Malware Analysis Report

2025-03-14 22:00

Sample ID 231215-b74qtsbbe8
Target d03bcd36867e7c28bb1a55cce8dde5ec.exe
SHA256 1ce005163f0931b60a2340dae83894ab89a710d930c7e0c28da75b41518a6ef3
Tags
djvu smokeloader pu10 backdoor discovery persistence ransomware trojan dcrat lumma privateloader redline risepro @oleh_ps google collection infostealer loader phishing rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1ce005163f0931b60a2340dae83894ab89a710d930c7e0c28da75b41518a6ef3

Threat Level: Known bad

The file d03bcd36867e7c28bb1a55cce8dde5ec.exe was found to be: Known bad.

Malicious Activity Summary

RisePro

SmokeLoader

Djvu Ransomware

Detected google phishing page

DcRat

RedLine payload

RedLine

Detect Lumma Stealer payload V4

Detected Djvu ransomware

PrivateLoader

Lumma Stealer

Downloads MZ/PE file

Modifies file permissions

Reads user/profile data of local email clients

Checks computer location settings

Loads dropped DLL

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Checks processor information in registry

outlook_office_path

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

outlook_win_path

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2023-12-15 01:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-15 01:48

Reported

2023-12-15 01:50

Platform

win10v2004-20231130-en

Max time kernel

31s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe"

Signatures

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AB16.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\11378549-d88e-45ab-b5e6-9d4716f58b69\\AB16.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\AB16.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4444 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
PID 4444 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
PID 4444 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
PID 4444 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
PID 4444 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
PID 4444 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
PID 3412 wrote to memory of 4924 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3412 wrote to memory of 4924 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 4924 wrote to memory of 3228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4924 wrote to memory of 3228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3412 wrote to memory of 2288 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 3412 wrote to memory of 2288 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 3412 wrote to memory of 2288 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 2288 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 2288 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 2288 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 2288 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 2288 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 2288 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 2288 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 2288 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 2288 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 2288 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 1484 wrote to memory of 3832 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Windows\SysWOW64\icacls.exe
PID 1484 wrote to memory of 3832 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Windows\SysWOW64\icacls.exe
PID 1484 wrote to memory of 3832 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Windows\SysWOW64\icacls.exe
PID 1484 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 1484 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 1484 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 4560 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 4560 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 4560 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 4560 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 4560 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 4560 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 4560 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 4560 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 4560 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 4560 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\AB16.exe | C:\Users\Admin\AppData\Local\Temp\AB16.exe
PID 3412 wrote to memory of 4360 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B98E.exe
PID 3412 wrote to memory of 4360 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B98E.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe

"C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe"

C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe

"C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1916 -ip 1916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 328

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\94ED.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\AB16.exe

C:\Users\Admin\AppData\Local\Temp\AB16.exe

C:\Users\Admin\AppData\Local\Temp\AB16.exe

C:\Users\Admin\AppData\Local\Temp\AB16.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\11378549-d88e-45ab-b5e6-9d4716f58b69" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\AB16.exe

"C:\Users\Admin\AppData\Local\Temp\AB16.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\AB16.exe

"C:\Users\Admin\AppData\Local\Temp\AB16.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2332 -ip 2332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 568

C:\Users\Admin\AppData\Local\Temp\B98E.exe

C:\Users\Admin\AppData\Local\Temp\B98E.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 24.52.193.212.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 brusuax.com udp
KR 123.140.161.243:80 brusuax.com tcp
US 8.8.8.8:53 243.161.140.123.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 185.196.8.238:80 185.196.8.238 tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 238.8.196.185.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp

Files

memory/4444-1-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

memory/4444-2-0x0000000002460000-0x0000000002469000-memory.dmp

memory/1916-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1916-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3412-5-0x0000000003140000-0x0000000003156000-memory.dmp

memory/1916-8-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\94ED.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\AB16.exe

MD5 597507b354253ff613bbf18c31985438
SHA1 0736a124c64ce6127912277c410186bac29a308d
SHA256 e51a3064d0e0d267ac87301875c12545e2279ba282292dad110ada5806444e18
SHA512 d44830d95b2078e9f096cf68b2942a0a23cd30ec3b3356f09a9bb29081b77fe2325f943e088748db538be0ec41573d46b3d6451286b6db714324df8e32424a8a

memory/1484-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2288-26-0x0000000002620000-0x000000000273B000-memory.dmp

memory/2288-25-0x0000000002430000-0x00000000024CA000-memory.dmp

memory/1484-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1484-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1484-28-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\11378549-d88e-45ab-b5e6-9d4716f58b69\AB16.exe

MD5 3f5e0a8ea20c995f7c3100ba2a184196
SHA1 1a89f579e08677f3f72102d556c77d49bb3d51d5
SHA256 07bd1b82588438e8f050500cf49ddfe5f765ce0d7c4892036c2cc550db4ea20f
SHA512 1f1148b7b4744f314b87f33db32ff7e1786c6c8c0fc1800b47e6f47757778b6264c41a9022e26786d6301dc3ad2bf6c4c883277702e31a36ab86e351fde89bbb

memory/1484-40-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AB16.exe

MD5 6ec082f63cd8692cc247107dba00492c
SHA1 69dc04077ca6c57c4450fa243c03b790886b64b6
SHA256 1f798dbd5a075d86cc02515ff5f797b47172ff291efe80b857671ac4eb233e02
SHA512 8e7bacf303a69fb15ee42393c76751d3542476542af9cf0cfe0d7539a48e560627dfba2c3ce3462b7d20f0b6794e36c1b1910912f3c771356f7bc1d6205d774c

memory/4560-44-0x00000000023A0000-0x0000000002439000-memory.dmp

memory/2332-46-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AB16.exe

MD5 74959810eacebb25017021835fa503dc
SHA1 41b70b471a0a99c867b455617d74123414d7a995
SHA256 04c2de45b62a0777a02982d4de73e28278ae299880afe517838e7af12359f711
SHA512 4caaa443863a74a29ece6139315786d9c23f2994b0de93922722a62f683350c328e69fb278b13086023c17dd8396edbac256114b74f11197048aff73708d9f8a

memory/2332-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2332-47-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B98E.exe

MD5 fdced44282e3b2601ba0b0e0eb3a8c43
SHA1 e0d6041213dabfbd533f1e257c94428ed9f02d0e
SHA256 54fc05d99c3dbcc41964af347b5e1c61d94a57ec7ac6d29771d0ee1fd9878ee4
SHA512 b6fd651e86ce66d4ca9bd571991ed6acee293f0923fd65409d5b8edfee8362517898d216ae1869841952f7302f8ead950174dc09cf01f651c26ed28483738150

memory/4360-56-0x00000288399B0000-0x0000028839B24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B98E.exe

MD5 b26823c8af5fbcdc86f84fc2e267311b
SHA1 fc4efc116024547a35e1374e1a168895cadb9430
SHA256 e7e850769c68b1bdd5cfc47e30eb09d5bab56d19fa59cc7075b023b05d7f13f1
SHA512 d73bc376875649231e5f9ad2b216e2f6a8fa0c06609146fa3843652b52ccb0dc502850ac4f76e771bad5fe7f761cc06c34d5ba304cca307c849618c81bfb4c7a

memory/4360-57-0x0000028854110000-0x000002885423E000-memory.dmp

memory/4360-59-0x0000028854100000-0x0000028854110000-memory.dmp

memory/4360-58-0x00007FFC3F8C0000-0x00007FFC40381000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-15 01:48

Reported

2023-12-15 01:50

Platform

win7-20231130-en

Max time kernel

85s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Detect Lumma Stealer payload V4

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detected google phishing page

phishing google

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eY1yp32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\14a22dc4-2cc9-460e-a60a-a0c3751db70f\\7550.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\7550.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\D6E2.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mh0er5.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mh0er5.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mh0er5.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E91EFC1-9AEC-11EE-88F1-D2343147A8FD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E8608E1-9AEC-11EE-88F1-D2343147A8FD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E8ACBA1-9AEC-11EE-88F1-D2343147A8FD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\7550.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\7550.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\7550.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mh0er5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
PID 2872 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
PID 2872 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
PID 2872 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
PID 2872 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
PID 2872 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
PID 2872 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe
PID 1372 wrote to memory of 2560 N/A N/A C:\Windows\system32\cmd.exe
PID 1372 wrote to memory of 2560 N/A N/A C:\Windows\system32\cmd.exe
PID 1372 wrote to memory of 2560 N/A N/A C:\Windows\system32\cmd.exe
PID 2560 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2560 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2560 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1372 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 1372 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 1372 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 1372 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2824 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2824 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2824 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2824 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2824 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2824 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2824 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2824 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2824 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2824 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2824 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2556 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Windows\SysWOW64\icacls.exe
PID 2556 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Windows\SysWOW64\icacls.exe
PID 2556 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Windows\SysWOW64\icacls.exe
PID 2556 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Windows\SysWOW64\icacls.exe
PID 2556 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2556 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2556 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2556 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2008 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2008 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2008 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2008 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2008 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2008 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2008 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2008 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2008 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2008 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 2008 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\Temp\7550.exe
PID 1372 wrote to memory of 2296 N/A N/A C:\Users\Admin\AppData\Local\Temp\85B5.exe
PID 1372 wrote to memory of 2296 N/A N/A C:\Users\Admin\AppData\Local\Temp\85B5.exe
PID 1372 wrote to memory of 2296 N/A N/A C:\Users\Admin\AppData\Local\Temp\85B5.exe
PID 760 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
PID 760 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
PID 760 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
PID 760 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\7550.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
PID 1400 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
PID 1400 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
PID 1400 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
PID 1400 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
PID 1400 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
PID 1400 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
PID 1400 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
PID 1400 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
PID 1400 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe
PID 1400 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe

"C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe"

C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe

"C:\Users\Admin\AppData\Local\Temp\d03bcd36867e7c28bb1a55cce8dde5ec.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5A31.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7550.exe

C:\Users\Admin\AppData\Local\Temp\7550.exe

C:\Users\Admin\AppData\Local\Temp\7550.exe

C:\Users\Admin\AppData\Local\Temp\7550.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\14a22dc4-2cc9-460e-a60a-a0c3751db70f" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7550.exe

"C:\Users\Admin\AppData\Local\Temp\7550.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7550.exe

"C:\Users\Admin\AppData\Local\Temp\7550.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\85B5.exe

C:\Users\Admin\AppData\Local\Temp\85B5.exe

C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe

"C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe"

C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe

"C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe"

C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build3.exe

"C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build3.exe"

C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build3.exe

"C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1448

C:\Windows\system32\taskeng.exe

taskeng.exe {97F87DDE-4589-4ECD-8AA4-8AA105F3E7B3} S-1-5-21-2185821622-4133679102-1697169727-1000:QHCIVBOB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\D6E2.exe

C:\Users\Admin\AppData\Local\Temp\D6E2.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eY1yp32.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eY1yp32.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://facebook.com/login

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2108 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mh0er5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mh0er5.exe

C:\Users\Admin\AppData\Local\Temp\47DD.exe

C:\Users\Admin\AppData\Local\Temp\47DD.exe

C:\Users\Admin\AppData\Local\Temp\4B38.exe

C:\Users\Admin\AppData\Local\Temp\4B38.exe

C:\Users\Admin\AppData\Local\Temp\4DB9.exe

C:\Users\Admin\AppData\Local\Temp\4DB9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 216

C:\Users\Admin\AppData\Local\Temp\52F7.exe

C:\Users\Admin\AppData\Local\Temp\52F7.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 brusuax.com udp
KR 211.119.84.112:80 brusuax.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 www.microsoft.com udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
KR 211.119.84.112:80 brusuax.com tcp
US 8.8.8.8:53 zexeq.com udp
BR 179.153.102.52:80 zexeq.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 185.196.8.238:80 185.196.8.238 tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 109.107.182.45:80 109.107.182.45 tcp
BR 179.153.102.52:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
DE 5.75.211.54:1993 5.75.211.54 tcp
DE 5.75.211.54:1993 5.75.211.54 tcp
DE 5.75.211.54:1993 - tcp
DE 5.75.211.54:1993 5.75.211.54 tcp
US 8.8.8.8:53 host-host-file8.com udp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.youtube.com udp
IE 163.70.147.35:443 facebook.com tcp
IE 163.70.147.35:443 facebook.com tcp
BE 74.125.71.84:443 accounts.google.com tcp
BE 74.125.71.84:443 accounts.google.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
BG 91.92.249.253:50500 - tcp
US 8.8.8.8:53 www.facebook.com udp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
US 8.8.8.8:53 ipinfo.io udp
GB 142.250.187.238:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.147.35:443 fbcdn.net tcp
IE 163.70.147.35:443 fbcdn.net tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
US 8.8.8.8:53 fbsbx.com udp
IE 163.70.147.35:443 fbsbx.com tcp
IE 163.70.147.35:443 fbsbx.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.18.145.235:80 www.maxmind.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
US 8.8.8.8:53 play.google.com udp
FR 216.58.204.78:443 play.google.com tcp
US 92.123.128.181:80 www.bing.com tcp
US 92.123.128.181:80 www.bing.com tcp
US 92.123.128.181:80 www.bing.com tcp
US 92.123.128.181:80 www.bing.com tcp
US 92.123.128.181:80 www.bing.com tcp
US 92.123.128.181:80 www.bing.com tcp
US 8.8.8.8:53 - udp
GB 142.250.200.46:443 - tcp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 soupinterestoe.fun udp
US 172.67.221.65:80 soupinterestoe.fun tcp
US 8.8.8.8:53 dayfarrichjwclik.fun udp
US 172.67.174.181:80 dayfarrichjwclik.fun tcp
US 8.8.8.8:53 neighborhoodfeelsa.fun udp
US 104.21.87.137:80 neighborhoodfeelsa.fun tcp
US 8.8.8.8:53 diagramfiremonkeyowwa.fun udp
US 104.21.18.224:80 diagramfiremonkeyowwa.fun tcp
US 8.8.8.8:53 ratefacilityframw.fun udp
US 172.67.161.55:80 ratefacilityframw.fun tcp
RU 178.236.247.164:80 - tcp
US 8.8.8.8:53 reviveincapablewew.pw udp
US 8.8.8.8:53 cakecoldsplurgrewe.pw udp
MD 176.123.7.190:32927 - tcp
US 8.8.8.8:53 opposesicknessopw.pw udp
US 8.8.8.8:53 politefrightenpowoa.pw udp
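
The table above mixes DNS lookups, HTTP to loader hosts by hostname, connections to bare IPs on unusual ports (1993, 50500, 32927), queries to IP-geolocation services, and several rows with no Domain value. The Python below is an added example, not output of the sandbox or of any tool named on this page: it parses rows in this table's layout, treating an empty or "-" Domain cell as unknown (an assumption about how the page may be rendered), and reports domains that were resolved but never contacted, destinations reached without a hostname, non-standard ports, and geolocation-service use. The sample rows are a subset copied from the table; GEOIP_SERVICES lists only hosts that appear in this table and is not a complete list of such services.

```python
import ipaddress
from collections import Counter

# Constructed sample: a subset of rows from the Network table above, including
# rows whose Domain column is empty.
SAMPLE_ROWS = """\
US 8.8.8.8:53 host-host-file8.com udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 185.196.8.238:80 185.196.8.238 tcp
DE 5.75.211.54:1993 5.75.211.54 tcp
DE 5.75.211.54:1993 tcp
BG 91.92.249.253:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 soupinterestoe.fun udp
US 172.67.221.65:80 soupinterestoe.fun tcp
US 8.8.8.8:53 reviveincapablewew.pw udp
MD 176.123.7.190:32927 tcp
"""

# IP-lookup services stealers use to geolocate the victim; all four appear in
# the table above (this is not an exhaustive list).
GEOIP_SERVICES = {"api.2ip.ua", "ipinfo.io", "db-ip.com", "www.maxmind.com"}
STANDARD_PORTS = {53, 80, 443}


def parse_row(line):
    """Parse one 'Country Destination [Domain] Proto' row; a missing or '-' Domain becomes None."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row layout: {line!r}")
    if domain == "-":
        domain = None
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto.lower()}


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def analyze(rows_text):
    rows = [parse_row(line) for line in rows_text.splitlines() if line.strip()]
    # names the sample asked the resolver for
    queried = {r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53 and r["domain"]}
    tcp = [r for r in rows if r["proto"] == "tcp"]
    # hostnames actually connected to (a Domain cell holding a bare IP is not a hostname)
    contacted = {r["domain"] for r in tcp if r["domain"] and not _is_ip(r["domain"])}
    raw_ip = {f'{r["ip"]}:{r["port"]}' for r in tcp if r["domain"] is None or _is_ip(r["domain"])}
    nonstandard = {f'{r["ip"]}:{r["port"]}' for r in tcp if r["port"] not in STANDARD_PORTS}
    counts = Counter(f'{r["ip"]}:{r["port"]}' for r in tcp)
    return {
        # resolved but never connected: dead or rotated C2 candidates worth blocking anyway
        "resolved_only": sorted(queried - contacted),
        # hard-coded C2 addresses; no DNS to block, so these go on the IP list
        "raw_ip_destinations": sorted(raw_ip),
        "nonstandard_ports": sorted(nonstandard),
        "geoip_services": sorted(contacted & GEOIP_SERVICES),
        "top_talkers": counts.most_common(3),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

The split into "resolved only" and "raw IP" matters when turning a report like this into blocks: the .pw domains that never received a connection still belong on a DNS denylist, while 5.75.211.54:1993, 91.92.249.253:50500 and 176.123.7.190:32927 have no hostname to block and must go on a network-layer list. The geolocation lookups are low-signal on their own (many legitimate programs do them) but, combined with the rest of this table, corroborate the stealer verdict.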

Files

memory/2932-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2932-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2932-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2872-5-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2872-4-0x00000000009A2000-0x00000000009B8000-memory.dmp

memory/1372-7-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

memory/2932-8-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5A31.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\7550.exe

MD5 597507b354253ff613bbf18c31985438
SHA1 0736a124c64ce6127912277c410186bac29a308d
SHA256 e51a3064d0e0d267ac87301875c12545e2279ba282292dad110ada5806444e18
SHA512 d44830d95b2078e9f096cf68b2942a0a23cd30ec3b3356f09a9bb29081b77fe2325f943e088748db538be0ec41573d46b3d6451286b6db714324df8e32424a8a

memory/2824-30-0x0000000000280000-0x0000000000312000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7550.exe

MD5 f2c4adace3088abebbbc93692dcddb9d
SHA1 0453b93ca9114bef48139d6ddf42d533a3f390f2
SHA256 b2c1be16d09428c8cf3135f937957065d6345efd84eaacef98ca192b285aee07
SHA512 63570fc2dce309f95cf5d6d93514e288af28d4da999e19bd525c2b389778b8928c49b2e06bbadafb72089c4bf1ded4b65342c0e79470fc3711ff0920caff8e64

memory/2824-31-0x0000000000280000-0x0000000000312000-memory.dmp

memory/2824-35-0x0000000002220000-0x000000000233B000-memory.dmp

\Users\Admin\AppData\Local\Temp\7550.exe

MD5 9e1c30e85113313c3c5f227b5d9bde5d
SHA1 9872d9bc104bee8843e613e96b2de274e5c9f994
SHA256 742b3944a2946623653fab6a8f74a21af83068207dafc7dff5ea03bed869156a
SHA512 b74541cc92cd92a3f6ed983ec41c7f54fae630b00e86425dcde2ccf2d47b3b58318db89a8707f4e94f3b87c3de2fc73d3f6395ccf8bcf92bab6d49628b7828de

C:\Users\Admin\AppData\Local\Temp\7550.exe

MD5 8ec0266edf36428c5bb864776f2488e7
SHA1 32b4515f85df239d4df540426e06aa74e91fecd1
SHA256 9ff212e6796dc01031299095edce4d5c844ef7024ff04c1c278c91735f75ba67
SHA512 cb2b2348d3967105484030200a8c73fd58f18eea277c18453ddfaead4aad24d0c1bad2169efd559435ac9e8f107959fb9c345b41a6901cb76db00d10cc0a3074

memory/2556-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2556-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2556-41-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\14a22dc4-2cc9-460e-a60a-a0c3751db70f\7550.exe

MD5 5dbf4da9fac614a1124b94201ab05e72
SHA1 9b6b1024600d0a7c293948c464878a7095c1efc1
SHA256 1bc06073ca61d270bae4610ef87884cc56f0b221e7a8dc7400ab0aea419b37fe
SHA512 a06bfd8ace46d99099df9d3df1fcd4f67090c2e9c5279052f04730a51498d6655025847c46366ebbf4a707a9bbad21170e16675fe98564ae6febab563d0c4bf7

\Users\Admin\AppData\Local\Temp\7550.exe

MD5 51f274f3d5adb038858b4462a53be5f8
SHA1 d11bc1867042dcfead69ede3321f9286ade6d2d2
SHA256 8b30c1175135f81973dc79008ffdc88bbcb29edfadc95bacc4357d3003cd581d
SHA512 a5e7b88fd921f244cbece9d99803f2e2927590a496e2dff51605e9b116c674d665b5d1947f468265649cdfbf21fdddc3e20dadfe4f3b0231d21c588f6763787f

\Users\Admin\AppData\Local\Temp\7550.exe

MD5 b598a31d5c552a3e756ffd26c93e8c52
SHA1 9a1b23bddf8ab4262c2345cb7aa737bf6fccaca9
SHA256 cdfdbbbce4734698eef67ea4f91a14af0f29ee35c88d5311c1310c9ea8695ec1
SHA512 32def60b865fd286dd13c6dc9528cdb4fc3da8e5a3f51b5cd85213fe38bc2a6397ce7fbaf4d2c5802bdd5f25831eb686c3564a713581aede5bf372ccdf5c74c8

memory/2556-80-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2008-82-0x00000000020E0000-0x0000000002172000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7550.exe

MD5 b47cb6279c90383dc3023d1debcac272
SHA1 a54b28d243d5383b9333961fd43cc7093e6a1e81
SHA256 d6949c74ecf46bd8ec3aeff28c472cba5af01cbb5f71d86864775e9436a500fc
SHA512 f2ba4d84f92ef661533a865e9276134e680c3a820d02174d175cc51637a9f5492eeb427e1628b022d16782e2867aed43573121b9976356b5150c049b97faaffd

\Users\Admin\AppData\Local\Temp\7550.exe

MD5 166112bfd22d1bb62a1524356ee1a4ff
SHA1 18e50db3d212af01887d50867c4fa46f0da37bbd
SHA256 326a6e99e3a8a45d1a20a8bf7892a7f131ddd66acc513196fbff3a3d066b8ad1
SHA512 6ce6d109dc6f07f8f9ef083fb46e26db00ce149858061cb426d83b33ededdc0f8d209f92bd3c94d964264739952b59e44e5da2d7f390bc86010ad8cd3fd508dc

C:\Users\Admin\AppData\Local\Temp\7550.exe

MD5 0f88ac38bc246f35853f9e28f3110679
SHA1 73f182ff7b04d2f007bac8c9a7eda4fb8650b180
SHA256 c428fe04958413976cd71b368da1fde2a75f17996febef29ae3f1dc5832c6257
SHA512 1bc2d6759b38b43712034fcc8e41c912b98bb1ff8c9bdd8664897b40295220c8630d121372b296f76c16b8d5b4cc650f5f109650e7c5926b6ab33328e5d4137f

memory/760-90-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2008-89-0x00000000020E0000-0x0000000002172000-memory.dmp

memory/760-91-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 871567bb3202a3faa90dd33d609df6c9
SHA1 f39c2cd3afa13cb18cad9df1375fadd225a9e27a
SHA256 c8bc36169057de26e19def68e5ab1a584dd61746a590e673d2772add125f4eae
SHA512 0a37b9b6cd1785bf50bce9344ddc0c9ace29dc183e2820224bb8c999d64b0097ad351b5d171280972ec783e31bfe911f392d1068a336cccded07805b5af4811e

C:\Users\Admin\AppData\Local\Temp\Tar7EC2.tmp

MD5 1c37269ee4763ee6f1632ed98ee776fe
SHA1 567797fdc92ee9b03e61f3e67cd3cc9463c9ae2e
SHA256 231bda33be12a948868c2abba758971a64b20cda059c663a42c10ea37fe21f62
SHA512 c1610f6dc8a928a6f1832d127b5b95a4624b6612b452d50c1ab032c6a3434d3b88841c144e4e556aa8bb6bb8ab18d74b6abd85b5ffe3b4ef5bbfc0fff8c6ea89

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 5491475fd56ab6b74b9266b1252f3752
SHA1 f2b49f1ecdbee2ba9459f21178023ad3e66e4cac
SHA256 4d294d7a358070ad504a1e85e8d7be11a3a89b13d5b24847da9d8c4a43693269
SHA512 9e6da009b2cfcbb5f5088c0009d358118f1444111bffef8495e775f0e7141cb049d2f092fc1ccd15ae0756aed04e4b466a360061fde1b27fc6ef9193ec94aaac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08c6d3787c733e84f88e0189e1796be3
SHA1 f2f181bd5c9043b858d3db36261d82a82ce63037
SHA256 29aaba490874922c0f23b1a9af1b4457a2b9e1baa463c5cdb11fb390a9e4127c
SHA512 f96ed1dc690a09d4060ff74216bbd2bcee73b652eae72949ee0b367e37d265f8841e8b294b600bb7b3144f5b81fefc60480ed20c6049d6a1581ec6cf3a9bc98e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 f8c07c236291663e4f4749bac13e3feb
SHA1 d3b8ccb4afcdf63be90d3a509e32516ec27693fc
SHA256 bf740fc1d146fcea28aa697cb5e9f97350bc5a3200e8effe4174ede07d487bf2
SHA512 4d76b51edcbed573be71b45b72c28d8399f784e1dd370f9327248b2b40e568cf0c90ea4090a7c3e90c05c94021edfe69a198bc62d28397147a9419c8004059da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a084e58a5d5b04e46aaea72cbf122619
SHA1 86b23d015d7b6c2aee44322dc0b7e41e6ce69200
SHA256 8ad1098ad99d75820bf30bbe4d692f4c1153e434d4cc63bd25bf11f19e606b8d
SHA512 45c66d552264d5a28c90d932a45a51ec83b696ef5846b123544820e8f8b44cf530f1d4355a3fe6103b060f2af1bf6ef16bb7c23ed6b9ddb3d199dd857296ab2c

memory/760-108-0x0000000000400000-0x0000000000537000-memory.dmp

memory/760-107-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 74720066af206928fc4d91052d85f318
SHA1 52de810c9d9fcededaa66f01c59924dbfaf8c65f
SHA256 8cab494a4920654b7ec5766e6a8c7a03389aba71a0a55d6cd99f4cf517cba388
SHA512 42cc79a852413de60e256fd66242b9f9a3ba9238a7267f87e66d2a5f0ac7838b0e8ab7ae6bab44a8b0da6828b6bbb0a137b54578c198714fa0a478a92b78f968

memory/760-115-0x0000000000400000-0x0000000000537000-memory.dmp

memory/760-114-0x0000000000400000-0x0000000000537000-memory.dmp

memory/760-112-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\85B5.exe

MD5 e8a7c58150e15e5f50df5138d8ad76b5
SHA1 72cf64a30a3b53edeaddcc2208d4b56213e2b621
SHA256 fbcf59e0a03d92b54131853ff4def06f0866d4988494d4177416545247ba4539
SHA512 28c9aab25a955a36d38998b2a3027d50e4d7b7598687f41135c24604e7ba22baedeedb67fc9f9d4d2130e67a5bc5818822c8e9506f804a6baa1d83579a58728d

C:\Users\Admin\AppData\Local\Temp\85B5.exe

MD5 7dd569159d2cb939641a22367d7b5129
SHA1 e2f252fc02db41a5db4700c4a42829a899c44ff3
SHA256 3b682ed9b8b4f94bf7f6d296c2c06fdd356993555ceda20805449249738eeda2
SHA512 98f368d9561ac812a7695966db49c2af3ce145988c84307ed3f90eae2896a90794a0120a27edf7e4182be42a83f598d3f45b24ab402b448bac83177fe108c319

memory/2296-121-0x0000000001110000-0x0000000001284000-memory.dmp

\Users\Admin\AppData\Local\Temp\85B5.exe

MD5 dc51c4864c463652236a74f95b013886
SHA1 0054c96664463c445ddef5b9539274695c56ec9e
SHA256 8cc670dfd85b18c0d81fc69fe025260c539c660598ef63a22f23f06d716a5cf1
SHA512 572e0be1eeb966ce80a68efc0fb8507d3aec53b1028b87771b8a0beecbd23d5f33919d1f6309477818327fff8b8b3e1d5cc702812742e7e1b6cdd8b1fdcd3577

memory/2296-123-0x000000001BC80000-0x000000001BD00000-memory.dmp

memory/2296-122-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

memory/2296-124-0x000000001AE30000-0x000000001AF5E000-memory.dmp

C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe

MD5 2449def686158fff9801f567489d9c1f
SHA1 a26a611f6c8f43745d69a6138e07f8f32b09fa3f
SHA256 4230571aea510591a55384cedd110eb4c220014ccda30d2d7018dcee89c7770b
SHA512 9fe324902e5c31e6db664b40074ffcc03cd1c13606e9e6c4e156e71cb89d1e234477454df3debbccfe5b9e2c88b52e6e8f7746832a6f2f4d4ad6a9eb0d75000b

memory/1812-141-0x0000000000400000-0x000000000063F000-memory.dmp

memory/1400-140-0x0000000000990000-0x0000000000A90000-memory.dmp

memory/1400-142-0x0000000000220000-0x000000000024B000-memory.dmp

C:\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build2.exe

MD5 90c9b3a0975d1a1a3b1d37ac384d8bbe
SHA1 2147710bf0a7e0411dd0bd5fd4612e810d80befe
SHA256 b87169735848cc7806ce8312a7d3ad54ab11f15c8c31da9b010ef04c7cade8a5
SHA512 366ad68492116911d697202e7eccb4a00d59f8a5f6eeeb17fce9ccf8e056345d1095efbbf136304c6ccb1dd1624237a321c5e32ed9ba7dd510828ea167cd1134

memory/1812-145-0x0000000000400000-0x000000000063F000-memory.dmp

memory/1812-146-0x0000000000400000-0x000000000063F000-memory.dmp

memory/760-147-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\33d81203-c279-462c-ba02-0e1d7dde9e23\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/760-158-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1812-161-0x0000000000400000-0x000000000063F000-memory.dmp

memory/1740-172-0x00000000009A0000-0x0000000000AA0000-memory.dmp

memory/1740-174-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1320-175-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1320-178-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1320-180-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D6E2.exe

MD5 800d3f769d00d9b9f7917450bf46c9d7
SHA1 b58cea892a4d6ca6c71c92065b7a620f99cdbb42
SHA256 af206517607f46229631d8724ce835daff76e1fc29557aa2737cbe48dcd180f6
SHA512 d07219d33a1ceb45cb624ff0470944a844de0277e5bd4bf69ae69642c62ed5b0be5395c1b0c362e3736961f6859d8fa5938b52f24b42573bdc460182ef9a7acb

\Users\Admin\AppData\Local\Temp\IXP000.TMP\eY1yp32.exe

MD5 c3b9ef73abd0ea56088336559c05e3d4
SHA1 194423e4cf7c52681826e3faba7cbaf55595a136
SHA256 36a769ae5577b8f8b32eae0f5983e99c68ca66fc86082c78dea67e95fefdb7a1
SHA512 07c576520badad0b6b06e928e1579e584ebb7429153b8970f0796991d639f2349b783b174a6efd2d3f01a4ba3a15eaefc6d9b73547bbc4d4ec177be9544a5c61

\Users\Admin\AppData\Local\Temp\IXP000.TMP\eY1yp32.exe

MD5 f84c96a4dc6779c73c19662171e0b4e7
SHA1 9ebff33691795678af554bf756c8d4df74d2406c
SHA256 d855dcfce333d898f1fac75bf9959a22c996b6c6d1f9957b14416ae859d7daeb
SHA512 8fc165746fbaf039bbc2b86d9615fb2e861c325a8faef1339829951b89a9a8c73aa304a1c3e85dad71af738fd45b210899f83fdf22e503c4c83388a7edb5ed35

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eY1yp32.exe

MD5 138c4ef419ca7a1682a412e00341d06a
SHA1 0e6be4a1b3d36cf2873be2cf33e634b14107e963
SHA256 99853c210b82776d3968df196fb2aad8c6bcb544a8c8306daba0d2a28b06eed0
SHA512 5eae4495cfb5abcb536d17448af8ecfcff2f38c23bc610acc56e64f60e7e30b8d9670845d4ff33080883af52051f60df69ef621538b387627c22199f3d01cda4

memory/1812-323-0x0000000000400000-0x000000000063F000-memory.dmp

memory/2488-324-0x0000000000930000-0x0000000000A30000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe

MD5 8e6877bcd17e995e17eba3d4cf3d8271
SHA1 b7b0f32f671b60e90a8cbfc57287c9112f519760
SHA256 9968b741871e14da40d267b8e1f951e1ab559fbbcc17e7ba49f770c09f7e89a2
SHA512 23e152693a6a5e57595eeda0c5035aae3abd26294f285eed6c3b229bbbe0374a7aa1d02d2f20d3979d41c805ceea6ef457990fc81bc9b810e64e763bc8ad1794

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe

MD5 258a22860177be2c4729e00c59c440a5
SHA1 0b9349f051a81180b893c30ab0e3f3ab87fe49cb
SHA256 ea4ed9e103e77f7316e2548b91c5359420476cf7e9d014a878212d7998bde046
SHA512 64cf62bd37e98a505d1a9c491a120f4e31d24c42ac31b208ad4cc4c32f14b3466c6715949107f68bc4e855308e92f50ee7553b8058cf22e69a23f3cf12baa97a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eY1yp32.exe

MD5 e06f79fce58fe9c0f3436040955a126e
SHA1 c0b59707a4877df8af5a1bdea3f47a215bf68650
SHA256 c86abfed1b5080d60560f69d2c954b1a6070fbab181d8c48c3504f4fd5623961
SHA512 3a649c3a639b4c0f15d3265ea842ef84235ab749054cf5b71d82dad01167bd1c8fc00401313334701bbf887d1b70a94e66f0cf8d292d49605e6cf37aaa2c46d1

\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe

MD5 c2103da771887a4a2666d1bdbd213860
SHA1 b8f015ddab0f697fec5d7c99fed932cea11324f6
SHA256 57818317f33293156c39739da10250efa3251a866fd4bda257c3217d6e758229
SHA512 568c3c8615b52c9f5795111eca53f83a0a9f836561c8e13f425029cd2c207b1a830031cfdeb65e3f5c6d09cc2f9fc14ee59e3c1f0a04a63a452f99a5b61884d8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Bk48bF9.exe

MD5 f72f16b09d684a186a735ab7acfeee65
SHA1 9854afae7e018b4015cd23194b4183cdb25568f1
SHA256 00cd016f274dd5f6bb38e09a743e57744c95e52ae031b39390125b8801073b8b
SHA512 739c8b7822a8087375f272cfbf04233b7508ea311b5cb4bc8fb06e6fb239808c03db632830e7171bc84da062817649b6ab4893a184780a0f41a792e1d05e4142

memory/2296-337-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe

MD5 ce619a41a432807ff441de9ddf77c555
SHA1 a9c37d8a730d8a4824a898c3f22f00986cafed35
SHA256 2b07352150632b02319852e6de0be7c5471ca6ed0e7101265e41a4bcb34b0a50
SHA512 5e45eb252a766e2595b3f729bd877d73e2ab97139d4b9058688e42c2a81b0c97be602baf8a1a0445b50f3d78143a66a5d2b404842c97181d8f575c0e6ebd3aa5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe

MD5 3407ff230a228a586ddd51929540cc7d
SHA1 373d24406ec78947a8419aa9364b46073caca218
SHA256 8d3b41616ce5250a0a32b9c695a7a062bf1beff8bb9d2dd2f4890e9bcfe5fe4f
SHA512 18b84e72f1425a3c3cabd34527aaa1649fc02e016fcbc086948d536b8ef13e4087981b4dfa33911986e346718dc03c9778b6dc09b8eeabee18b1b4368284b591

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 e16daee0837cdb57c16d578bc31cd64b
SHA1 ad5c53836b1a3dabe9fe7784c7b75b92a1f65bef
SHA256 0495eb34a92fde5675414b99a66a0dbb3cef8bdf314ee19ce681746733ed0227
SHA512 4514bfeb504d1f7bd45eca6fa87e47734c4339e3c4fb69890ff1c4eb426fd43a0407244aac757bbb9cbda3368f51fca8eb2b8b9dc4e599ccf6e9c3eba3f5f3f1

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1E8608E1-9AEC-11EE-88F1-D2343147A8FD}.dat

MD5 00ba279bc27d975af0f5928cecc2a5f6
SHA1 c700da4d49e6f79c6814ad224f8049ae8ebea4f5
SHA256 c41595d07de0dede4c055ccbdf81e3b4cff873813d251f6283e7f5514c31adba
SHA512 017cd8c7000543b0b1250ad40b1504756667b7034e8e0778975cef45d39acb1b9aa09b0ca1ca72c6d93adf90d4c1caf122af7dede4aa93b23802d63009a6fa69

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1E8ACBA1-9AEC-11EE-88F1-D2343147A8FD}.dat

MD5 93f7e4e7af72f2c5d4bd666e0fe7b1e5
SHA1 14f494554b6a6fe5bca3a335ae8b6eff62dc7b84
SHA256 1a6ac3afda32cb20a3486c2e08367d02e4f79576c21fe446c4f13c4b5ff907e1
SHA512 727e3b4eec2dad840eecda23b9e0d71ba0714431214603bde344e9e065a9fb9ee229f9740445081fcf373aea80e990047b0fa6d0f05c94279dcc1a6e2c90e95a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe

MD5 be319efabc9c9ad5f442e706cb8ab2d0
SHA1 82996999baf46f3fb1db3883c5ddeb7026f6dd3f
SHA256 7b749c06f7ea80d7f9377a9d5fc5988fde5d4c0f4ab779428ef5df418f1a9ff1
SHA512 b037cab3735c2dd4c4d7a6905188939a68f3270ad83c86e8f990f2a65e9dea20c9b6bd259f825539bde2bd4159d7c9d81e69e9feb9c0baabc8f3a60aa80769f7

\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 a0c40930d0921a00456333f71ef40218
SHA1 a048da86ff3cfef486c4ccec7a53e19fac6c63ea
SHA256 8bd53b4ea48bb970004d960e5b7d41a9857a4e5f3a2d72278eae8aef3f5768c2
SHA512 9d8d9966a08250317dba4cb7fa600c00284e60531c2655edc4dac0d38497badda159b4b1c77e9465a1e99e84a40f261e57e4d514c9b057d6b49ff137132ccb9c

\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ud5107.exe

MD5 d0115bf31a754e541b702705f5698127
SHA1 71571eadc90a16a3ff45ad5a530fa6ff3edff3d0
SHA256 1ba4b3775e15629434473185c440d083dd89f08f01a8c7bec51850433ebada0e
SHA512 9634476289692609dcad4618361bd81cb37201ed8f9c188a1e28bc7683f04635a6b81dec664b2945dbd0942a5e31d2b97b52c00554c63f0699abe111090a8cd6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

MD5 d253b1d419fec8077b257c50bdc9268b
SHA1 f4cfbff8822b55b8314374aceb8bb453f3892308
SHA256 fccf7b8cb4ac95ba942f8fa984285c98da5710b4a05f3131c520d7b7f2992771
SHA512 38dd299dfcb0af978fc4c6496c2f8af853fccaf189375acee309f19b4a7a01b09bb25658a544c263966ae4a7edbfccdc8f9701ac1707015ee39a965858acfcea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee0d028fb1a4ab2cfca8a04143975826
SHA1 fa31c031c5312f7101fd0fa3bb5843cb5ea7995d
SHA256 24265cce79b893d5ed9740b8b3e99ac25b3a46031d4745dc90b7c513b6dc6c85
SHA512 8a9ff5eb54de7b826b0ef8ca8a7f494a7affead9b5fc7582f9d9fed4b2a5f54e4378f614a153d4a862f13dd5b97e38504ec53d1b093bcca84e4cb521fcf3be49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76529b2c12538fcd177d86466e39ce88
SHA1 0f025c8f60e54bd6a1999c1410aee464546e6597
SHA256 38332b463042cc2f70ff364ad37c3d354c784f967c9f10f29859abd32360c5f4
SHA512 7d187c26801f38632bc19834b3189c5d4a8cd3f26d1236146e63828af649eaec8880dac216f746736145f54376d32233f753cf5749ab2109af417cbe5317d4dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 f7a415bf1ae1476c0a958550620e4701
SHA1 971a48414208c2f4c5d209f587f0f746a85418dc
SHA256 f6b52fac27d5435d1a74af70f96f8e118909ec6b2e9dbcde4afab4013b33b577
SHA512 379caeed128b3d48dfd45501e651b51a7cf151d52e2a5e299b4c04978c58f7d6043ce728bd545ec99d3b286df6bf01b31d28c59d367b4badb4ed4398eec6dd97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33

MD5 6bae91bdf5ffcc85f724f2a34e226555
SHA1 10483138da53e8932dc33e705734105d83f7fe5c
SHA256 5995b648b9d54009920709bd4e0d3b4d37eec9410b52384fe5a0a1108d3b4cde
SHA512 0840a6d8f52ee279ec5def2853ce975e79494af9600959ebf55b0af25f4a753453dfa49f35ea29fa528052b3366e50b7a28d3ad1b67bb7e32c853b206e70675d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33

MD5 5da328317af9eaad10b010cd0a0291f9
SHA1 0c467e62d8f2a4f136cefc045afea8c5121fa718
SHA256 12e863bc7714128e8965ae4e97d60367ab3f55064750cb405caab100a36c5841
SHA512 6fabe694aaacf33bb65187208c15a864e7d20b84bad58b3619036735bfabaa4c1f9eebaaf16cb15500dec5da856aa38978d08f3ce75b8a9f9831dfd8425174cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33

MD5 41476a75846df20cba21258a0b5228c9
SHA1 d337b4c793b42abf2a30d399d22e8030c0524fc3
SHA256 0d4cac93aead006a2829b2bcb9f15fa6fa568b9ac1e1951e2618275af082d8f6
SHA512 8be16ca55e0c31be1020f30e1aac8dee940f1bc5505e7b06df6108a8cc7ca48358bc1c50cb3cd2f937229e4ca7affae5905d033b627d0e3905846196ce19df2e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4IZH9ZYG\favicon[1].ico

MD5 f2a495d85735b9a0ac65deb19c129985
SHA1 f2e22853e5da3e1017d5e1e319eeefe4f622e8c8
SHA256 8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d
SHA512 6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DTPS7C58\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FAO9XAUJ\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Temp\posterBoxSInlMWXrW97Rz\QdX9ITDLyCRBWeb Data

MD5 c8d1c11f1b295675211691e5c27e6e60
SHA1 7ee187c9b4255ab8c5eaa9be6017758c2e82e654
SHA256 2cef086176e0551becc76db4bc4a7cb3e6b79718d6f035f6082f4e7313517e31
SHA512 0797c496c80732a0492a78f265815eaa851de9c80dbc0550b0049b79e97292f70700fa7444444255978699b8414ee1ba9827a51eec64a02be01e55a513a1f6dd

C:\Users\Admin\AppData\Local\Temp\grandUIASInlMWXrW97Rz\information.txt

MD5 2e0329da921f4bde29259825b8b7ea9c
SHA1 ba30d47f34d68884d2cccb7a9799ed007a7dc1d0
SHA256 366cd324850e9b1043f0db31451a9e07eb05326190cb893f069dedf5cc8db9fa
SHA512 26ba5f30cb0d473044358752743e7718aa6a4fd9d734949c82af78f1e15b3053e1d5b0b5fc4d353aa02995c279791fc09b2ee9f3c85ce6e4088aa119884a25c6

memory/2296-791-0x000000001BC80000-0x000000001BD00000-memory.dmp

memory/1936-799-0x0000000000020000-0x000000000002A000-memory.dmp

memory/1936-798-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2788-797-0x0000000000110000-0x000000000011A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mh0er5.exe

MD5 09d728f7ab39a9bfc2e16d63f1981349
SHA1 2b9417b2d2834c948c5a01b65747a6cd966817ee
SHA256 9bc40e9164a0e1352416838b4d5787a916b2e99ef265c2068857581d66f5a909
SHA512 ebe4723520e73e893204d6e477fdeb0ee78352d5bd6811fdfc542ad01683cdd1a757effbb82acbf71fa0385f98cc9aede2c09c5ec1209a9ead66dde9d6f92eb1

memory/2788-796-0x0000000000110000-0x000000000011A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b930bac8cdbaac9a063c0dfa348d5a66
SHA1 73fbbc2fa9ac00ae4bce91fc4175a3273684b6a8
SHA256 ade9ff1d5d1677c393d9ca681069b309a5b22b524730aedf692ea7e6f482f576
SHA512 5a76711491e2e7e30800d9b8d4bd2b2b9d45479b9df54ffd38a6dcc6a36d66e84aca6d6ced814234fcfec836c6722c1af758068f9341863b86aaa7ae4253ea8b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f10d78bede9819377f91f8812b5303a7
SHA1 a6a697da35b0d1484aa7800f420c8e33a66d27ca
SHA256 35d9601f74952f6305cadee3f4bc49f8ef848dc6ada2ee80dd54cf74bd7cf8f9
SHA512 8dd23022d4ae907ae7b3744d9926cf169e97db763296fc1ef845084f0789f9bd64e889dc956ce79c77c8a654acf84b37b89d7464de7d158763816c123e8fde97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 985295532cce60f78ef7832ac5502139
SHA1 248feb6bc9bc2034f942ee42ccf47e192e8b6763
SHA256 1489e73c993343826ce10d9de44a86bdd33cdcfd0505ea6de93a65df0a87647a
SHA512 39753e36dbf958bf71725542092c7f7d71a8d78699e988e94f00f8f0408fddee15faa4ea0495b4d3dbf1521bb339bd8c6e596eb67e4df7f61899f8271e0dfe73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 385e4d9db7de41a398e70c0a2ff2d862
SHA1 a1e4573a33400202faddf5ff282efc06ebb55ba4
SHA256 82887ac8a66e574d8734ab96a3044818ef38ebb9cd0cadf6a584622c2240049f
SHA512 2a7ebb7c8cc0296821efd5ae7d4ad75aeec5719585fdbaa8eeb819107a5edd30e0a6c67f15c36237b0d07c3625a23588f930b062920d3c0ab71889b816a87304

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b363ceab913620c6cd1c87a3f124e270
SHA1 96ab538fd8125cbec53a244b7a856927034d0099
SHA256 635117ef800e95acccf777fcb246e0261f032607efb559665e27c9a6e04c10e4
SHA512 72c363a292ee66d94f5df413a58904b8f7ff94e5babe450f5a81edde9e63024e6d5012c04335b2123b301ed02da14a1d53894eb521f5bb02324b1006e05e8317

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bfee7c58232f13ebd644fdddeb2f79e0
SHA1 19f6c4d9bb5cdf8318181f16e785910c79b0eb04
SHA256 866260a7f5b62cdaae43d15c5aea70b40a3a22e7ea85f1c88282cececa3835ec
SHA512 f16d1dcf3c04136e1c13677bd3d0084344a987a2c52dffd3d57e6ada51ea58d8a55a74a3fadad016efcb9226d5ab929e981a241cf328bf13349575f147abfeb3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9240d2e211af6e3e28aab031fe52a13
SHA1 d21bb94dafcbc69ec3c34a1640e03a0b8df1d85e
SHA256 4e882a31fc64ac57f1fabe2c8b45f3f3a08ab35943cde1280a36b093faacedc0
SHA512 20877b1e5b0c9c28aef6c6258e30eb492c009ac8cec7831d0f394949b5707c41e6e959bb72cd959716c59ec675b8168a24d3d5fe4fcfb4bc425e1c5683ede10d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 25b8f3b2558cf624833c8a1380a28690
SHA1 ac21bf3c7311eb16f3b75c88a37fc9ab0d362be1
SHA256 1f54ddc77c763d296fca3cf9e319883d8ef7ee9ac378eebad796bf8122d79065
SHA512 c43997957de99f96bd8d6c3454de35ebb75d4d5c7d5b4e1b8409a26471b3f22586d34cac38f22f8e6d23dd17aa2e0f7556558eafc568fafbb12bdf7eb461df46

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df47d5f0b9ae83145ea4bed844de93fe
SHA1 af4e35953d74cbeb0504f12ff2681a35123a4aac
SHA256 ac516be2608d236ffd566ebcdc01cf2e4879e217355ef560d11eb67cf60097db
SHA512 5bcb8e2354424f73ba20f90ad8f48855de0406d32216cc5acc39bcfbef7db3eb4e521d08faf025271aafa8ae2dfdd19989382cfc9504aca9ea9b40fac0621a56

memory/1372-1095-0x00000000042B0000-0x00000000042C6000-memory.dmp

memory/1936-1096-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cee073ab5ae6741e15729ecdb1c82222
SHA1 c303ec954cf3a9e7ad63ae84cb0135d97c453f74
SHA256 1b9daa7b2e13bae4d4cdcfddddeb1857230dd2c9d417e9711e00d97d92c6ed96
SHA512 2394127416dfc9ca7503c80b30b527437433b74a05d6fe9e896fa108f31029dffc2a313f813f1ec81575fffe87f9ac9a7fc6eff3e4f58d9637fee18b296669b4

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\Local\Temp\47DD.exe

MD5 700a9938d0fcff91df12cbefe7435c88
SHA1 f1f661f00b19007a5355a982677761e5cf14a2c4
SHA256 946583a0803167de24c7c0d768fe49546108e43500a1c2c838e7e0560addc818
SHA512 7fa6b52d10bcfc56ac4a43eda11ae107347ba302cc5a29c446b2d4a3f93425db486ed24a496a8acd87d98d9cfb8cad6505eb0d8d5d509bc323427b6931c8fff8

memory/2764-1286-0x0000000000A00000-0x0000000000B00000-memory.dmp

memory/2764-1287-0x0000000000220000-0x000000000029C000-memory.dmp

memory/2764-1288-0x0000000000400000-0x0000000000892000-memory.dmp

memory/2864-1292-0x00000000004F0000-0x0000000000544000-memory.dmp

memory/2864-1293-0x000000006FA80000-0x000000007016E000-memory.dmp

memory/2864-1294-0x0000000006780000-0x00000000067C0000-memory.dmp

memory/2864-1295-0x0000000006780000-0x00000000067C0000-memory.dmp

memory/2864-1296-0x0000000006780000-0x00000000067C0000-memory.dmp

memory/2864-1297-0x00000000009F0000-0x0000000000A4E000-memory.dmp

memory/2864-1298-0x0000000000B40000-0x0000000000B4C000-memory.dmp

memory/2616-1303-0x0000000000A20000-0x0000000000A5C000-memory.dmp

memory/2616-1302-0x000000006FA80000-0x000000007016E000-memory.dmp

memory/2616-1305-0x0000000004030000-0x0000000004070000-memory.dmp
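A practical note on reading the listing above: the same CryptnetUrlCache\MetaData path is reported many times with different hashes, which means the file was rewritten repeatedly during the detonation. That directory is CryptoAPI's URL cache, written when Windows fetches certificate, CRL or OCSP data, so those entries are a side effect of the sample's TLS and code-signing checks rather than dropped payloads; the dropped executable in this span is C:\Users\Admin\AppData\Local\Temp\47DD.exe, and the memory/PID-SEQ-START-END-memory.dmp lines are region dumps keyed by process ID. The following is an added example, not part of the sandbox report or its tooling: a parser for this "path / hash lines / memory dump" layout that extracts IOC records, checks hash lengths, finds paths that were rewritten with differing contents, and separates system-cache artifacts from candidate payloads. The regular expressions assume the exact line layout shown above, the classification is a heuristic of my own, and the embedded SAMPLE is a handful of entries copied from the listing.

```python
import re

# Expected hex-digest lengths; a mismatch means a truncated or mangled line.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (layout assumed from the report)
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: entries copied from the Files listing above.
SAMPLE = r"""
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 385e4d9db7de41a398e70c0a2ff2d862
SHA1 a1e4573a33400202faddf5ff282efc06ebb55ba4
SHA256 82887ac8a66e574d8734ab96a3044818ef38ebb9cd0cadf6a584622c2240049f
SHA512 2a7ebb7c8cc0296821efd5ae7d4ad75aeec5719585fdbaa8eeb819107a5edd30e0a6c67f15c36237b0d07c3625a23588f930b062920d3c0ab71889b816a87304

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b363ceab913620c6cd1c87a3f124e270
SHA1 96ab538fd8125cbec53a244b7a856927034d0099
SHA256 635117ef800e95acccf777fcb246e0261f032607efb559665e27c9a6e04c10e4
SHA512 72c363a292ee66d94f5df413a58904b8f7ff94e5babe450f5a81edde9e63024e6d5012c04335b2123b301ed02da14a1d53894eb521f5bb02324b1006e05e8317

memory/1372-1095-0x00000000042B0000-0x00000000042C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\47DD.exe

MD5 700a9938d0fcff91df12cbefe7435c88
SHA1 f1f661f00b19007a5355a982677761e5cf14a2c4
SHA256 946583a0803167de24c7c0d768fe49546108e43500a1c2c838e7e0560addc818
SHA512 7fa6b52d10bcfc56ac4a43eda11ae107347ba302cc5a29c446b2d4a3f93425db486ed24a496a8acd87d98d9cfb8cad6505eb0d8d5d509bc323427b6931c8fff8

memory/2764-1288-0x0000000000400000-0x0000000000892000-memory.dmp
"""


def parse_listing(text):
    """Return (files, dumps): file records with their hashes, and memory-dump regions."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            dumps.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                          "start": start, "end": end, "size": end - start})
            current = None  # a dump line never carries hash lines
            continue
        if PATH_RE.match(line):
            current = {"path": line}  # a path starts a new file record
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        # anything else (headers, stray text) is ignored
    return files, dumps


def validate_hashes(files):
    """List (path, algo) pairs whose digest is missing or has the wrong length."""
    problems = []
    for f in files:
        for algo, length in HASH_LENGTHS.items():
            digest = f.get(algo.lower())
            if digest is None or len(digest) != length:
                problems.append((f["path"], algo))
    return problems


def paths_with_multiple_hashes(files):
    """Paths that appear with more than one SHA256, i.e. files rewritten during the run."""
    seen = {}
    for f in files:
        if "sha256" in f:
            seen.setdefault(f["path"], set()).add(f["sha256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def classify(path):
    """Heuristic (my own, not the sandbox's): separate OS cache noise from payload candidates."""
    p = path.lower()
    if "\\cryptneturlcache\\" in p or "\\internet explorer\\services\\" in p:
        return "system-cache"      # CryptoAPI / IE artifacts, not dropped payloads
    if "\\appdata\\local\\temp\\" in p and p.endswith((".exe", ".dll")):
        return "candidate-payload"  # executable written to %TEMP%
    return "other"


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for f in files:
        print(classify(f["path"]), f["sha256"], f["path"])
    for d in dumps:
        print("pid %d region 0x%X-0x%X (%d bytes)" % (d["pid"], d["start"], d["end"], d["size"]))
    print("rewritten paths:", paths_with_multiple_hashes(files))
    print("hash problems:", validate_hashes(files))
```

Run it against the full Files listing pasted into a file and the "candidate-payload" records are the hashes worth pushing into blocklists, while the "system-cache" records are better read as evidence of which certificate chains the sample caused Windows to validate.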