Malware Analysis Report

2025-03-15 05:13

Sample ID 231211-fqzg1adgck
Target 8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58
SHA256 8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58
Tags
djvu privateloader redline risepro smokeloader zgrat livetraffic up3 backdoor discovery infostealer loader ransomware rat stealer themida trojan dcrat collection evasion persistence spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58

Threat Level: Known bad

The file 8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58 was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Djvu Ransomware

ZGRat

RedLine

Detected Djvu ransomware

RisePro

Detect ZGRat V1

Detects DLL dropped by Raspberry Robin.

DcRat

PrivateLoader

SmokeLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Drops startup file

Deletes itself

Modifies file permissions

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Executes dropped EXE

Checks BIOS information in registry

Themida packer

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks whether UAC is enabled

Accesses Microsoft Outlook profiles

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

AutoIT Executable

Enumerates physical storage devices

Unsigned PE

Program crash

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

outlook_win_path

outlook_office_path

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Checks processor information in registry

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 05:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 05:05

Reported

2023-12-11 05:10

Platform

win7-20231130-en

Max time kernel

30s

Max time network

199s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe
PID 1388 wrote to memory of 2908 N/A N/A C:\Windows\system32\conhost.exe
PID 2908 wrote to memory of 2760 N/A C:\Windows\system32\conhost.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe

"C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe"

C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe

"C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe"

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7A4E.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\81ED.bat" "

C:\Users\Admin\AppData\Local\Temp\D167.exe

C:\Users\Admin\AppData\Local\Temp\D167.exe

C:\Users\Admin\AppData\Local\Temp\16D.exe

C:\Users\Admin\AppData\Local\Temp\16D.exe

C:\Users\Admin\AppData\Local\Temp\16D.exe

C:\Users\Admin\AppData\Local\Temp\16D.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\04b9cc7f-43de-45ae-ba56-1af5527a9bf3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\16D.exe

"C:\Users\Admin\AppData\Local\Temp\16D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\16D.exe

"C:\Users\Admin\AppData\Local\Temp\16D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2EE3.exe

C:\Users\Admin\AppData\Local\Temp\2EE3.exe

C:\Users\Admin\AppData\Local\Temp\2EE3.exe

C:\Users\Admin\AppData\Local\Temp\2EE3.exe

C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build2.exe

"C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build2.exe"

C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build2.exe

"C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1452

C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build3.exe

"C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build3.exe"

C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build3.exe

"C:\Users\Admin\AppData\Local\ef9e9c5f-7988-4520-95e5-f0da5e1b9fe1\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "412955830-2106039015104744157427168583-1255834076-1158100537-1479764714311912355"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe

C:\Users\Admin\AppData\Local\Temp\A1F0.exe

C:\Users\Admin\AppData\Local\Temp\A1F0.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xp358sR.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xp358sR.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://store.steampowered.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1844 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/signin

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.epicgames.com/id/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/openid/loginform

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://twitter.com/i/flow/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6WE2wQ6.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6WE2wQ6.exe

C:\Users\Admin\AppData\Local\Temp\11E2.exe

C:\Users\Admin\AppData\Local\Temp\11E2.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {B7F80C6A-1BBE-4F11-8565-BBD8353B540D} S-1-5-21-2058106572-1146578376-825901627-1000:LPKQNNGV\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\BA52.exe

C:\Users\Admin\AppData\Local\Temp\BA52.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\C135.exe

C:\Users\Admin\AppData\Local\Temp\C135.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\is-T4OF5.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-T4OF5.tmp\tuc3.tmp" /SL5="$106B6,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\FDAA.exe

C:\Users\Admin\AppData\Local\Temp\FDAA.exe

C:\Users\Admin\AppData\Local\Temp\11C7.exe

C:\Users\Admin\AppData\Local\Temp\11C7.exe

Network


Files


memory/1616-3487-0x00000000000C0000-0x00000000000CB000-memory.dmp

memory/2872-3489-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2872-3490-0x0000000000020000-0x000000000002B000-memory.dmp

memory/2296-3491-0x0000000000400000-0x0000000000644000-memory.dmp

memory/1616-3488-0x00000000000C0000-0x00000000000CB000-memory.dmp

memory/2872-3495-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6WE2wQ6.exe

MD5 7ddece70d6d53f59544edb561ba5d22c
SHA1 ba437530e64080a14152fac6225adc51431d6353
SHA256 3305c21e9e05411c80c0e898e308cd4d3fc778bb3511a64a0d8c171c098d8b5f
SHA512 c91bb61c7253e7a776aa247bdc000bf1f107f6a265a73eee037148278187cadbd08cd110ed53a56a784ddfa7c1014be132192f8e59519f1ad1593cf02b4131e7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6WE2wQ6.exe

MD5 ab62cc145ebc50dad7cc1dddd339fe4d
SHA1 a929a6a4d1a820facb19df5d24ba48f8fcaef51b
SHA256 16b7dab79ce1991b8609c5e7543d974e1b13034ebf13d9a246e86b678d79bdc7
SHA512 334cf8ffcf55652e3da59613c9949be040573ed0ffab17de6ad89f742e46288ec39e47821632c8e5e745043fb4c33d312d50adce32b22569b6408041431e96c3

\Users\Admin\AppData\Local\Temp\IXP000.TMP\6WE2wQ6.exe

MD5 b47fc6a06830ad32c7433aeaae2ce607
SHA1 1ad2ec89b8416fbc2232911b24f361a8b1882a7a
SHA256 1866357aa85e80ac03a3fcda3627518bc49937f322e7f283c2a81069efd4b12e
SHA512 2ebcc347ab493cb1093a8fe77be0ef8099510fff179a16da6e7ae47980c0d340ad46e46b359e6e3c2329533540b56920221f916078fcf9fcdef55cd0079812fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e2f64856064bdf102282275293790b07
SHA1 4b5751f6fe1ee17deaa491d4479a134e56d0bc35
SHA256 f3c40efbeb68fb38b0e59a114df3eabb174bc93ea8ce55a6c04e94de7dac7f97
SHA512 12f98312c9cc28a1b82f7f9f6e575e25953cd09e2d620ea2b94fb02eb392f22714e05313af65e599396612f6c8546486259f3899648eb81736bc5fe1d7ad1705

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 f0574bb0afdf68a173736236c2b11351
SHA1 05971b19359e8e36f9b242cd58dcb296074b1530
SHA256 a3e7b331b29b5d0642a513eadaec37fc1f819d088e9b0cae8e9cbfd054b6c83e
SHA512 c4c9d96ca2edc62b24cb5ad72149459c4e68d8bd56d021b4df8f38b7b52d6e6b512a8d4318679e7b86b2e785713ab3c91b8791c710aa726feae89e4b72fbe24d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 c2f69a991d8bb9b5f52b8eb5644dce12
SHA1 aa0ae8e0e5cf68a1c302a673a1ef1efe3a464470
SHA256 099d29e2b9f992e61c31ce334105c30744145160b2e3dcddd54ab01127d9d390
SHA512 046f14856cd41db510b8b4739390e39d2620da5d04a8f0cf20c394c3f96c95654a19d1f370eb4f80cf06ef2f01d30aaaddf6fa69cda16d0ffd4d4143b5c1c822

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8M86OWM\shared_responsive[1].css

MD5 086f049ba7be3b3ab7551f792e4cbce1
SHA1 292c885b0515d7f2f96615284a7c1a4b8a48294a
SHA256 b38fc1074ef68863c2841111b9e20d98ea0305c1e39308dc7ad3a6f3fd39117a
SHA512 645f23b5598d0c38286c2a68268cb0bc60db9f6de7620297f94ba14afe218d18359d124ebb1518d31cd8960baed7870af8fd6960902b1c9496d945247fbb2d78

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8M86OWM\shared_responsive_adapter[2].js

MD5 a52bc800ab6e9df5a05a5153eea29ffb
SHA1 8661643fcbc7498dd7317d100ec62d1c1c6886ff
SHA256 57cfaf9b92c98541f769090cd0229a30013cea7cfafc18519ca654bfae29e14e
SHA512 1bcacd0ec7c3d633d6296fff3325802d6352805f0d2cf1eea39237424229ecffad6cb2aee4248e28b1eca02ff0646b58240851a246bbcf0aa1083830d5d9081e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C4UTX0F6\shared_global[1].js

MD5 f94199f679db999550a5771140bfad4b
SHA1 10e3647f07ef0b90e64e1863dd8e45976ba160c0
SHA256 26c013d87a0650ece1f28cdc42d7995ad1a57e5681e30c4fd1c3010d995b7548
SHA512 66aef2dda0d8b76b68fd4a90c0c8332d98fe6d23590954a20317b0129a39feb9cd3bd44e0c57e6b309227d912c6c07b399302a5e680615e05269769b7e750036

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C4UTX0F6\tooltip[1].js

MD5 72938851e7c2ef7b63299eba0c6752cb
SHA1 b75196bd3a6f9f4dfc1bbf5e43e96874bcd9ce4e
SHA256 e2d4e0e1d3e162fdc815f16dfff9ae9b0a967949f0f3ae371f947d730a3f0661
SHA512 2bb6c03a1335ef9514d0d172a4284d82a29d1783a72306bdcb8af3185d5cd2ff16303355aa4b05086d2fa0b5b7c7159cfa67de4a6175095ff0e68adec2a56ac1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8M86OWM\buttons[2].css

MD5 84524a43a1d5ec8293a89bb6999e2f70
SHA1 ea924893c61b252ce6cdb36cdefae34475d4078c
SHA256 8163d25cb71da281079b36fcde6d9f6846ff1e9d70112bbe328cae5ffb05f2bc
SHA512 2bf17794d327b4a9bdbae446dd086354b6b98ac044a8ee0b85bd72c3ab22d93b43f3542df03d64f997d1df6fc6cac5c5e258c4ec82b998f3a40b50c2fde99b5a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8M86OWM\shared_global[2].css

MD5 eec4781215779cace6715b398d0e46c9
SHA1 b978d94a9efe76d90f17809ab648f378eb66197f
SHA256 64f61829703eca976c04cf194765a87c5a718e98597df2cb3eae9cf3150e572e
SHA512 c1f8164eb3a250a8edf8b7cb3b8c30396861eff95bcc4ed9a0c92a9dcde8fd7cd3a91b8f4fd8968c4fdafd18b51d20541bcc07a0643e55c8f6b12ceb67d7805d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BHYOKO3G\pp_favicon_x[1].ico

MD5 e1528b5176081f0ed963ec8397bc8fd3
SHA1 ff60afd001e924511e9b6f12c57b6bf26821fc1e
SHA256 1690c4e20869c3763b7fc111e2f94035b0a7ee830311dd680ac91421daad3667
SHA512 acf71864e2844907752901eeeaf5c5648d9f6acf3b73a2fb91e580bee67a04ffe83bc2c984a9464732123bc43a3594007691653271ba94f95f7e1179f4146212

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 fc7d39150b24dca19b40065e68695874
SHA1 7d055382469c12da68b82c09ed5a3a6fdf6e61cb
SHA256 2fd7dbd08abca3df679e95c956d6916aff9803c71166d4c720f8f4609e782e8b
SHA512 a9151d5c1c203b240f49b0d3ee0b44f49d35d2a2c51b8097cb404b95a8e6cc3594a4ce3804006894e5efee97a258027ff502901e1bc9c2737163753018718bba

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\h00gt77\imagestore.dat

MD5 25706dffc0d2a9503f1e61257c4f58af
SHA1 8b7fd75d0a46ebaa59a8f102b82191810e009ad8
SHA256 c67e048882b95f24312b7511d76101114343ad607bef910387d003a6af37c769
SHA512 00fbdd3c988e1199e12cded5e44c5cadce83373d3f6518d55002b09a15781dc5c217e2ec73d3b6035ac6c51399e0f25312bbd6210a6ab45c852842b88dcf246d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C4UTX0F6\favicon[1].ico

MD5 231913fdebabcbe65f4b0052372bde56
SHA1 553909d080e4f210b64dc73292f3a111d5a0781f
SHA256 9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad
SHA512 7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BHYOKO3G\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C4UTX0F6\favicon[3].ico

MD5 f2a495d85735b9a0ac65deb19c129985
SHA1 f2e22853e5da3e1017d5e1e319eeefe4f622e8c8
SHA256 8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d
SHA512 6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2add4ce9c2f40e2004310968850f5dc
SHA1 20efad8aadae99057724bece97797bf7abc72fc8
SHA256 135b094c17962d666531716c38e7ba1bb351a8154f6c14b4cfd40d4f498cc0ef
SHA512 91cbfb01dd8497329ff94565f44a31001f07dadf3c54d104e57b7fdbd0b4358e60efd38337d8151cbb5925e758779fa37613be6869c41ab382fe0f96a6501d60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 abc33f1dace6f996b8f731d337658f94
SHA1 f97a5c71703060a9479fd3d5bf92f483d66d4a8f
SHA256 5b340762c05ade641b52fde8b79951f6073f5a6c30352a51b72c9fac021b722f
SHA512 2ef36363a3d8f65cf0fd2c15f31e7b91b97b38ea278d6f4c28319cd6cc979e1fdc1d44a66573b8fcc73b3b20fa18621dd479468fa20f65485d6229339d7d20b0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3TSDZ9K1\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3TSDZ9K1\epic-favicon-96x96[1].png

MD5 c94a0e93b5daa0eec052b89000774086
SHA1 cb4acc8cfedd95353aa8defde0a82b100ab27f72
SHA256 3f51f3fb508f0d0361b722345974969576daef2c7d3db8f97c4ca8e1ff1a1775
SHA512 f676705e63f89d76520637b788f3bac96d177d1be7f9762aeb8d5d1554afd7666cbd6ef22ce08f581eb59bd383dd1971896231264bc3eaabf21135c967930240

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f0dc234ccb184a51de68ec2b932341c
SHA1 8192d09f6ed8719b09eba12c7ad41124d519d562
SHA256 3a681f25149d3cffb03dc1ece23e3759b711dc58ec544b762106e083daa41f88
SHA512 a27a456c73f32d9aec585d54e4e2744f17a8e68c85309f6a02ca6eba6c4c38847c36cade45ef03d4951f5a93a0d07d68fa6db1fd397b1a9d1dcaa39c685721a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e6fd5f70462430ebf2e654cdcdb1d7a
SHA1 467f70a80f5b5e6c36efc0da4088f8836eaeeea1
SHA256 e505500de96b4d954415cceba699b707ae2b69e5e4c66e8379fedfb56ea39b75
SHA512 2ecfc2a3173323e277c2cf6312131c5d964a3b53f519d3f535f4f3496c44a1fa57d5401cdcc6d88820154cc2d3b8a954ffd1b1a6c4ffa1de5a0ff40dd6e70384

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b1b31365825582eb8b8465c1cd5afe1
SHA1 cede133594265cccf091f3abae2ab65fec239121
SHA256 ac07010752902cb58cf75bd50de43fb8444f3813046bb1832db835da3e56993c
SHA512 feabfd9486bc36b36e7d2faa919e46c00f7e4710177190e9d6d2fcd0e535604bcdd5d1e37bb2235ecb9ef5ab9549cea9d484b24b5f3e17add64f7a9ababeff09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b7d4d5cbf0c448d4d77d41c474829b4
SHA1 6b7dba0655d6721d6d75b2bcc1d3af151ae5ab70
SHA256 517b03d71ea66d4809a82f845052bf3b754af59816b657e4158f970193b568db
SHA512 3c3bc1734c69928471147c62bbb26360b126b36de33d7fc35c6b7f0886f9494203fdda282e3d8aa30e5caad70aca6332c33b4df80876fee2f0ef501c9ea68536

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 742a2bcad35c90e579a1efd58542025c
SHA1 a776724543079ed559d9ab7f666c8672539a3b19
SHA256 bd1f6256ca11194fe82ddc33780215adcf8e4ffe5bd63b7b8ff8ea5ad9fb03a2
SHA512 81e4bb0391376ec147b380659bab4d3cbad80a799f1d168894d0166583964ce3ab2847cb4642c14416fd391d401bac48f5fd06afc42dfd4da69b220709b0b2d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d1b6a3687e20c6cf0205048e9c243d66
SHA1 cc3b39b27a253d66943db0f9ebd6a1ecca99d41e
SHA256 e7544f0f1676b393c3bd647cfdd52245c53ca27a1a48c99390d103eb7f6f97ae
SHA512 75c8610a5f59e6bdbe5494f0475cd9ff743c5af17c31a7fa007e2fada1972492ea745c78caf92ac4d4103d655840993bb27f6bddf2b93486826a8b594fbbd5a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62d985be72be9f74ee8cde54b699f285
SHA1 0b16b796464efa48337dee51880f7531b0c48002
SHA256 b6073ea04c9c96b5874a2e9d9abc903cd95f5c7c7f84baf036cb9fa8cb5fb123
SHA512 3eccd9a957f10b8407a20ac20f94f1ce115bd0c574334685a944afb9fd4909ccbffcabf13d61a142a4ac43e9524234307a708e5ee5593657cf32c7498940e450

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82010eb5aac967dba7bf3e87f2ffde59
SHA1 8fb127177405955e2eff706735de9aee06fe7aa5
SHA256 2fd0896200eb38e76902aa16f2604bbab64f7d46d1e09a27fb75e7f0200b09f5
SHA512 7270296e91bf127ad93e03e0fd97e41e9eb8ac8686b81c8a7ab88aa17ca431b01dc62fa676fecfae225ab095a159e0c573e0e4abaf69384fb1daf3f07c24d32a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4fbf9e876384207b65f9a84e1fa5b049
SHA1 73a1fd3f45f4d6a3feeead3b3cf0e0af594645f9
SHA256 37e01b3325fb52145b0d479a6b113af7c3f0a3df556a313e567cd27c90f5b659
SHA512 4dabd3e7660276e0983a4ec1ff1d26b4303e3fe4913d1a5a266e10723d84188871314f373bf7d1321df6811dd538343af2af4cc021f6c3b23b4086c9ff35fa65

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

memory/1924-5621-0x0000000000160000-0x000000000019C000-memory.dmp

memory/1924-5623-0x0000000074EB0000-0x000000007559E000-memory.dmp

memory/1924-5624-0x00000000020E0000-0x0000000002120000-memory.dmp

memory/1924-5633-0x0000000074EB0000-0x000000007559E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 c60aa157a3bf1f9dd49addad38be9d68
SHA1 8055b2c563e24018af67a6c7752c7b0ed47ec252
SHA256 2b6dc7c8c511ca80053beb596b112a89e64782b961ff816a476613d0f64a90b7
SHA512 dbd516d43e6f6428b3b9819c7f66c79f5057d4f1b707ab0d7f755ad14a4ed053db39748e7b19b273c08df620f2d56666168ea685ee8834adf738a011941313fc

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0ec9b2b50543e691c1f1244ab7ebd3ee
SHA1 d8b04b5912add5277deb2409cfb6700dfff151a5
SHA256 03d1500521601b701219b49a964df6766074f6836a3676b9ad5f949d6ecb389f
SHA512 9b31a6fdd95f453ec69dff9403ec927147038554f0d6ab5f68d5eb33d3d213039c298515230b7af5e8b2d202b8856926d8708dbc1c24997ebd48f39d8c2eb20e

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 05:05

Reported

2023-12-11 05:10

Platform

win10-20231129-en

Max time kernel

300s

Max time network

209s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe"

Signatures

DcRat

rat infostealer dcrat

Detect ZGRat V1

Detected Djvu ransomware

Detects DLL dropped by Raspberry Robin.

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5C17.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5C17.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5C17.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5C17.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C37E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3AF1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\jrgcjib N/A
N/A N/A C:\Users\Admin\AppData\Roaming\jrgcjib N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\9f8dd60c-bcf3-4a31-a2fd-cb4a9dbbed65\\94BC.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\94BC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3AF1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5C17.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5C17.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2424 set thread context of 2400 N/A C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe
PID 3228 set thread context of 4748 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\94BC.exe
PID 2436 set thread context of 3872 N/A C:\Users\Admin\AppData\Local\Temp\94BC.exe C:\Users\Admin\AppData\Local\Temp\94BC.exe
PID 2808 set thread context of 4520 N/A C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe
PID 1432 set thread context of 316 N/A C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe
PID 1900 set thread context of 1992 N/A C:\Windows\SysWOW64\schtasks.exe C:\Users\Admin\AppData\Local\Temp\C37E.exe
PID 2836 set thread context of 4692 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1644 set thread context of 4208 N/A C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe
PID 4208 set thread context of 404 N/A C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 404 set thread context of 3588 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2028 set thread context of 3704 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1304 set thread context of 2200 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4828 set thread context of 508 N/A C:\Users\Admin\AppData\Roaming\jrgcjib C:\Users\Admin\AppData\Roaming\jrgcjib
PID 4124 set thread context of 1112 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5C17.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\schtasks.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C37E.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe
PID 3412 wrote to memory of 2828 N/A N/A C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 3752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 4708 N/A N/A C:\Windows\system32\cmd.exe
PID 4708 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 3652 N/A N/A C:\Users\Admin\AppData\Local\Temp\5C17.exe
PID 3412 wrote to memory of 3228 N/A N/A C:\Windows\System32\Conhost.exe
PID 3228 wrote to memory of 4748 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\94BC.exe
PID 4748 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\94BC.exe C:\Windows\SysWOW64\icacls.exe
PID 4748 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\94BC.exe C:\Users\Admin\AppData\Local\Temp\94BC.exe
PID 2436 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\94BC.exe C:\Users\Admin\AppData\Local\Temp\94BC.exe
PID 3872 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\94BC.exe C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe
PID 2808 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe
PID 3412 wrote to memory of 1900 N/A N/A C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\94BC.exe C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe
PID 1432 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3426238547-133202173-2522127025-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe

"C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe"

C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe

"C:\Users\Admin\AppData\Local\Temp\8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 496

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3321.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3583.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\5C17.exe

C:\Users\Admin\AppData\Local\Temp\5C17.exe

C:\Users\Admin\AppData\Local\Temp\94BC.exe

C:\Users\Admin\AppData\Local\Temp\94BC.exe

C:\Users\Admin\AppData\Local\Temp\94BC.exe

C:\Users\Admin\AppData\Local\Temp\94BC.exe

C:\Users\Admin\AppData\Local\Temp\94BC.exe

"C:\Users\Admin\AppData\Local\Temp\94BC.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\9f8dd60c-bcf3-4a31-a2fd-cb4a9dbbed65" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\94BC.exe

"C:\Users\Admin\AppData\Local\Temp\94BC.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe

"C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe"

C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe

"C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build2.exe"

C:\Users\Admin\AppData\Local\Temp\C37E.exe

C:\Users\Admin\AppData\Local\Temp\C37E.exe

C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe

"C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 756

C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe

"C:\Users\Admin\AppData\Local\13a0250d-d33a-4305-9c3c-b43741d49b54\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\C37E.exe

C:\Users\Admin\AppData\Local\Temp\C37E.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe

C:\Users\Admin\AppData\Local\Temp\3AF1.exe

C:\Users\Admin\AppData\Local\Temp\3AF1.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1668

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe

C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe

C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe

C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\jrgcjib

C:\Users\Admin\AppData\Roaming\jrgcjib

C:\Users\Admin\AppData\Roaming\jrgcjib

C:\Users\Admin\AppData\Roaming\jrgcjib

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network


Files


MD5 dba18992c732affe91f3f681588e8f9c
SHA1 f1dbda89df81104ad95c5ae68ffd0ddec0e17b1e
SHA256 a631caa8f292220cffb26a851e157acafd0119a8077ba52cae40fc543b2b1762
SHA512 ae753b7af8fd001305af5fe7aba797539f3db3b5fd38c285b9579bd2b957c0c31992d309896a25fd28e836bcbeabb082f716ce753ad76503cfd8611991e6e103

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe

MD5 f1e53ad686718f0befc9f47c2accb098
SHA1 bb6edc9beded6397af3a55dabc9e1b2ecb244249
SHA256 f6f2a9bb88e770796a981bb4d5f5ff0418374573ddc8aa651d9f05f8dbe6fbc9
SHA512 0e6d5178c33aa17418c98503caa0038c3012762a02d4818b836680932942ca940059899b9159f15863502a33bae6ff77f8b302fdd868e8ddba51cc9d9a3628ff

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe

MD5 b47ba4045c861cc5243d211e307c2c80
SHA1 b3c128c987a3dae00853cdd0a60c5cb6100c3749
SHA256 6f8f983067af9f8d18ac2a400b6fc12929b2cf38a1bafe8102f8ff64b68fa10b
SHA512 3f8812b50ec9dc6dd95ede24cd1122f0e1c91c2c53a05496bdd9225ce282d69e1845d2645974b8318441ada9f7609dcca3cfdc954fa58499f29a46936f5f03f0

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 f9234d0c710838b04bb74b8628b62632
SHA1 72f00555e8a59ef4cc98b45c5f71016150390648
SHA256 286ecf9b56aa3edeb98f1798d18568cbbb96053fa9bd7750a3c1aa8923dbc794
SHA512 47e68e85be33d25137f4305c67a8a43675cb53a770b1823197fbd0f7742521451a965d634db361e277aeea2b80868f06a81c666e9bfcb3232abb88da59a9abd1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ch35sr0.exe

MD5 a390bdea494f2cdd8da3ef4cd47b650a
SHA1 c66f0a604c5fab9a536a42ee8e49d23e49f8ec5a
SHA256 eddf9c4b86546c92e99bdff5aa8530072527dc3bbbdcf2b9ab8f18c1dc0b9af0
SHA512 9dd09ace85528e18f3b753ae8d9167123a177048fa382c03045e056584a4114d5514c81f7c22fa008b8c79fedf2f5b50de91bdb0e919c56c9143248d64c5f944

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NS1SP23.exe

MD5 18e9ebf6dcb63f89de68341fb5039ec2
SHA1 c05af5a02e4bc7203faccccbfd627eafa3cad4b5
SHA256 c3d7865023bda70833d890efff480359228f36bce49973ffeae2c9a94f71d79b
SHA512 7288cc6772f40449cdffb6423c59008fc31acff2dd345aaf800386370222fabb1a24fb0b6341f318023d42d539b82b6281fd84a283dfb7f3a8ac08f56d1602fa

C:\Users\Admin\AppData\Local\Temp\3AF1.exe

MD5 2cb9d37643d0ff6316fe2228d8f4ca7d
SHA1 0d16614b64c7c87eb37c6e18e681a62aa74f84d6
SHA256 8a7d028a90549c7673f8b3f4b588d16ee1d0b0d7fc2d598d6fbabddc85f63682
SHA512 4ab276153d27f5f2bac9b7ce8062a93fc5bdcacb57706ffb96d92ceb76c31deae3c03027db6991ee50edce5ef90a2cf5c1c1c27ec8129c481ba7ca3766a6859d

memory/1992-3340-0x000001F53E980000-0x000001F53E9D4000-memory.dmp

memory/1992-3342-0x00007FF993550000-0x00007FF993F3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\grandUIA66PvNnm8Td6tn\information.txt

MD5 d2bb52106c8b54c0f49937def8ab6de5
SHA1 a56df699ba85d14869e6bd6f4fa344b3b9012459
SHA256 d19c7f34bd47ad3483e32373cc35e466b99f5c3362d93385786aa80f5ac0f146
SHA512 7bcdea950ce281987eff956b1ac2cbce3616ec17f099a40af6f7a042b1abb8bc57e5fd2183bf475ece44c34670fd35fdff3a806cffe3215bccc45f0dfcb54896

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 cf2ee397d4dcbcec5e2ed55a7ecb7b88
SHA1 b4f41afa4f34e33ba8d7dc8a6de630945e1bdd34
SHA256 800e0589fd78f7fcc2c3f5eaa84eb601f1996520da2246ea6dd41c091be1435e
SHA512 c9c8b3d98092422b1e0c29f64d0fa32c7e6a4899ed49b58c5bfcec7a5f25df4abbcaa17dfba718fb21e4849ca85372e33c644a9c8be193e5d330b0819fa3b25b

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 2783c4210e8e39b8b01c5333c9cb0397
SHA1 121f68a26bd6c9c57e0948332dd4e05be9ee7353
SHA256 789f4d48c8e026eb4f23b35223d4381bcb3165fab484cea24c2a957d1b3cb7b9
SHA512 f193096e8181f09cfce8a79c2d4415ac78cf11e6d49cb9d810be944f9692c152e13855ff1317497f4366b962b4e01ebd4436e746472b3d897a0da467818d0060

memory/3652-3404-0x0000000008950000-0x00000000089A0000-memory.dmp

memory/3652-3405-0x000000000A030000-0x000000000A1F2000-memory.dmp

memory/3652-3406-0x000000000A730000-0x000000000AC5C000-memory.dmp

memory/2836-3412-0x0000000000ACA000-0x0000000000ADA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 43b71aa109b8f936233908bdfff05596
SHA1 797c9dc3f76b01767017f57e4d13495f79452c8a
SHA256 cd28d2ac1f068c931f19e967598b7b63840cf92cf1e46922176ed0cf9c3abaa1
SHA512 22ab0f2e86822b91ba362dbf0c421bd4993e96f055a8fe23592962a490be0f345b75a6ed9fa05705a9f59ebb693ca281cc4ab5b284966d749f5a566190dec007

C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe

MD5 cda530b8188e9c42c6202ddff7a727fe
SHA1 b3309c547d92b03c183ba0b34fc85e2cfa476164
SHA256 5cf4d9ef87793585f3d435eefa6ea65cf1f89290470ef098b59c4084a2681ea9
SHA512 c39f888e01d2e80c49c54599dab684ce56f6132a1bede0e5d4845e931858810e9db998e5e9b84e173aa5d95e002822374ab879abb26f182f1f02da1a1c464fd4

C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe

MD5 387eccc1e33a7e4d70f8fe35e08907a9
SHA1 143e9e86e09eba3a15caffa460c18a53d5baf830
SHA256 0cbb932e531550e1588baad6562ea2e86e4f5572c6af391d98440413be9d1407
SHA512 2dc3f1095dc080cac842f589b3e073c502569c7859f29b20eb49010ab65bb12a4dfa0d5027985e096c985d16a28eecc0062846aed225b2b80978835723205ddd

C:\Users\Admin\AppData\Local\AceFlags\avbmit\ContextProperties.exe

MD5 c7962a8e90613a3dcf6cd153c5b08f9f
SHA1 43ea1d613345cee380a78843fc84d40db62823aa
SHA256 443f47bfd11027fbb22461f9e7485b56256fddd2c5455ad980b295f353362d07
SHA512 b6e5fa02361f07e79e86193f33f6a01dca2e6dc319e5f29026ba64a74fae932712c14c9d6d90770407b02092574707145b35b5dc3c3b732a3dbae53a68ad01c3

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 ec8f49bdea3d0d383777b0d7fdea26d3
SHA1 c88d58ec2c26bc914189c4b753e70b781ac4c5a9
SHA256 da1fc82c78e3b58aab9b9349e50ddcbdcfddedf696cd873128ce392d48248058
SHA512 8977a48305fd98200a2f00bea3c642ddd24af7106794a70e34b64ea7a4fa4ad714bc0bd2294519db5fa5b0439319442fb360cc4254efd88191e5a75c72376614

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 3c67c8f1e153f77f96303589fdfc1756
SHA1 7247ff3d070a24e1b0ec4fd7fc6f3b324344729d
SHA256 2799135b83495f3771e1aeadbbad4fa8186868059c166a4e439abf9235b6d26e
SHA512 a8a4aa77aa805b331e96c7a257149a34098d4729e4b1a8933d499568315a07cd11f88f8a92be67f6762eea357d9fa850f666f6dc8170d1f249d689ff8534f638

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Roaming\jrgcjib

MD5 11b1cc83dc32d2b8764c543b8619e7a9
SHA1 04842c872a2baee46e2108c01ed49de99fe36d50
SHA256 8e65b46ca1d2f5aeaefac09009f1ce9a3ea30ec8c0b9c8d168156ff8369d8f58
SHA512 f6bffaa6e6fd85fcf38ecd6a8482963af09b4a7d3101e49cc7c4cfd80ec1622acb6984c909abb98f5359b1b9d6de1cbc135ad4f27b5b138ce2b02c9678ebcc0d