c33d312d50adce32b22569b6408041431e96c3 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\6WE2wQ6.exe
| MD5 | b47fc6a06830ad32c7433aeaae2ce607 |
| SHA1 | 1ad2ec89b8416fbc2232911b24f361a8b1882a7a |
| SHA256 | 1866357aa85e80ac03a3fcda3627518bc49937f322e7f283c2a81069efd4b12e |
| SHA512 | 2ebcc347ab493cb1093a8fe77be0ef8099510fff179a16da6e7ae47980c0d340ad46e46b359e6e3c2329533540b56920221f916078fcf9fcdef55cd0079812fb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e2f64856064bdf102282275293790b07 |
| SHA1 | 4b5751f6fe1ee17deaa491d4479a134e56d0bc35 |
| SHA256 | f3c40efbeb68fb38b0e59a114df3eabb174bc93ea8ce55a6c04e94de7dac7f97 |
| SHA512 | 12f98312c9cc28a1b82f7f9f6e575e25953cd09e2d620ea2b94fb02eb392f22714e05313af65e599396612f6c8546486259f3899648eb81736bc5fe1d7ad1705 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | f0574bb0afdf68a173736236c2b11351 |
| SHA1 | 05971b19359e8e36f9b242cd58dcb296074b1530 |
| SHA256 | a3e7b331b29b5d0642a513eadaec37fc1f819d088e9b0cae8e9cbfd054b6c83e |
| SHA512 | c4c9d96ca2edc62b24cb5ad72149459c4e68d8bd56d021b4df8f38b7b52d6e6b512a8d4318679e7b86b2e785713ab3c91b8791c710aa726feae89e4b72fbe24d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | c2f69a991d8bb9b5f52b8eb5644dce12 |
| SHA1 | aa0ae8e0e5cf68a1c302a673a1ef1efe3a464470 |
| SHA256 | 099d29e2b9f992e61c31ce334105c30744145160b2e3dcddd54ab01127d9d390 |
| SHA512 | 046f14856cd41db510b8b4739390e39d2620da5d04a8f0cf20c394c3f96c95654a19d1f370eb4f80cf06ef2f01d30aaaddf6fa69cda16d0ffd4d4143b5c1c822 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8M86OWM\shared_responsive[1].css
| MD5 | 086f049ba7be3b3ab7551f792e4cbce1 |
| SHA1 | 292c885b0515d7f2f96615284a7c1a4b8a48294a |
| SHA256 | b38fc1074ef68863c2841111b9e20d98ea0305c1e39308dc7ad3a6f3fd39117a |
| SHA512 | 645f23b5598d0c38286c2a68268cb0bc60db9f6de7620297f94ba14afe218d18359d124ebb1518d31cd8960baed7870af8fd6960902b1c9496d945247fbb2d78 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8M86OWM\shared_responsive_adapter[2].js
| MD5 | a52bc800ab6e9df5a05a5153eea29ffb |
| SHA1 | 8661643fcbc7498dd7317d100ec62d1c1c6886ff |
| SHA256 | 57cfaf9b92c98541f769090cd0229a30013cea7cfafc18519ca654bfae29e14e |
| SHA512 | 1bcacd0ec7c3d633d6296fff3325802d6352805f0d2cf1eea39237424229ecffad6cb2aee4248e28b1eca02ff0646b58240851a246bbcf0aa1083830d5d9081e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C4UTX0F6\shared_global[1].js
| MD5 | f94199f679db999550a5771140bfad4b |
| SHA1 | 10e3647f07ef0b90e64e1863dd8e45976ba160c0 |
| SHA256 | 26c013d87a0650ece1f28cdc42d7995ad1a57e5681e30c4fd1c3010d995b7548 |
| SHA512 | 66aef2dda0d8b76b68fd4a90c0c8332d98fe6d23590954a20317b0129a39feb9cd3bd44e0c57e6b309227d912c6c07b399302a5e680615e05269769b7e750036 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C4UTX0F6\tooltip[1].js
| MD5 | 72938851e7c2ef7b63299eba0c6752cb |
| SHA1 | b75196bd3a6f9f4dfc1bbf5e43e96874bcd9ce4e |
| SHA256 | e2d4e0e1d3e162fdc815f16dfff9ae9b0a967949f0f3ae371f947d730a3f0661 |
| SHA512 | 2bb6c03a1335ef9514d0d172a4284d82a29d1783a72306bdcb8af3185d5cd2ff16303355aa4b05086d2fa0b5b7c7159cfa67de4a6175095ff0e68adec2a56ac1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8M86OWM\buttons[2].css
| MD5 | 84524a43a1d5ec8293a89bb6999e2f70 |
| SHA1 | ea924893c61b252ce6cdb36cdefae34475d4078c |
| SHA256 | 8163d25cb71da281079b36fcde6d9f6846ff1e9d70112bbe328cae5ffb05f2bc |
| SHA512 | 2bf17794d327b4a9bdbae446dd086354b6b98ac044a8ee0b85bd72c3ab22d93b43f3542df03d64f997d1df6fc6cac5c5e258c4ec82b998f3a40b50c2fde99b5a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8M86OWM\shared_global[2].css
| MD5 | eec4781215779cace6715b398d0e46c9 |
| SHA1 | b978d94a9efe76d90f17809ab648f378eb66197f |
| SHA256 | 64f61829703eca976c04cf194765a87c5a718e98597df2cb3eae9cf3150e572e |
| SHA512 | c1f8164eb3a250a8edf8b7cb3b8c30396861eff95bcc4ed9a0c92a9dcde8fd7cd3a91b8f4fd8968c4fdafd18b51d20541bcc07a0643e55c8f6b12ceb67d7805d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BHYOKO3G\pp_favicon_x[1].ico
| MD5 | e1528b5176081f0ed963ec8397bc8fd3 |
| SHA1 | ff60afd001e924511e9b6f12c57b6bf26821fc1e |
| SHA256 | 1690c4e20869c3763b7fc111e2f94035b0a7ee830311dd680ac91421daad3667 |
| SHA512 | acf71864e2844907752901eeeaf5c5648d9f6acf3b73a2fb91e580bee67a04ffe83bc2c984a9464732123bc43a3594007691653271ba94f95f7e1179f4146212 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
| MD5 | 55540a230bdab55187a841cfe1aa1545 |
| SHA1 | 363e4734f757bdeb89868efe94907774a327695e |
| SHA256 | d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb |
| SHA512 | c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
| MD5 | fc7d39150b24dca19b40065e68695874 |
| SHA1 | 7d055382469c12da68b82c09ed5a3a6fdf6e61cb |
| SHA256 | 2fd7dbd08abca3df679e95c956d6916aff9803c71166d4c720f8f4609e782e8b |
| SHA512 | a9151d5c1c203b240f49b0d3ee0b44f49d35d2a2c51b8097cb404b95a8e6cc3594a4ce3804006894e5efee97a258027ff502901e1bc9c2737163753018718bba |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\h00gt77\imagestore.dat
| MD5 | 25706dffc0d2a9503f1e61257c4f58af |
| SHA1 | 8b7fd75d0a46ebaa59a8f102b82191810e009ad8 |
| SHA256 | c67e048882b95f24312b7511d76101114343ad607bef910387d003a6af37c769 |
| SHA512 | 00fbdd3c988e1199e12cded5e44c5cadce83373d3f6518d55002b09a15781dc5c217e2ec73d3b6035ac6c51399e0f25312bbd6210a6ab45c852842b88dcf246d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C4UTX0F6\favicon[1].ico
| MD5 | 231913fdebabcbe65f4b0052372bde56 |
| SHA1 | 553909d080e4f210b64dc73292f3a111d5a0781f |
| SHA256 | 9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad |
| SHA512 | 7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BHYOKO3G\hLRJ1GG_y0J[1].ico
| MD5 | 8cddca427dae9b925e73432f8733e05a |
| SHA1 | 1999a6f624a25cfd938eef6492d34fdc4f55dedc |
| SHA256 | 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62 |
| SHA512 | 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C4UTX0F6\favicon[3].ico
| MD5 | f2a495d85735b9a0ac65deb19c129985 |
| SHA1 | f2e22853e5da3e1017d5e1e319eeefe4f622e8c8 |
| SHA256 | 8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d |
| SHA512 | 6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f2add4ce9c2f40e2004310968850f5dc |
| SHA1 | 20efad8aadae99057724bece97797bf7abc72fc8 |
| SHA256 | 135b094c17962d666531716c38e7ba1bb351a8154f6c14b4cfd40d4f498cc0ef |
| SHA512 | 91cbfb01dd8497329ff94565f44a31001f07dadf3c54d104e57b7fdbd0b4358e60efd38337d8151cbb5925e758779fa37613be6869c41ab382fe0f96a6501d60 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | abc33f1dace6f996b8f731d337658f94 |
| SHA1 | f97a5c71703060a9479fd3d5bf92f483d66d4a8f |
| SHA256 | 5b340762c05ade641b52fde8b79951f6073f5a6c30352a51b72c9fac021b722f |
| SHA512 | 2ef36363a3d8f65cf0fd2c15f31e7b91b97b38ea278d6f4c28319cd6cc979e1fdc1d44a66573b8fcc73b3b20fa18621dd479468fa20f65485d6229339d7d20b0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3TSDZ9K1\favicon[1].ico
| MD5 | f3418a443e7d841097c714d69ec4bcb8 |
| SHA1 | 49263695f6b0cdd72f45cf1b775e660fdc36c606 |
| SHA256 | 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770 |
| SHA512 | 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3TSDZ9K1\epic-favicon-96x96[1].png
| MD5 | c94a0e93b5daa0eec052b89000774086 |
| SHA1 | cb4acc8cfedd95353aa8defde0a82b100ab27f72 |
| SHA256 | 3f51f3fb508f0d0361b722345974969576daef2c7d3db8f97c4ca8e1ff1a1775 |
| SHA512 | f676705e63f89d76520637b788f3bac96d177d1be7f9762aeb8d5d1554afd7666cbd6ef22ce08f581eb59bd383dd1971896231264bc3eaabf21135c967930240 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7f0dc234ccb184a51de68ec2b932341c |
| SHA1 | 8192d09f6ed8719b09eba12c7ad41124d519d562 |
| SHA256 | 3a681f25149d3cffb03dc1ece23e3759b711dc58ec544b762106e083daa41f88 |
| SHA512 | a27a456c73f32d9aec585d54e4e2744f17a8e68c85309f6a02ca6eba6c4c38847c36cade45ef03d4951f5a93a0d07d68fa6db1fd397b1a9d1dcaa39c685721a3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8e6fd5f70462430ebf2e654cdcdb1d7a |
| SHA1 | 467f70a80f5b5e6c36efc0da4088f8836eaeeea1 |
| SHA256 | e505500de96b4d954415cceba699b707ae2b69e5e4c66e8379fedfb56ea39b75 |
| SHA512 | 2ecfc2a3173323e277c2cf6312131c5d964a3b53f519d3f535f4f3496c44a1fa57d5401cdcc6d88820154cc2d3b8a954ffd1b1a6c4ffa1de5a0ff40dd6e70384 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b1b31365825582eb8b8465c1cd5afe1 |
| SHA1 | cede133594265cccf091f3abae2ab65fec239121 |
| SHA256 | ac07010752902cb58cf75bd50de43fb8444f3813046bb1832db835da3e56993c |
| SHA512 | feabfd9486bc36b36e7d2faa919e46c00f7e4710177190e9d6d2fcd0e535604bcdd5d1e37bb2235ecb9ef5ab9549cea9d484b24b5f3e17add64f7a9ababeff09 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8b7d4d5cbf0c448d4d77d41c474829b4 |
| SHA1 | 6b7dba0655d6721d6d75b2bcc1d3af151ae5ab70 |
| SHA256 | 517b03d71ea66d4809a82f845052bf3b754af59816b657e4158f970193b568db |
| SHA512 | 3c3bc1734c69928471147c62bbb26360b126b36de33d7fc35c6b7f0886f9494203fdda282e3d8aa30e5caad70aca6332c33b4df80876fee2f0ef501c9ea68536 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 742a2bcad35c90e579a1efd58542025c |
| SHA1 | a776724543079ed559d9ab7f666c8672539a3b19 |
| SHA256 | bd1f6256ca11194fe82ddc33780215adcf8e4ffe5bd63b7b8ff8ea5ad9fb03a2 |
| SHA512 | 81e4bb0391376ec147b380659bab4d3cbad80a799f1d168894d0166583964ce3ab2847cb4642c14416fd391d401bac48f5fd06afc42dfd4da69b220709b0b2d9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d1b6a3687e20c6cf0205048e9c243d66 |
| SHA1 | cc3b39b27a253d66943db0f9ebd6a1ecca99d41e |
| SHA256 | e7544f0f1676b393c3bd647cfdd52245c53ca27a1a48c99390d103eb7f6f97ae |
| SHA512 | 75c8610a5f59e6bdbe5494f0475cd9ff743c5af17c31a7fa007e2fada1972492ea745c78caf92ac4d4103d655840993bb27f6bddf2b93486826a8b594fbbd5a7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 62d985be72be9f74ee8cde54b699f285 |
| SHA1 | 0b16b796464efa48337dee51880f7531b0c48002 |
| SHA256 | b6073ea04c9c96b5874a2e9d9abc903cd95f5c7c7f84baf036cb9fa8cb5fb123 |
| SHA512 | 3eccd9a957f10b8407a20ac20f94f1ce115bd0c574334685a944afb9fd4909ccbffcabf13d61a142a4ac43e9524234307a708e5ee5593657cf32c7498940e450 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 82010eb5aac967dba7bf3e87f2ffde59 |
| SHA1 | 8fb127177405955e2eff706735de9aee06fe7aa5 |
| SHA256 | 2fd0896200eb38e76902aa16f2604bbab64f7d46d1e09a27fb75e7f0200b09f5 |
| SHA512 | 7270296e91bf127ad93e03e0fd97e41e9eb8ac8686b81c8a7ab88aa17ca431b01dc62fa676fecfae225ab095a159e0c573e0e4abaf69384fb1daf3f07c24d32a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4fbf9e876384207b65f9a84e1fa5b049 |
| SHA1 | 73a1fd3f45f4d6a3feeead3b3cf0e0af594645f9 |
| SHA256 | 37e01b3325fb52145b0d479a6b113af7c3f0a3df556a313e567cd27c90f5b659 |
| SHA512 | 4dabd3e7660276e0983a4ec1ff1d26b4303e3fe4913d1a5a266e10723d84188871314f373bf7d1321df6811dd538343af2af4cc021f6c3b23b4086c9ff35fa65 |
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
memory/1924-5621-0x0000000000160000-0x000000000019C000-memory.dmp
memory/1924-5623-0x0000000074EB0000-0x000000007559E000-memory.dmp
memory/1924-5624-0x00000000020E0000-0x0000000002120000-memory.dmp
memory/1924-5633-0x0000000074EB0000-0x000000007559E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | c60aa157a3bf1f9dd49addad38be9d68 |
| SHA1 | 8055b2c563e24018af67a6c7752c7b0ed47ec252 |
| SHA256 | 2b6dc7c8c511ca80053beb596b112a89e64782b961ff816a476613d0f64a90b7 |
| SHA512 | dbd516d43e6f6428b3b9819c7f66c79f5057d4f1b707ab0d7f755ad14a4ed053db39748e7b19b273c08df620f2d56666168ea685ee8834adf738a011941313fc |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 0ec9b2b50543e691c1f1244ab7ebd3ee |
| SHA1 | d8b04b5912add5277deb2409cfb6700dfff151a5 |
| SHA256 | 03d1500521601b701219b49a964df6766074f6836a3676b9ad5f949d6ecb389f |
| SHA512 | 9b31a6fdd95f453ec69dff9403ec927147038554f0d6ab5f68d5eb33d3d213039c298515230b7af5e8b2d202b8856926d8708dbc1c24997ebd48f39d8c2eb20e |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 05:05
Reported
2023-12-11 05:10
Platform
win10-20231129-en
Max time kernel
300s
Max time network
209s
Command Line
Signatures
DcRat
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects DLL dropped by Raspberry Robin.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
PrivateLoader
RisePro
SmokeLoader
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5C17.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5C17.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5C17.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | N/A |
Executes dropped EXE
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9f8dd60c-bcf3-4a31-a2fd-cb4a9dbbed65\\94BC.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\94BC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3AF1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5C17.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5C17.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5C17.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C37E.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | "C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe" |
| C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe | "C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 496 |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3321.bat" " |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3583.bat" " |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Users\Admin\AppData\Local\Temp\5C17.exe | C:\Users\Admin\AppData\Local\Temp\5C17.exe |
| C:\Users\Admin\AppData\Local\Temp\94BC.exe | C:\Users\Admin\AppData\Local\Temp\94BC.exe |
| C:\Users\Admin\AppData\Local\Temp\94BC.exe | C:\Users\Admin\AppData\Local\Temp\94BC.exe |
| C:\Users\Admin\AppData\Local\Temp\94BC.exe | "C:\Users\Admin\AppData\Local\Temp\94BC.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\9f8dd60c-bcf3-4a31-a2fd-cb4a9dbbed65" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\94BC.exe | "C:\Users\Admin\AppData\Local\Temp\94BC.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe | "C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe" |
| C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe | "C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe" |
| C:\Users\Admin\AppData\Local\Temp\C37E.exe | C:\Users\Admin\AppData\Local\Temp\C37E.exe |
| C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe | "C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 756 |
| C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe | "C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Local\Temp\C37E.exe | C:\Users\Admin\AppData\Local\Temp\C37E.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum |
| \??\c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe |
| C:\Users\Admin\AppData\Local\Temp\3AF1.exe | C:\Users\Admin\AppData\Local\Temp\3AF1.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1668 |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe | C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe |
| C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe | C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\jrgcjib | C:\Users\Admin\AppData\Roaming\jrgcjib |
| C:\Users\Admin\AppData\Roaming\jrgcjib | C:\Users\Admin\AppData\Roaming\jrgcjib |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
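Added example (editor's code, not part of the sandbox report or of the sandbox vendor's tooling): a small rule set run over command lines of the kind listed in the Processes section above. The rules, their names and the ATT&CK technique IDs attached to them are the editor's own mapping; the sample input is a constructed subset of the command lines on this page. It flags scheduled tasks whose action lives under AppData, ProgramData or Temp or that fire every minute, icacls deny rules for the Everyone SID, marker values written under HKCU with reg.exe, batch files launched from Temp, and executables under AppData started with arguments, and it extracts task name to action pairs even where the report omits the schtasks binary name.

```python
"""Triage sandbox process command lines with a few persistence and
defence-evasion rules. Editor's example; rules and ATT&CK mapping are the
editor's own, the sample input is a constructed subset of this page."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the command lines listed on this page.
SAMPLE_COMMAND_LINES = [
    r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3321.bat" "',
    r'"C:\Users\Admin\AppData\Local\Temp\94BC.exe" --Admin IsNotAutoStart IsNotTask',
    r'icacls "C:\Users\Admin\AppData\Local\9f8dd60c-bcf3-4a31-a2fd-cb4a9dbbed65" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 496',
    r'C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum',
]

USER_WRITABLE = r'(?:\\AppData\\|\\ProgramData\\|\\Temp\\)'

# (rule name, compiled pattern, ATT&CK technique or None). The optional
# named group "target" captures the path or key the rule fired on.
RULES = [
    ("schtasks_user_writable_action",
     re.compile(r'/create\b.*?/tr\s+"(?P<target>[^"]*' + USER_WRITABLE + r'[^"]*)"', re.I),
     "T1053.005"),
    ("schtasks_every_minute",
     re.compile(r'/create\b.*?/sc\s+minute\s+/mo\s+1\b', re.I),
     "T1053.005"),
    ("icacls_deny_everyone",
     re.compile(r'\bicacls(?:\.exe)?\s+"(?P<target>[^"]+)"\s+/deny\s+\*S-1-1-0', re.I),
     "T1222.001"),
    ("reg_add_hkcu_marker",
     re.compile(r'\breg(?:\.exe)?\s+add\s+"(?P<target>(?:HKEY_CURRENT_USER|HKCU)\\Software\\[^"]+)"', re.I),
     "T1112"),
    ("cmd_runs_bat_from_temp",
     re.compile(r'\bcmd\.exe\s+/c\s+"+(?P<target>[^"]*\\Temp\\[^"]*\.bat)"', re.I),
     "T1059.003"),
    ("appdata_exe_with_args",
     re.compile(r'^"?(?P<target>[A-Z]:\\Users\\[^"\s]*\\AppData\\[^"\s]*\.exe)"?\s+\S', re.I),
     None),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: Optional[str]
    target: str
    command_line: str


def triage(command_lines):
    """Run every rule over every command line; one Finding per hit."""
    findings = []
    for cmd in command_lines:
        for name, pattern, technique in RULES:
            m = pattern.search(cmd)
            if m:
                target = m.groupdict().get("target") or m.group(0)
                findings.append(Finding(name, technique, target, cmd))
    return findings


def rule_counts(findings):
    return Counter(f.rule for f in findings)


def scheduled_task_actions(command_lines):
    """Map task name -> action for every schtasks /create, regardless of
    whether the report printed the schtasks binary name in front of it."""
    tn = re.compile(r'/tn\s+"([^"]+)"', re.I)
    tr = re.compile(r'/tr\s+"([^"]+)"', re.I)
    actions = {}
    for cmd in command_lines:
        if re.search(r'/create\b', cmd, re.I):
            name, action = tn.search(cmd), tr.search(cmd)
            if name and action:
                actions[name.group(1)] = action.group(1)
    return actions


if __name__ == "__main__":
    for f in triage(SAMPLE_COMMAND_LINES):
        print(f"{f.rule:32} {f.technique or '-':10} {f.target}")
    print(scheduled_task_actions(SAMPLE_COMMAND_LINES))
```

The WerFault and svchost lines produce no findings, which is the intended behaviour: crash reporting and service hosts appear in almost every detonation and only become interesting through their parent or their arguments, not through their presence.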
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 24.52.193.212.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | edarululoom.com | udp |
| US | 172.67.167.33:443 | edarululoom.com | tcp |
| US | 8.8.8.8:53 | 33.167.67.172.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| IR | 151.233.51.166:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | 166.51.233.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 38.47.221.193:34368 | | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.221.47.38.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| IR | 151.233.51.166:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| MX | 187.211.38.89:80 | zexeq.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| NL | 149.154.167.99:443 | | tcp |
| US | 185.196.8.238:80 | 185.196.8.238 | tcp |
| MX | 187.211.38.89:80 | zexeq.com | tcp |
| DE | 78.47.104.201:25565 | | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.8.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.104.47.78.in-addr.arpa | udp |
| DE | 144.76.136.153:443 | | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| BG | 91.92.243.247:80 | | tcp |
| DE | 78.47.104.201:25565 | | tcp |
| DE | 78.47.104.201:25565 | | tcp |
| DE | 78.47.104.201:25565 | 78.47.104.201 | tcp |
| RU | 109.107.182.45:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| RU | 80.85.241.193:58001 | | tcp |
| US | 8.8.8.8:53 | 193.241.85.80.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| RU | 212.193.52.24:80 | | tcp |
| RU | 212.193.52.24:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| RU | 212.193.52.24:80 | | tcp |
| RU | 212.193.52.24:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| RU | 212.193.52.24:80 | | tcp |
| N/A | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 34.117.59.81:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.190.177.148:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.190.177.148:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
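Added example (editor's code, not part of the sandbox report or of the sandbox vendor's tooling): a parser and triage pass for a Network table in the pipe-separated layout used above. It accepts both the well-formed rows and rows where the Domain cell is absent and the protocol has slid into its column, then separates DNS queries from connections and answers the questions an analyst asks first: which names were resolved, which connections went to a bare IP with no name, which destination ports are not 53, 80 or 443, and which PTR (in-addr.arpa) lookups refer to an IP that never appears as a connection. The table in the block is a constructed subset of this page's Network section; the port set treated as standard is the editor's choice.

```python
"""Normalise and triage a sandbox report's Network table. Editor's example;
the sample table is a constructed subset of this page's rows."""
import re
from dataclasses import dataclass
from typing import Optional

STANDARD_PORTS = {53, 80, 443}  # editor's choice of "unremarkable" ports
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)

# Constructed subset of this page's rows, misaligned rows included on purpose.
SAMPLE_NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 24.52.193.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| IR | 151.233.51.166:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| US | 38.47.221.193:34368 | tcp | |
| DE | 78.47.104.201:25565 | tcp | |
| DE | 78.47.104.201:25565 | 78.47.104.201 | tcp |
| N/A | 193.233.132.51:50500 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.16.110.114:80 | tcp |
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_network_rows(table):
    """Parse rows with or without a Domain cell; skip the header."""
    conns = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.split("|") if c.strip()]
        if len(cells) < 3 or cells[-1].lower() not in ("tcp", "udp"):
            continue  # header or unparseable row
        country, dest, proto = cells[0], cells[1], cells[-1].lower()
        domain = cells[2] if len(cells) == 4 else None
        ip, _, port = dest.rpartition(":")
        if domain == ip:
            domain = None  # the report repeats the IP when no name was seen
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def ptr_to_ip(name):
    """'24.52.193.212.in-addr.arpa' -> '212.193.52.24'; None if not a PTR name."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def _is_dns(c):
    return c.proto == "udp" and c.port == 53


def triage_network(conns):
    queries = [c for c in conns if _is_dns(c)]
    flows = [c for c in conns if not _is_dns(c)]
    contacted = {c.ip for c in flows}
    queried, orphan_ptr = set(), set()
    for q in queries:
        if q.domain is None:
            continue
        ip = ptr_to_ip(q.domain)
        if ip is None:
            queried.add(q.domain)
        elif ip not in contacted:
            orphan_ptr.add(q.domain)  # reverse lookup for an IP never contacted
    by_domain = {}
    for c in flows:
        if c.domain:
            by_domain.setdefault(c.domain, set()).add(f"{c.ip}:{c.port}")
    return {
        "queried_domains": sorted(queried),
        "ptr_without_connection": sorted(orphan_ptr),
        "raw_ip_endpoints": sorted({f"{c.ip}:{c.port}" for c in flows if c.domain is None}),
        "nonstandard_ports": sorted({c.port for c in flows if c.port not in STANDARD_PORTS}),
        "endpoints_by_domain": by_domain,
    }


if __name__ == "__main__":
    for key, value in triage_network(parse_network_rows(SAMPLE_NETWORK_TABLE)).items():
        print(f"{key}: {value}")
```

Two caveats when turning this output into indicators: a bare IP on a high port seen once in a sandbox is a lead, not a blocklist entry, until the owning process and the payload are known; and a PTR name without a matching connection can originate from the analysis host rather than the sample, so confirm it against process-level network events before acting on it.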
Files
memory/2400-1-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2400-5-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2400-4-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2424-3-0x0000000000920000-0x0000000000929000-memory.dmp
memory/2424-2-0x0000000000960000-0x0000000000A60000-memory.dmp
memory/3412-6-0x0000000000980000-0x0000000000996000-memory.dmp
memory/2400-10-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3321.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\5C17.exe
| MD5 | 1aacf4af0268404d746d8b72f4fe9403 |
| SHA1 | 9f8bb4c9e274fa9cf52692a2ac5c045cf0dcb1cc |
| SHA256 | 3b7695494d71d847a983f8041ac49c56253a1b04a6d29ad05700bef6320db27a |
| SHA512 | fadb9970bb19585af3ce0693256470f43cb3d4911ec073882ee078b2d77486043798ee5d0566a60286617efeb234e13ca99a3477408fb8abc0439af85e9c3e9d |
C:\Users\Admin\AppData\Local\Temp\5C17.exe
| MD5 | f174c4a57e1fcfb725dfd1e2ab2215b5 |
| SHA1 | 98039c700ba2b9577b324c18f022373463dadc80 |
| SHA256 | 3856b5b224b4f5a1a50661d8422237341ac47746784069db9c9c1e8c0128441b |
| SHA512 | 54179a341354433386d43edd1f389a6818f32eb2e8efae2dbcdf10a8299d1aee870ec9e4199ca2acae1425ba072b816d788f82cb8cd163f9fd582cb8481b23c4 |
memory/3652-28-0x0000000000190000-0x0000000000C5A000-memory.dmp
memory/3652-29-0x0000000074630000-0x0000000074700000-memory.dmp
memory/3652-30-0x0000000074630000-0x0000000074700000-memory.dmp
memory/3652-31-0x0000000074630000-0x0000000074700000-memory.dmp
memory/3652-33-0x0000000073EA0000-0x0000000074062000-memory.dmp
memory/3652-34-0x0000000073EA0000-0x0000000074062000-memory.dmp
memory/3652-35-0x0000000073EA0000-0x0000000074062000-memory.dmp
memory/3652-36-0x0000000073EA0000-0x0000000074062000-memory.dmp
memory/3652-37-0x00000000772D4000-0x00000000772D5000-memory.dmp
memory/3652-42-0x0000000000190000-0x0000000000C5A000-memory.dmp
memory/3652-43-0x00000000727C0000-0x0000000072EAE000-memory.dmp
memory/3652-41-0x0000000000190000-0x0000000000C5A000-memory.dmp
memory/3652-45-0x0000000007990000-0x0000000007A22000-memory.dmp
memory/3652-44-0x0000000007E90000-0x000000000838E000-memory.dmp
memory/3652-46-0x00000000052E0000-0x00000000052EA000-memory.dmp
memory/3652-49-0x0000000007A80000-0x0000000007A92000-memory.dmp
memory/3652-50-0x0000000007BE0000-0x0000000007C1E000-memory.dmp
memory/3652-51-0x0000000007B80000-0x0000000007BCB000-memory.dmp
memory/3652-48-0x0000000007CF0000-0x0000000007DFA000-memory.dmp
memory/3652-47-0x00000000089A0000-0x0000000008FA6000-memory.dmp
memory/3652-53-0x0000000074630000-0x0000000074700000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\94BC.exe
| MD5 | 313af54c41008ad4a3973b549e14dc74 |
| SHA1 | 15236c90b06348131922cd92f5c1a08c52956669 |
| SHA256 | 33556c51f0691023951cdb79f21714957fc5f5c0de9eabba002ea30418fb426c |
| SHA512 | 98bf6cae17707fb81e6408f486d64116e445b8ba9cb4c47dd4cce64ebab9d664b62aa5d3127505bfcc9ecbaad545c28b6659091e526a292dfca8b83c63ffccb4 |
C:\Users\Admin\AppData\Local\Temp\94BC.exe
| MD5 | f226399d07d7a6a558c17c61d2a72101 |
| SHA1 | e622a1bb0f82353222e2c7845a0deedd970e216e |
| SHA256 | efabb7f75b83873717cc2ab8e9916b5ba6d063c9dfb1c38a04762040b1fd3246 |
| SHA512 | 720fc30bc3ded73c3da990075bfe979165d44c8fa1aace081b9e4fc33ee8dde276a9f2ab9c5947d67a418801ea3bddf536560f97d2d3b667fb35c0f45c8dbee2 |
memory/3652-61-0x0000000074630000-0x0000000074700000-memory.dmp
memory/4748-68-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3652-67-0x0000000074630000-0x0000000074700000-memory.dmp
memory/4748-66-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3228-65-0x0000000002AA0000-0x0000000002BBB000-memory.dmp
memory/3228-64-0x00000000028B0000-0x000000000294E000-memory.dmp
memory/4748-63-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\94BC.exe
| MD5 | 420dc9ce87b8ab47f749a6875c4f54dd |
| SHA1 | 023dcbb108b83bc29db0ee81e30071070bc44534 |
| SHA256 | 48d825002c3c5ce39719347aa24e8c0c5048b657dea095584f0928e1e23e74c5 |
| SHA512 | 2957c55b192f5c30237118f7af53acc8938f372013a8256ccff53f706d69716b1c0c013384814576293e519279fb54d6882628ef2291e9f0c4ed3febadab3126 |
memory/4748-60-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3652-69-0x0000000008400000-0x0000000008466000-memory.dmp
memory/3652-76-0x0000000073EA0000-0x0000000074062000-memory.dmp
C:\Users\Admin\AppData\Local\9f8dd60c-bcf3-4a31-a2fd-cb4a9dbbed65\94BC.exe
| MD5 | c2c5a406603a5c6036185a65dba3a132 |
| SHA1 | 22e953437fc1d169e38eb7992d8079c9c53848ac |
| SHA256 | 2bf20230678e6f2c9c121f14f940c24a57a24d11a2db813bae860fd087b8da90 |
| SHA512 | 94ebd4706acfce6bc86dbbac4fed7e821adb133eb7e42c423b4553467168f393a860faa9b39b33cf8507cc52b11baf2ffd99c6e940c3c9384df436363013564f |
memory/4748-80-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\94BC.exe
| MD5 | 5e8b49d7626e3a3217747afe4645fccf |
| SHA1 | fd8e7a81723c19c9332036e21d604fb59d3d6415 |
| SHA256 | 656bc622d36649b3e1ef92fd25493e63330b7b44e25276282677494ccab877b1 |
| SHA512 | f2d02c62ea8f8cca56e771e98da4a491bdc217d60ba06164e7a1d388b246418bfb7a4fd26bbbb35a88456903aae68d9b96cc7912bbc834c6b5218a26319bc339 |
memory/3872-88-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3872-89-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3872-87-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2436-86-0x0000000000DD0000-0x0000000000E6F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\94BC.exe
| MD5 | 4e75a67343b5b14998751bd04ee4355a |
| SHA1 | 5309d0d3c7d70b827af7e6b6f0899d98a83ab0c9 |
| SHA256 | c77cb148b46f5a4c6a57997388bfa41a13a8604cc22d67e89fc9ab751807a499 |
| SHA512 | 4d3b9974c43dc96169a6765e75b63bbf298b5af9daeafe11f6b55c8754dcd9330c1a79e8b0337db3321b33d0151c86b9853fa5675b4db13338118ff114f29370 |
memory/3652-84-0x0000000073EA0000-0x0000000074062000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | c26e75ca11f2d14072f0245aec488cdb |
| SHA1 | 34c32292e20bf9d1b1aeee564761340e2928a71b |
| SHA256 | 35d3a71d2e8b899eef448aee212f2e867a7ab98743e68782f8fbba74496af8db |
| SHA512 | cc07d181cf159cf0c8086ddab762d52675e3f146095270b1263ea3e34a211cca59cb4bb8529b20daf4de74e02054dec660590274909cb9d95fbd3f20afd55f89 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 41047f6f2ab6f31e3d0d6458a6251741 |
| SHA1 | 924bedb650e0d64e79d0dab7db148b3daffd31c7 |
| SHA256 | 029973dd7e5c10e41d6dd31b8e58806dd8b23ac15bd7dae7270382ddef32efca |
| SHA512 | 6506fdbcd72c2638813c64ab82e2a774a2cfb91040c95f0dc9f514fc5384dce67ecb9258dd65a5f2f290c53e6dada10e317b81df58b5cbbe466e2fb59c6b40b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | ff0cff529dfb80aedbeb0e6e26a6f5ab |
| SHA1 | 3fd7f47f214a4e6de0315f6c06e7c1ff696e9ebd |
| SHA256 | 265f93740f69eeb9014ad9de9c44a418d7adfa40cfb120df4a047ede7bb5e3f6 |
| SHA512 | ab43b1bad3f790b100a37bbb8a1bdf75f1693f7f41eaaa554cbcadf3f5c345a8cb20b94aef27024e09e958664ea9f212d4343ed9413ec63eb17d9c3d0e6b8762 |
memory/3872-95-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3872-94-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3872-102-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3872-103-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3872-100-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3652-104-0x00000000727C0000-0x0000000072EAE000-memory.dmp
C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe
| MD5 | a5c4e549878160e6e7fb629418e4b28f |
| SHA1 | 0d036c36c7ebb1a7a569dba795674782510812b8 |
| SHA256 | 4894bdf8e2f5c3a650ed5951b5b19aeb58073e55f487e066ff2447d609c71dad |
| SHA512 | 73435785464223c38df9963b50a7117bc7e7e2eb8678beb83ef42fa1e31e3b9090bfb5f57f6ea50d2a36d155648fd2eadad3be8610f80e429611b775593c8045 |
C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe
| MD5 | 86db60cf49c374f837a0e3e25afae594 |
| SHA1 | 601bb732f3a9928c6574e6d7de9d3a6764b33623 |
| SHA256 | 675db78ee4cbc392ea8057c4d17904eb07c56e4ad5d556d41ec38ba4500fe997 |
| SHA512 | fe38c759bc940ae9383be19d24cf19649b89b32f761f4a7589bafb1d687b7d6fd43106e3971bfe043fc6d252faca489af10b30d5df70499ce78d5df325cd4a2c |
memory/2808-119-0x0000000002B40000-0x0000000002B71000-memory.dmp
memory/2808-118-0x0000000002BE0000-0x0000000002CE0000-memory.dmp
memory/4520-117-0x0000000000400000-0x0000000000644000-memory.dmp
memory/4520-113-0x0000000000400000-0x0000000000644000-memory.dmp
memory/3872-120-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe
| MD5 | f53bc27c87992a92eabed19318a9eb3a |
| SHA1 | 8a240f5eea02a0b5f2d178cc6fcb50aab027050a |
| SHA256 | d2d02e74390859f336e6bc2b8219f102f94e3e658cc7a9c74482faab1936aed7 |
| SHA512 | aad0c9f2ff5740033e21a0092dc1d18a75bb8a4c8220631e4398e53a1d0cb2afb9cacda373bd3405943c3ae73e7cc84b0af7d342f1192018663a84a6d69389f9 |
memory/1900-135-0x00000227F17D0000-0x00000227F190A000-memory.dmp
memory/1900-136-0x00000227F3E10000-0x00000227F3F40000-memory.dmp
memory/1900-137-0x00007FF993550000-0x00007FF993F3C000-memory.dmp
memory/1900-149-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-161-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-167-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-173-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-171-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-169-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-165-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-163-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe
| MD5 | f4df8be1393fbed9ff94fbde46702a4a |
| SHA1 | 948a9ce3f85d56822a6982b34693a23330ef5167 |
| SHA256 | 386d114b164a3db9b05c5fb1aee4e451d8a26f751965ba05d3f04b4fc326f560 |
| SHA512 | 3862bc7c46d0aa30c20fbf1f21b51a38861c689b1c6ee5e0ccd99c14368e0b021d254344305c8a736c8f978d3d7edbb8de63775f9f12250cba8f974af44ca8d1 |
C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe
| MD5 | 93a0aef35fa8fae9ce708e35829276df |
| SHA1 | 64502bf1036740a0a1d69edcc2c1189daad457f5 |
| SHA256 | 1479452c519623a04c6ba4adda56f9b6696f1f7c55b890556b2b79f2175187ff |
| SHA512 | a990e8c76bdedbe0c10cd1308814380255decdc8bd3362759e2fac29812fc4824fee5a6d08c9d916e377ac1d8d01e75f3864e4e2dd9ff41a0960ea4a6579d070 |
memory/1900-159-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-157-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-155-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-153-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-151-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-147-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-145-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-143-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-141-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-139-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
memory/1900-138-0x00000227F3E10000-0x00000227F3F3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C37E.exe
| MD5 | 58186315d38d614223981871311f29ff |
| SHA1 | 1dc07f6b38787598acfc5276f46753712ac9b3e6 |
| SHA256 | 15a85ad886d9fdb74f93ca580fc2f4910483f8e92cfd8fb52f1292ca16ae7660 |
| SHA512 | 1092ee3c6ec27272cab2a415e3f946bdeb1791b38f8ceefde42b18833c39bf66a6022243799312d6dd65c11ed045883f1b3ea248803d98b85ed930525170e528 |
C:\Users\Admin\AppData\Local\Temp\C37E.exe
| MD5 | 53b21bc0f597dc5d76f520dd0909d696 |
| SHA1 | b78b4eeafe67e9ff9735865242bb1831cdcfe88a |
| SHA256 | b20bca5b527debe685e5e8e06839d7ec9c8f666de1f2f16f06416b3f36ac0aba |
| SHA512 | f133590fb3759f463f50ff80dba8839af206abfc9e4d79e0c7e1a40a0281d3b98a305d029cb70e215c87c95b211cd114a15bc7a0afced92b3096b6803d2868c4 |
memory/2436-728-0x0000000000DD0000-0x0000000000E6F000-memory.dmp
memory/1432-995-0x0000000000B40000-0x0000000000C40000-memory.dmp
C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe
| MD5 | 70b29b8a01f49bd47b92155cb827bcdc |
| SHA1 | 9ee60f264d4aa62b923b6920d39fd7965465fce7 |
| SHA256 | 7a0fdbacbf237a2473086abdbcdfaab4441250e87fdff24b28f66716845a0f88 |
| SHA512 | a0ad17f14e25871a54ba3562852837c2f0b8c2a9b82ed9d3bfacd139399c8ed3422ba44f3cfbf4a92ded66381bd04e8bfb83a3991a525f70910b0272a0b8e3fe |
memory/1432-998-0x0000000000A30000-0x0000000000A34000-memory.dmp
memory/316-1009-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 6d9f4883c37ad53b3155afa92c17b867 |
| SHA1 | 2fc91ae0362d76d592eac109a34f6c9a3c98ba85 |
| SHA256 | fdcfda7af32fe21f60d5bee304640be0f56779d2aa3647ff61c708b7d1ab1fcf |
| SHA512 | b908add2fa25d592f7ed16ebe4e8775b80da9bad2d3989fc2bfd0a0c219b977814b8dbe159e1c9ecad0e5f391d5c18430524ca651efa4a50923d82a791d42d57 |
memory/3872-993-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1900-1094-0x00000227F1C90000-0x00000227F1C91000-memory.dmp
memory/1900-1093-0x00000227F3620000-0x00000227F3630000-memory.dmp
memory/1900-1096-0x00000227F3F40000-0x00000227F3F8C000-memory.dmp
memory/1900-1095-0x00000227F3530000-0x00000227F35FA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\C37E.exe.log
| MD5 | 90cf4018738ff8c556ccdce93ead514f |
| SHA1 | 999620440d3dc26c1303df234e66a4be8993d56e |
| SHA256 | 8fdbdc5ded1c2fb7a88dcf94e93540b6a642a92d87f301e0419405fc75295e3e |
| SHA512 | 18c594ecb98677b4b462196018b4deffa8b82db030fedc49c4234eac8c7e885618856386d157b5e955d9612208dd4fccbb2e0b03496ab2bf3b0e148f09454407 |
memory/4520-1105-0x0000000000400000-0x0000000000644000-memory.dmp
memory/1992-1106-0x000001F53E520000-0x000001F53E530000-memory.dmp
memory/1992-1104-0x000001F53E400000-0x000001F53E4E4000-memory.dmp
memory/1992-1103-0x00007FF993550000-0x00007FF993F3C000-memory.dmp
memory/1900-1102-0x00007FF993550000-0x00007FF993F3C000-memory.dmp
memory/1992-1101-0x0000000000400000-0x00000000004AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C37E.exe
| MD5 | 4d644d0e5eba50ab6fa87c0b1e7f4a26 |
| SHA1 | 54bcffbb5d9e497939c121cd8dce98861aa9aaca |
| SHA256 | e2ffdb89108ffd6a8677cfc3015ce08227991a6614f408e3cac8caf55e9d68b6 |
| SHA512 | 411d8876ff7c3bfc5d06d31a4a340f1a13da2904e39de2d48bf4ffaa39ca552f5528f64bd94616970f23ec5f9baf1b7b02ec63500311bdacc21e6ea93b2fc2f4 |
memory/1992-3308-0x000001F525CD0000-0x000001F525D26000-memory.dmp
memory/1992-3307-0x000001F524310000-0x000001F524318000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3AF1.exe
| MD5 | dba18992c732affe91f3f681588e8f9c |
| SHA1 | f1dbda89df81104ad95c5ae68ffd0ddec0e17b1e |
| SHA256 | a631caa8f292220cffb26a851e157acafd0119a8077ba52cae40fc543b2b1762 |
| SHA512 | ae753b7af8fd001305af5fe7aba797539f3db3b5fd38c285b9579bd2b957c0c31992d309896a25fd28e836bcbeabb082f716ce753ad76503cfd8611991e6e103 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe
| MD5 | f1e53ad686718f0befc9f47c2accb098 |
| SHA1 | bb6edc9beded6397af3a55dabc9e1b2ecb244249 |
| SHA256 | f6f2a9bb88e770796a981bb4d5f5ff0418374573ddc8aa651d9f05f8dbe6fbc9 |
| SHA512 | 0e6d5178c33aa17418c98503caa0038c3012762a02d4818b836680932942ca940059899b9159f15863502a33bae6ff77f8b302fdd868e8ddba51cc9d9a3628ff |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe
| MD5 | b47ba4045c861cc5243d211e307c2c80 |
| SHA1 | b3c128c987a3dae00853cdd0a60c5cb6100c3749 |
| SHA256 | 6f8f983067af9f8d18ac2a400b6fc12929b2cf38a1bafe8102f8ff64b68fa10b |
| SHA512 | 3f8812b50ec9dc6dd95ede24cd1122f0e1c91c2c53a05496bdd9225ce282d69e1845d2645974b8318441ada9f7609dcca3cfdc954fa58499f29a46936f5f03f0 |
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
| MD5 | f9234d0c710838b04bb74b8628b62632 |
| SHA1 | 72f00555e8a59ef4cc98b45c5f71016150390648 |
| SHA256 | 286ecf9b56aa3edeb98f1798d18568cbbb96053fa9bd7750a3c1aa8923dbc794 |
| SHA512 | 47e68e85be33d25137f4305c67a8a43675cb53a770b1823197fbd0f7742521451a965d634db361e277aeea2b80868f06a81c666e9bfcb3232abb88da59a9abd1 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe
| MD5 | a390bdea494f2cdd8da3ef4cd47b650a |
| SHA1 | c66f0a604c5fab9a536a42ee8e49d23e49f8ec5a |
| SHA256 | eddf9c4b86546c92e99bdff5aa8530072527dc3bbbdcf2b9ab8f18c1dc0b9af0 |
| SHA512 | 9dd09ace85528e18f3b753ae8d9167123a177048fa382c03045e056584a4114d5514c81f7c22fa008b8c79fedf2f5b50de91bdb0e919c56c9143248d64c5f944 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe
| MD5 | 18e9ebf6dcb63f89de68341fb5039ec2 |
| SHA1 | c05af5a02e4bc7203faccccbfd627eafa3cad4b5 |
| SHA256 | c3d7865023bda70833d890efff480359228f36bce49973ffeae2c9a94f71d79b |
| SHA512 | 7288cc6772f40449cdffb6423c59008fc31acff2dd345aaf800386370222fabb1a24fb0b6341f318023d42d539b82b6281fd84a283dfb7f3a8ac08f56d1602fa |
C:\Users\Admin\AppData\Local\Temp\3AF1.exe
| MD5 | 2cb9d37643d0ff6316fe2228d8f4ca7d |
| SHA1 | 0d16614b64c7c87eb37c6e18e681a62aa74f84d6 |
| SHA256 | 8a7d028a90549c7673f8b3f4b588d16ee1d0b0d7fc2d598d6fbabddc85f63682 |
| SHA512 | 4ab276153d27f5f2bac9b7ce8062a93fc5bdcacb57706ffb96d92ceb76c31deae3c03027db6991ee50edce5ef90a2cf5c1c1c27ec8129c481ba7ca3766a6859d |
memory/1992-3340-0x000001F53E980000-0x000001F53E9D4000-memory.dmp
memory/1992-3342-0x00007FF993550000-0x00007FF993F3C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\grandUIA66PvNnm8Td6tn\information.txt
| MD5 | d2bb52106c8b54c0f49937def8ab6de5 |
| SHA1 | a56df699ba85d14869e6bd6f4fa344b3b9012459 |
| SHA256 | d19c7f34bd47ad3483e32373cc35e466b99f5c3362d93385786aa80f5ac0f146 |
| SHA512 | 7bcdea950ce281987eff956b1ac2cbce3616ec17f099a40af6f7a042b1abb8bc57e5fd2183bf475ece44c34670fd35fdff3a806cffe3215bccc45f0dfcb54896 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | cf2ee397d4dcbcec5e2ed55a7ecb7b88 |
| SHA1 | b4f41afa4f34e33ba8d7dc8a6de630945e1bdd34 |
| SHA256 | 800e0589fd78f7fcc2c3f5eaa84eb601f1996520da2246ea6dd41c091be1435e |
| SHA512 | c9c8b3d98092422b1e0c29f64d0fa32c7e6a4899ed49b58c5bfcec7a5f25df4abbcaa17dfba718fb21e4849ca85372e33c644a9c8be193e5d330b0819fa3b25b |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 2783c4210e8e39b8b01c5333c9cb0397 |
| SHA1 | 121f68a26bd6c9c57e0948332dd4e05be9ee7353 |
| SHA256 | 789f4d48c8e026eb4f23b35223d4381bcb3165fab484cea24c2a957d1b3cb7b9 |
| SHA512 | f193096e8181f09cfce8a79c2d4415ac78cf11e6d49cb9d810be944f9692c152e13855ff1317497f4366b962b4e01ebd4436e746472b3d897a0da467818d0060 |
memory/3652-3404-0x0000000008950000-0x00000000089A0000-memory.dmp
memory/3652-3405-0x000000000A030000-0x000000000A1F2000-memory.dmp
memory/3652-3406-0x000000000A730000-0x000000000AC5C000-memory.dmp
memory/2836-3412-0x0000000000ACA000-0x0000000000ADA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 43b71aa109b8f936233908bdfff05596 |
| SHA1 | 797c9dc3f76b01767017f57e4d13495f79452c8a |
| SHA256 | cd28d2ac1f068c931f19e967598b7b63840cf92cf1e46922176ed0cf9c3abaa1 |
| SHA512 | 22ab0f2e86822b91ba362dbf0c421bd4993e96f055a8fe23592962a490be0f345b75a6ed9fa05705a9f59ebb693ca281cc4ab5b284966d749f5a566190dec007 |
C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe
| MD5 | cda530b8188e9c42c6202ddff7a727fe |
| SHA1 | b3309c547d92b03c183ba0b34fc85e2cfa476164 |
| SHA256 | 5cf4d9ef87793585f3d435eefa6ea65cf1f89290470ef098b59c4084a2681ea9 |
| SHA512 | c39f888e01d2e80c49c54599dab684ce56f6132a1bede0e5d4845e931858810e9db998e5e9b84e173aa5d95e002822374ab879abb26f182f1f02da1a1c464fd4 |
C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe
| MD5 | 387eccc1e33a7e4d70f8fe35e08907a9 |
| SHA1 | 143e9e86e09eba3a15caffa460c18a53d5baf830 |
| SHA256 | 0cbb932e531550e1588baad6562ea2e86e4f5572c6af391d98440413be9d1407 |
| SHA512 | 2dc3f1095dc080cac842f589b3e073c502569c7859f29b20eb49010ab65bb12a4dfa0d5027985e096c985d16a28eecc0062846aed225b2b80978835723205ddd |
C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe
| MD5 | c7962a8e90613a3dcf6cd153c5b08f9f |
| SHA1 | 43ea1d613345cee380a78843fc84d40db62823aa |
| SHA256 | 443f47bfd11027fbb22461f9e7485b56256fddd2c5455ad980b295f353362d07 |
| SHA512 | b6e5fa02361f07e79e86193f33f6a01dca2e6dc319e5f29026ba64a74fae932712c14c9d6d90770407b02092574707145b35b5dc3c3b732a3dbae53a68ad01c3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | ec8f49bdea3d0d383777b0d7fdea26d3 |
| SHA1 | c88d58ec2c26bc914189c4b753e70b781ac4c5a9 |
| SHA256 | da1fc82c78e3b58aab9b9349e50ddcbdcfddedf696cd873128ce392d48248058 |
| SHA512 | 8977a48305fd98200a2f00bea3c642ddd24af7106794a70e34b64ea7a4fa4ad714bc0bd2294519db5fa5b0439319442fb360cc4254efd88191e5a75c72376614 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 3c67c8f1e153f77f96303589fdfc1756 |
| SHA1 | 7247ff3d070a24e1b0ec4fd7fc6f3b324344729d |
| SHA256 | 2799135b83495f3771e1aeadbbad4fa8186868059c166a4e439abf9235b6d26e |
| SHA512 | a8a4aa77aa805b331e96c7a257149a34098d4729e4b1a8933d499568315a07cd11f88f8a92be67f6762eea357d9fa850f666f6dc8170d1f249d689ff8534f638 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Roaming\jrgcjib
| MD5 | 11b1cc83dc32d2b8764c543b8619e7a9 |
| SHA1 | 04842c872a2baee46e2108c01ed49de99fe36d50 |
| SHA256 | 8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58 |
| SHA512 | f6bffaa6e6fd85fcf38ecd6a8482963af09b4a7d3101e49cc7c4cfd80ec1622acb6984c909abb98f5359b1b9d6de1cbc135ad4f27b5b138ce2b02c9678ebcc0d |
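Added example (editor's code, not part of the sandbox report or of the sandbox vendor's tooling): a hash pivot over a Files section in the layout used above, where each path line is followed by its hash rows and memory dumps appear as bare memory/ lines. It rejects hash rows whose length does not match the algorithm, then answers three triage questions: which paths were written more than once with different content (the same path listed with several hashes, as 94BC.exe is above), which dropped files are byte-identical to the submitted sample (the jrgcjib copy above carries the sample's own SHA256), and which file names appear in more than one directory. The input is a constructed subset of this page's Files section; one MD5 row in it is deliberately truncated to exercise the validation and does not reflect the page.

```python
"""Pivot over a sandbox report's Files section by hash. Editor's example;
the sample input is a constructed subset of this page, with one MD5 row
truncated on purpose to show the length check."""
import re
from dataclasses import dataclass, field

# SHA256 of the submitted sample, from the report header.
ROOT_SHA256 = "8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58"

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")

# Constructed subset of this page's Files section. The 8-character MD5 row
# under the GUID-folder copy of 94BC.exe is truncated here on purpose.
SAMPLE_FILES_SECTION = r"""
memory/2400-1-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\94BC.exe
| MD5 | 313af54c41008ad4a3973b549e14dc74 |
| SHA256 | 33556c51f0691023951cdb79f21714957fc5f5c0de9eabba002ea30418fb426c |
C:\Users\Admin\AppData\Local\Temp\94BC.exe
| MD5 | f226399d07d7a6a558c17c61d2a72101 |
| SHA256 | efabb7f75b83873717cc2ab8e9916b5ba6d063c9dfb1c38a04762040b1fd3246 |
C:\Users\Admin\AppData\Local\9f8dd60c-bcf3-4a31-a2fd-cb4a9dbbed65\94BC.exe
| MD5 | c2c5a406 |
| SHA256 | 2bf20230678e6f2c9c121f14f940c24a57a24d11a2db813bae860fd087b8da90 |
C:\Users\Admin\AppData\Roaming\jrgcjib
| MD5 | 11b1cc83dc32d2b8764c543b8619e7a9 |
| SHA256 | 8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58 |
"""


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex
    rejected: list = field(default_factory=list)  # hash rows with a bad length


def parse_file_records(text):
    """Return (file records, memory dump names) from the Files layout."""
    records, memory_dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                continue  # hash row with no preceding path
            alg, value = m.group(1).upper(), m.group(2).lower()
            if len(value) == HASH_LEN[alg]:
                current.hashes[alg] = value
            else:
                current.rejected.append(line)
            continue
        if line.startswith("memory/"):
            memory_dumps.append(line)
            current = None
            continue
        current = FileRecord(line)
        records.append(current)
    return records, memory_dumps


def rewritten_paths(records):
    """Paths that appear with more than one distinct SHA256."""
    seen = {}
    for r in records:
        if "SHA256" in r.hashes:
            seen.setdefault(r.path, set()).add(r.hashes["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def copies_of(records, sha256):
    """Paths whose content is byte-identical to the given SHA256."""
    return sorted({r.path for r in records if r.hashes.get("SHA256") == sha256.lower()})


def same_name_in_multiple_dirs(records):
    by_name = {}
    for r in records:
        directory, _, name = r.path.rpartition("\\")
        by_name.setdefault(name, set()).add(directory)
    return {n: sorted(d) for n, d in by_name.items() if len(d) > 1}


if __name__ == "__main__":
    recs, dumps = parse_file_records(SAMPLE_FILES_SECTION)
    print(f"{len(recs)} file records, {len(dumps)} memory dumps")
    print("rewritten:", rewritten_paths(recs))
    print("copies of sample:", copies_of(recs, ROOT_SHA256))
    print("same name, several dirs:", same_name_in_multiple_dirs(recs))
```

A path listed several times with different hashes means the file was written in stages or replaced during the run; blocklisting only the last hash misses the intermediate ones, so take every distinct SHA256 for that path. A dropped file whose SHA256 equals the submitted sample is a self-copy, and its location is the persistence path to look for on other hosts.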