Malware Analysis Report

2024-10-23 17:19

Sample ID 240128-2d281sbeh8
Target fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a
SHA256 fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a
Tags
djvu povertystealer risepro smokeloader vidar zgrat e7447dc405edc4690f5920bdb056364f pub1 backdoor discovery persistence ransomware rat spyware stealer trojan amadey lumma stealc
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a

Threat Level: Known bad

The file fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a was found to be: Known bad.

Malicious Activity Summary

djvu povertystealer risepro smokeloader vidar zgrat e7447dc405edc4690f5920bdb056364f pub1 backdoor discovery persistence ransomware rat spyware stealer trojan amadey lumma stealc

Amadey

Stealc

SmokeLoader

RisePro

Djvu Ransomware

Detected Djvu ransomware

Detect ZGRat V1

Detect Vidar Stealer

Detect Poverty Stealer Payload

Vidar

Poverty Stealer

Lumma Stealer

ZGRat

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

.NET Reactor protector

Executes dropped EXE

Reads data files stored by FTP clients

Modifies file permissions

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Modifies system certificate store

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-28 22:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-28 22:28

Reported

2024-01-28 22:34

Platform

win7-20231215-en

Max time kernel

300s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe"

Signatures

Detect Poverty Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Poverty Stealer

stealer povertystealer

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\92BE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\fwactwr N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3007.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\371A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3B20.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3B20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3B20.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3B20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3B20.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f6a6cfcd-d541-4121-8e6f-6cd93ceb39b0\\AC57.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\AC57.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\92BE.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\92BE.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\fwactwr N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\92BE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\fwactwr N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\fwactwr N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3B20.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\371A.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1256 wrote to memory of 2724 N/A N/A C:\Users\Admin\AppData\Local\Temp\92BE.exe
PID 1256 wrote to memory of 2724 N/A N/A C:\Users\Admin\AppData\Local\Temp\92BE.exe
PID 1256 wrote to memory of 2724 N/A N/A C:\Users\Admin\AppData\Local\Temp\92BE.exe
PID 1256 wrote to memory of 2724 N/A N/A C:\Users\Admin\AppData\Local\Temp\92BE.exe
PID 1256 wrote to memory of 2980 N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1256 wrote to memory of 2980 N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1256 wrote to memory of 2980 N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1256 wrote to memory of 2980 N/A N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 2980 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 2980 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 2980 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 2980 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 2980 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 2980 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 2980 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 2980 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 2980 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 2980 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 2980 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1656 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Windows\SysWOW64\icacls.exe
PID 1656 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Windows\SysWOW64\icacls.exe
PID 1656 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Windows\SysWOW64\icacls.exe
PID 1656 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Windows\SysWOW64\icacls.exe
PID 1656 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1656 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1656 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1656 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1920 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1920 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1920 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1920 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1920 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1920 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1920 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1920 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1920 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1920 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 1920 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\Temp\AC57.exe
PID 560 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 560 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 560 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 560 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 852 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 852 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 852 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 852 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 852 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 852 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 852 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 852 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 852 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 852 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 852 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe
PID 560 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
PID 560 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
PID 560 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
PID 560 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\AC57.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
PID 1804 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
PID 1804 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
PID 1804 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
PID 1804 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
PID 1804 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
PID 1804 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe
PID 1804 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe

"C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe"

C:\Users\Admin\AppData\Local\Temp\92BE.exe

C:\Users\Admin\AppData\Local\Temp\92BE.exe

C:\Users\Admin\AppData\Local\Temp\AC57.exe

C:\Users\Admin\AppData\Local\Temp\AC57.exe

C:\Users\Admin\AppData\Local\Temp\AC57.exe

C:\Users\Admin\AppData\Local\Temp\AC57.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f6a6cfcd-d541-4121-8e6f-6cd93ceb39b0" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\AC57.exe

"C:\Users\Admin\AppData\Local\Temp\AC57.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\AC57.exe

"C:\Users\Admin\AppData\Local\Temp\AC57.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe

"C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe"

C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe

"C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe"

C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe

"C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe

"C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1460

C:\Users\Admin\AppData\Local\Temp\16DB.exe

C:\Users\Admin\AppData\Local\Temp\16DB.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B07011EE-33EE-45EA-8E51-7EF707BA6710} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\fwactwr

C:\Users\Admin\AppData\Roaming\fwactwr

C:\Users\Admin\AppData\Local\Temp\3007.exe

C:\Users\Admin\AppData\Local\Temp\3007.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 96

C:\Users\Admin\AppData\Local\Temp\371A.exe

C:\Users\Admin\AppData\Local\Temp\371A.exe

C:\Users\Admin\AppData\Local\Temp\3B20.exe

C:\Users\Admin\AppData\Local\Temp\3B20.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 156

C:\Users\Admin\AppData\Local\Temp\3B20.exe

C:\Users\Admin\AppData\Local\Temp\3B20.exe

C:\Users\Admin\AppData\Local\Temp\3B20.exe

C:\Users\Admin\AppData\Local\Temp\3B20.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 158.160.118.17:80 trad-einmyus.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 brusuax.com udp
KR 211.119.84.112:80 brusuax.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
DE 146.0.41.68:80 tcp
US 172.67.139.220:443 api.2ip.ua tcp
KR 211.119.84.112:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
MX 187.204.100.230:80 habrafa.com tcp
US 8.8.8.8:53 novoscanais.com udp
PT 194.38.133.167:443 novoscanais.com tcp
PT 194.38.133.167:443 novoscanais.com tcp
NL 45.15.156.13:443 tcp
NL 45.15.156.13:443 tcp
US 8.8.8.8:53 snnclermontprojects.com udp
AU 176.97.69.235:443 snnclermontprojects.com tcp
MX 187.204.100.230:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
FI 65.109.243.18:443 65.109.243.18 tcp
FI 65.109.243.18:443 65.109.243.18 tcp
FI 65.109.243.18:443 65.109.243.18 tcp
FI 65.109.243.18:443 65.109.243.18 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 olivehr.co.za udp
ZA 41.185.8.154:80 olivehr.co.za tcp
FI 109.107.182.40:80 tcp
IT 185.196.10.146:80 185.196.10.146 tcp
DE 146.70.169.164:2227 tcp
US 8.8.8.8:53 udp
SE 192.229.221.95:80 tcp

Files

memory/2204-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2204-1-0x0000000002CA0000-0x0000000002DA0000-memory.dmp

memory/2204-3-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1256-4-0x0000000002A60000-0x0000000002A76000-memory.dmp

memory/2204-5-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\92BE.exe

MD5 01fb175d82c6078ebfe27f5de4d8d2aa
SHA1 ff655d5908a109af47a62670ff45008cc9e430c4
SHA256 a07112e236e0136b43294b31a43fb4456072941a135853e761680d04315841c3
SHA512 c388d632c5274aa47d605f3c49a6754d4ad581eb375c54ce82424cffa2ad86410a2ad646867a571dcf153e494b4e7ca7a7cf6952b99ddcf5940a443f7039f2fe

memory/2724-18-0x0000000002F50000-0x0000000003050000-memory.dmp

memory/2724-19-0x0000000000400000-0x0000000002B04000-memory.dmp

memory/1256-20-0x00000000039E0000-0x00000000039F6000-memory.dmp

memory/2724-21-0x0000000000400000-0x0000000002B04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AC57.exe

MD5 9942dcc604e22fcca1c46a5311207dba
SHA1 41629919ab65620e9f5be01ebdbb8fc6a1cbd49e
SHA256 a86aaa108c68378621ee1c3152aa5db3aaef3564600ca822df76f29bab86a0f7
SHA512 5c17fb6765c21cd68ed6410776c1a37f3330bda07f36e6d3800042fef1da2cb21085f8b81667cd495b948c9535e26464cd53ea37cdd5ec5fec90be6491dd5436

memory/2980-30-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AC57.exe

MD5 a672e66a90d5fe402e6b9937e621c866
SHA1 6ff0e94017cdf4a704f4241f2debd4d7a6cfa3a4
SHA256 1f8b0c2f91a771a970100cae325f1a1f7b9838aa35ae8ce5c0e1d392262234f2
SHA512 d129e8592983d4b415fb274689bc180e924694b066668409e60f92501598f9a6ed3cf77f7a7e3e5f63580329a75f42d12c100ad27af6b951b05334e91e7b0449

memory/2980-32-0x0000000002B90000-0x0000000002CAB000-memory.dmp

memory/2980-40-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/1656-41-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1656-42-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AC57.exe

MD5 e32d75a077a95007baa8c672a87513c3
SHA1 ac5acf50135941d3f34c68ec54bdb423f2866c44
SHA256 b720b40c7bcf81ef97932c9edecdc8c0958eeaba8886b4e5e4e5236064cb19b4
SHA512 bc7e602563d26d62b96e4be778759b560b8add3d3489ed082642e28d982f206acd891a785f60b522ddafc859d35ddaa04333ca19a09ec7dc7f736cc2df41e231

memory/1656-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1656-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AC57.exe

MD5 9e91d0b912def3c4e5b310e3fd2fa93a
SHA1 ef6f9e5189a11c326ccedc47a1231ef2d8bf9b99
SHA256 2041fbdd873f903934cf109be7aedffe9217147c41c1dbc35dc129a48b765f9e
SHA512 b9246eb516bf0e0eecd1416533b5e362a96e6a6c9b11bf64a32cb01b6abec9c4c441c65d92bec91f031fbde7b6dcb6d10acde23de6173b96c7add77fc9a977e9

\Users\Admin\AppData\Local\Temp\AC57.exe

MD5 dd9c88d433ee4299f73e62b57709ed09
SHA1 b8a9613ec41d87f0730f5fae26d76f9bd8370197
SHA256 73b4b5b330bbc7e92f7131fb62633d6a6c909e699aa713b3e6037e8cb338bbab
SHA512 f65ec97225d54bf84b439dddb6aa6172649b56298bb39a1a7e0aa5e519e2a8c8b56856516fb56fe1ccfdf59da614ace581fa187a53212d5cef048349fb6b1569

memory/2980-31-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\f6a6cfcd-d541-4121-8e6f-6cd93ceb39b0\AC57.exe

MD5 3ba7e01d7871c1578135181c87c8fc06
SHA1 7460b6607835ada9178efe1d8614c782286425ae
SHA256 e56b321fc656d6542e5b27da933577c15f96c318ad0011d3d74f19a75877b868
SHA512 670ebdace55b460dc3fec0cd849a5a7f3989043f728a67e33f5be63beb223ec335e1bfacfb2714cd9c41d947bef40112032b53a9d760c0fedfdf093e1175db4c

\Users\Admin\AppData\Local\Temp\AC57.exe

MD5 f36a4015f6da789fac1af7d9a521e1ea
SHA1 fc008e528c3d72a7703260923fccfdbe7acf301c
SHA256 4a629b3276a97466bc4a77de8a3a9cd7e10e6da6f8903678bb21833524be01c9
SHA512 a2ae7ee0f5815246ef16906339788147e54280e089556e5b565364194334a40e021555843f10628bf8e012a28966faa25f7f0e3a67ec232a30b4314d62ca1bc2

\Users\Admin\AppData\Local\Temp\AC57.exe

MD5 53a3ab70d3e2802b938d66218c51dba7
SHA1 bab7f6122c0df9e4c1b245ebca769f7517e03819
SHA256 e33cc28ab230378080b3598b1892d77e632d964f96bdfa0d095a56be6c39897e
SHA512 82cdfaa5bf06948a5dff4575856a338ef3850cf6ee88ea151314ddf3b22c383039494852aca439a5360fdd0999160bc46a940b46d455672cc99d39778ba91a88

memory/1656-63-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1920-65-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AC57.exe

MD5 99cc42fc53518090a19ffcd675f277b4
SHA1 6803df024b2353f32c9d8c63da8e3275d569d129
SHA256 2a92245747b7354e7da5b39caf552e111d2a6caf4a035d81da91aae5eb36a47e
SHA512 ece58b011b649e400a356ef2cc208d25c19e7604bbdb884529bf5f39fdd58a39862d0cb66015d080711f14c44ac20910bebf1819002f314d11df417bbbed359d

\Users\Admin\AppData\Local\Temp\AC57.exe

MD5 892e5b6ce94cb4d6830c081dcbdb6ea1
SHA1 a897c411d3066e12f88b85056942d09a28d015c7
SHA256 4dc5fb979f34a048cfa09da89c49e8a54ff3097807c274962b7e6a070731cdf1
SHA512 ab5096b4932c23d2a7ff167c248bb5f13021e125c15ecfe626554c6c710fca9041a9682c7f9c624b9f9c0bc86e4fb1075d27930dfc4ea431e63095630693abbe

C:\Users\Admin\AppData\Local\Temp\AC57.exe

MD5 b41150e5b4d5a450cadabfa67b02d0a2
SHA1 28d69f8aca2daeb799685487a8262cb0c6666eb6
SHA256 c971824dae57a547a10e35fa141228730befedf27dadfe160171acff85b6727c
SHA512 cd39c550182c19884b7c934e08566ddf04648d7d8481ebd71df62e4bc878601257cfc4b01e80a0d2514f709b0569c1ea358f35d5fecd281ec1e930454acf2967

memory/560-73-0x0000000000400000-0x0000000000537000-memory.dmp

memory/560-74-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1920-68-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB673.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 44e370d6dd35a2ca9d54aee3cc7e353f
SHA1 858efa31f097690117106aee67a8af27252f2091
SHA256 1213e3ee84910409a14a460646ab4f8ee16245f1dcef511607bf2ba26b4c9979
SHA512 a944f931b48a6f4c9e238abd23282b69edd82aa66126fe59d510815c779142bde4f9b955c333c59ae8eb890a52dcb10e1c0265d90e68bad4b3cd480033a5569f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 a085b8d3a143cbb54317e4257cc3bf8e
SHA1 70f06591ee02c0d73cdfb27e20ab1ad29a7194cc
SHA256 1ef8d84afb6194218f65191e109c1eee101da8694109caab311da8eda1871471
SHA512 1d8509fbb1f3f54b4d4c3693a502ac9110819db2b71617adddff9be731ad59e567b9768bb354abc5efa854efc2e4d6dd3252288c36096d8dea64ade10a41775d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 28baf5fd68df59a9964b94cb39ffee77
SHA1 b3fddc328582ee68eeb23616393db9abb9e27380
SHA256 c5dff2b8854fb9ed981ebdb1d6b621cf681bd1ac18ac44b14c138cd05352365b
SHA512 1487962f4c57144dac2278d6a0f04da56f6ba4f03c5467f9df1cc04896fe4fb8bb7286027ae274a95e46e6c0baad836384fe4ee969824efe295d4da2200ebcb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 375f4e1f28d60738dbb55294d4dc87f3
SHA1 589f99ec9ad5c47f762039d6c9e6c6004ebb5312
SHA256 5adab77cf434959cb1f58caa4af35aa57c77d3e994091164983742fb519d2649
SHA512 06996ab03ab4d3320d77974077cd2a6f7b492a4d487b680cf563ebfed08cc32d6b99c4027f06e660cc006a51e1d9ede4d7522adc2da8d3b4713b4ca9780d8287

memory/560-88-0x0000000000400000-0x0000000000537000-memory.dmp

memory/560-87-0x0000000000400000-0x0000000000537000-memory.dmp

memory/560-92-0x0000000000400000-0x0000000000537000-memory.dmp

memory/560-94-0x0000000000400000-0x0000000000537000-memory.dmp

memory/560-95-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe

MD5 044ebce26563d94a76933620d1e46d5e
SHA1 8c61d993fc3daeadc3ae2e1a7cca5d85f71eb2fd
SHA256 cd921a90c0407cc97311e400997d9261e6aaed578ea3d73e752494a175e3570d
SHA512 c2929c94c87cc80df7f26021d2440759c76edb58c3ffd65a790d0e3dd007e54ddc518355540086b088e770fa445f9f783b868386783d9beae30800f59fb75e7e

C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe

MD5 9b00df1cca53e81d90dfc2548f8d9114
SHA1 a783bde9346c8ece56aa6fec12348fea40fdf6ec
SHA256 1ae4509fb8949fab80d4cc0fefec087af17e7c5654f2a66ac04f7372edaec5fe
SHA512 406e14898fadc9aa63021d15c1e23cc812f472c6dd1fb59a29de2c4660b573e26ba13b892b2d3755e29d6fe5fe30a4d1c0550e0aca9d0bf5ae936e59d3141ffc

memory/1692-111-0x0000000000400000-0x000000000063F000-memory.dmp

memory/1692-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/852-113-0x0000000000540000-0x0000000000640000-memory.dmp

memory/852-115-0x0000000000230000-0x000000000025C000-memory.dmp

memory/1692-116-0x0000000000400000-0x000000000063F000-memory.dmp

memory/1692-117-0x0000000000400000-0x000000000063F000-memory.dmp

C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe

MD5 1c260741a4c8c0a31f92d879f0ecf8f7
SHA1 61f5b8cd90865a7e7b0cfbc9d83aea316bf4af8d
SHA256 18de2554bb72d55d6bfd27cfa395e0b021790fdb3427a21e4e2de4541a31e540
SHA512 6a1726003f1f5cc7a76d94b5d9c8804490e2b122343241a5b94e2c4d581cc6d79a1d2aa4cf053114a2b8c7a4966477a11e1cdb7e66b4d537888698401f643a8a

memory/560-118-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarC7E2.tmp

MD5 5170bdaf3f4d15203f4b79498590e81e
SHA1 ae45b412ff3fc20aae07aa6b7513a54be3d41d6c
SHA256 9514cc14ee665f728a3e985824dee43711ad64b1be8e7461279c8f086a64772f
SHA512 91b47839dbd2b2bbab015f10fece6425f4e2811e14833e518f8d9cf1e98391d87db5c391d8caff8958b46644a2b714859fb36653a489ff6da30f3805f81288ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe6495bda784966aac4fa8b63dc7997a
SHA1 099e305a08db27c582e3442ab6a39f8904ca30b0
SHA256 ff61b701ed677888ef39761af3f9b6edec177c32eb29ac21d72cb6b6bdae834f
SHA512 76415c5ee9aa7e5f7e5fcbfadb398441623f55a700e140ff55bf2094f1a6a9905f0ad293e317d09a52f3557bc1fa7ab66d3808b8b0e9a630eaed260a2de42e2f

\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe

MD5 92f52218e3d0191fc91584b3ff71fb02
SHA1 09b07718a39eb597e572fa59ccaeeca3b71fa348
SHA256 d537aefa07608e67d098240488fdbffeeaa760dcd0a0e61c6d2adbee9ef895ac
SHA512 ad7b04e2a00729a5fc162f0263b66b6f1f9adfab1448f5072539d22d829a190123b178210ea797d80af05d39664dcf3cf2b8c7f19015a6e7a8a3067745f79557

C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe

MD5 ee64192523d465c22ce0a439e72e5eec
SHA1 593e33ad392d50b1d03deff06b003968b67e4af4
SHA256 3140ad5b9013795ba73ef0fe8113f04aa99bdf071d90c0f6f79144728a31007a
SHA512 f0e513eab3ee5e684e5dfa9020c4b340664766ff0bb680303478fd3dd310351a67c01fc02df291dc3fa68ebad248e0ec2399ff9b86bd68fc48de77cc8e781806

C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe

MD5 315f195ce59fc5c0235175bf76dcfa9d
SHA1 68c4eeeaadfedc5939ff429a93479f89d676e249
SHA256 9887a91bdebff455998a63cbfc95e1899a6a30e7d0c635c35fee34a2c2a4e7f0
SHA512 7cd1e0b5532a5a6530a9ee900f80571c6e7f809018ddaf074cea8308c078739764e35d7f0b016a170beaaa7f44c208eae701ed2cca3864434255a97b0b194a53

memory/560-190-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe

MD5 198e2903cdf599af5f0c793673d472ff
SHA1 868a7d09a2344284ecf8bc98c543148d380553a6
SHA256 a7740883c43684823171af8dc5dbfd5d55681549d7e4bbdd89a491c21525ad20
SHA512 bfa5da3718b8fe227aaea9ef12f1f464c43236956cbaefb3433ca8fe0853c0a677c99d0e5d378ffbfc82f10046100dc7c6fc895147e47c0aa18a654b9aef58aa

memory/1804-231-0x0000000000860000-0x0000000000960000-memory.dmp

memory/1864-237-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1864-239-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build3.exe

MD5 0d37a94868e9b5cd7804dfece3297f91
SHA1 5415ac03b02ff1c0bd1a839ea5443e5c972296a2
SHA256 e5f00ac1b0e1ccdaad7e8cd9e6ea3e51bcf1d098e6e3ac10ddf7d2f27d709505
SHA512 12933d885bf0eedcc753724baed9cc7197208797d64d829fdde6f7024d6e8e6ceb31c0082af8ec21f55f84f1b4d0c7cdbc5b0254f544dd15afad54c6916703f7

memory/1864-234-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1804-232-0x00000000002A0000-0x00000000002A4000-memory.dmp

\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe

MD5 633f6053796a35a53478cab3db82a30f
SHA1 c53149580f8a7c3bc052fa6bddfcd980ac081a66
SHA256 e671c5845722f5e6914be4175ab97685e909b30d9a1c938db07ab821d550acbf
SHA512 5a8d2080bf3ddd8f183fd7fa29f9683f5569f4303867a30ac0665b5c762c98c72b9c56aa21ba67bfca4bf0a3ee9d94beb337eaba97a68ef335636747a0b273bd

\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe

MD5 58f2e433607fe95db002f2fe21211cd2
SHA1 a4193bc250e004904ebaad72af3d3e9e0ba0bd4c
SHA256 0718fbb39dc12a0af825ea3cfe9a69e937d1a012d7d4b2d981ae9e722381aab9
SHA512 349bd64872cc1995535ffd4d6878486dfaa2e427f4e3abb808583e9dfb3e131547d5bb3422ce8839b617004d3889dc4db9d427b8f7b73b9af028c00b72eacc7c

\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe

MD5 cc1e2e5e11088917aee302355c6e529e
SHA1 0e2d6c139923b4a25125ee6fa661de2dcc71b28f
SHA256 2c71db965f17f85f2961aa103cde4580b46d732d1a56fe60a191bdfc45ac9541
SHA512 8ae23ec31bec41e5604704c08dadd95d5ad509bf02dd1938f3af3255b2c4738fb67ae681464f2f61aac390c017fe8f24a9820f0ec046066e2990bd99d12b780d

\Users\Admin\AppData\Local\d03dd689-26c6-401d-9373-dfbf704b405d\build2.exe

MD5 e7fb172287de130a8882d8fa7444901c
SHA1 510ed8b432f52411c5dbc097b0eb75d379d790e3
SHA256 d4389046d624a7687ca6de57435ba161ae36812ef5b8c91c793cc90b4fcaefcd
SHA512 12ccf361c3c1ece041c435b276344eab4d231a3052670235f8d9517ddae395af58f2ac8d31943ad060b787084abf6981447caaf92b6de929e4f65d06c546cce0

memory/1692-266-0x0000000000400000-0x000000000063F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db6ca8871b7c61ab7da487227318c9cd
SHA1 167ba87f7bbe03a7e2d7d57d8277cf4970dd78e3
SHA256 7fccd458fdada40e1b62b2791557f1345cabcb80313efce8f62e6cbb3fcea322
SHA512 8c0e0945a04c0279234ead1124f5f925435bed2193f6e8491d111edffa68f6eb506ee2723fa04cf23423936ffaf428d395ce064a64a22d946adb8e643755b759

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c882bc12ac29a903042d271ee9668b4
SHA1 9d7f4d4f386dba0432d9eed5f90a83ecae2cd13f
SHA256 3b5f2fc96d472b665d5d4070fbc357045e9e12cec6e0fe9b94288530e0f6b521
SHA512 0e6eba08cd094e0c81c66fbede6a9af917beb2ef0fc6c79813826e92f9f88dad94e1a093bb6d7f6b585e5ed59d5a540e73a4a438ad88ec4aab5871955ea8d435

C:\Users\Admin\AppData\Local\Temp\16DB.exe

MD5 bbb443209263029bce215a3ba34634d8
SHA1 20514a28111052705fff77465364bccb70394d27
SHA256 010d993812bea3045c1ba94894897e0df36d19aca6e2cce89b0d4663c3925e9e
SHA512 7e85acdc0f65de67923fe57e95fc024fd1b9325899923085fba75c097157a51e1057d954408eaccb361e68c7cfd79b6547765480844d1521aaf4130e1f4c5f96

C:\Users\Admin\AppData\Local\Temp\16DB.exe

MD5 d23cf8d242ae066463bf8647f3c0b851
SHA1 1bb312970a36d55e9346d4e90a157e38a9fd86ff
SHA256 64f6473bdab3b8531af6fb26f642c53f1b30001d4ca8bb8b681f3f5e7c0d3c48
SHA512 f51a0852c7d8dc1bbd5525ceea9a2da63d191ad428186937bc2b5398070f8b16bc403e34a1c8ccd6b5fabe2f3e5403a6021390481cad569eb02cc649a566fb1e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 ff59d999beb970447667695ce3273f75
SHA1 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512 d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

MD5 02854cbad0296bc25662d3c307c0c031
SHA1 f94aae0cca9e6971f7ce37f3b02eda67961ab6ac
SHA256 85e550afad4aa76fa5734e2266fd8edae0769abf67d868f1a813a04b9da2a72f
SHA512 bc530c06227ac5515b6cbaac442af05714a246dc65bfc66e8b5525fcd342ab4eabb69dcd8f260a95ca9bfd8aac68be75058113c15838d67f79c9a273e4dc5d60

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

MD5 1355e4ec8207b40f9e3534b2c75f085f
SHA1 67c2349128474c826ed05409ecd156bc8773db2a
SHA256 85d2ebe3449b97cd1896d4b34e4b9fd6a79bb95097a86df40c34275f17449629
SHA512 bcd7368e84522e89345a40d856a8808aa0e39860bba835c7874a37ee660db7f1f14b4a9b0ca97e0fd36ec54a0c33190bbe3810926201b72f9d195b7ff992f543

\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

MD5 b28abec15940b5ee3f53e0dbcc619ecd
SHA1 524ab7bec2c35c531968d68fb749e802fc595bc5
SHA256 c015f94db8d1c33a5843ce9d2e738ac71ebcccbc4badeea970696a9377f3d06f
SHA512 6e86244834fabf9bf5ce0424dc4b5682548321baa0cf17edb9b1d9eabfb23f5db64fe08f2efb3adeb9f9ae6189dba35b500da1e71906d52df9d87646295bf7b1

\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

MD5 d2f5cc792f97fcf3b6968a189d10320d
SHA1 abe7ac36e5e99a7d13f71a60803492c9bd439676
SHA256 1e06b9fed59ddd1e1b53e044dc2881dec9168f5e342864ef5dd2eec9f1565a63
SHA512 6fd2a417c696c2f985a557a94d27c0440e4f0d2d3d63a044d178bf7c2c73c597ef8dcdeccb650f7e5037ed4d61c4e3fd9a681f13dc6c31d6ce40e2a75690a09d

memory/1728-373-0x0000000003760000-0x0000000003ACD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

MD5 ac1affd3e58924ae679fd5b4cc5ac424
SHA1 e597ed8b6c7d958285c2f5153c9e7081cd92f18b
SHA256 1eed922f831550da0e2f70f24aa79a2f551511d1683a7c3c9bd40b6636ae5cd9
SHA512 34693a7e5ad0b39200e466472f4ce8546c18c5eff0ebac3a5b8c8798f4cd4999396c9a89ae7cc1428f5bc723dc8c5cd3ba5bfb895738043dca93b50d336134ae

\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

MD5 bb1f3a8f91f09d6eab3eb00336105478
SHA1 9b0104800dd2f3c3731a9683593c8d78beb4e765
SHA256 c68e82f877fccce2e97ddb7a6b968cbcc5dc60e166c9cb0ffd325b4db68832a5
SHA512 f626429b62281e0306084f2c1fad1bb304ac1e34e377e4168c8ecd08a49035c5d1c38c6816e8c06e4705cdfdd1d7ae296be985eccc6959cd81e50033db9b9c5e

memory/1728-374-0x0000000003760000-0x0000000003ACD000-memory.dmp

memory/1728-375-0x0000000003760000-0x0000000003ACD000-memory.dmp

memory/2052-376-0x00000000003F0000-0x000000000075D000-memory.dmp

memory/1728-377-0x0000000003760000-0x0000000003ACD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

MD5 f76fb97975a7a82485283409e7392ad2
SHA1 de8b95965c76adf82a4c9b76106c4322ca5af75b
SHA256 f330bd0625f0fd1b9104eec9b06ef81a3054f4a1acb7550dbfcf38a49c978b9e
SHA512 0bec8b23d692f1b8ed228749a476bb2c7ffe68a84327c5906be0fe9ac1422c9d63ebe6e572ef02282c9076887942aad980013a474e7309c7e05d032e36597c15

\??\c:\users\admin\appdata\local\temp\rarsfx1\fesa.exe

MD5 e118aff2bfba65865c059189899ee76d
SHA1 bda5316df47dd409be41e889c32c835732bcc09f
SHA256 e87ae63caa9555385b26850b8da75c4a564570ee1c173777f5b66eb68f8ec5aa
SHA512 f1b1a2eba38c61d8afcfd22e10ed62f4915aa7c1971c8fbea2c6801ce6dfe24de6afc7dc6ea9477432731d82f759e66ee43a7dd86b81fc349dbac0a1c7c269e0

\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

MD5 5de7230a7fa131c0f3daca7a177ae443
SHA1 e522429d2ffcbbb3fbc96d46e27add17116772bb
SHA256 5e34dac91e9106d009abf99424dee4c3bfdb88c6c2b8bda0bcf57d1be09dc960
SHA512 26a60246e8441eb70948fd6badaf2fac893954a3e3a5466e4e35596247ea5926d453539a68a7694a7e13efb48020983199cb8b3766602adba66aaaaddf8ffb4f

\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

MD5 568d3de870dda8a255763f5c28ebe984
SHA1 adf1dbdb02fa6b0e9efc3bc52c45017368bcc0ce
SHA256 a326d35df0281661f29f27cc95f28ad7b186cf536b8a3718209973bc8d99d8de
SHA512 bdcd6ea5bef5f9f04ccaa3e9177bfac6c87f8bfe42e7f5b377079cdcbd730118cbf2b5de088648a798a26f41318beda8e061e9391b52dfdf12379bcc3724891d

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 981b7a407189abc0834226f32c56e23d
SHA1 f9ff016d25dbb1dc45e2cb5502c254b62f26ed4a
SHA256 4b1bf5ab0676b5caf36faeb72991b18d1383562ae61a721db0e9935ed128ff38
SHA512 6189a6a60db08379425747b098b4521f7709c1509025a6b70b67d71c15aefe511f35d22352d7cdf8ed317b519f9d36f6dc77f1bf9d708f810994e09220f1fabd

memory/1404-385-0x0000000000290000-0x0000000000390000-memory.dmp

C:\Users\Admin\AppData\Roaming\fwactwr

MD5 ebb7ef2eb8ce2b4a91a3638a13fb394c
SHA1 d13c8a2275a2eeb54251c5bbc8dc6e466509be76
SHA256 c0e727bf5ca186bb83f85796dc25da0b6645a6371b33b722200e55a7124ef5e1
SHA512 608dc1649771bca9aefd945af51a3fd591b6afa114419ac583165169dccc5d6e1b32993ed887e426476c69e4877f228cbb18f9373f99971fd683a72c837a0802

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 21a0f4bd469cc6ca5f50595f77836eb0
SHA1 c03e75c4ee88b98d50f55406b0070f496500da79
SHA256 ae0decd9310dc5c6c86831181d24e6f6febfa7b58e0b55d73dbedb6955d9c016
SHA512 262ced57b7965cf29d6571191328b3a355d20f31a4c38157103250413d83f37d05be54f849a18221ce80449ce205e56abf4ec91f914e17b326306d2fd45e0e3a

C:\Users\Admin\AppData\Roaming\fwactwr

MD5 94919d50ff439256225f5c48baad3ae8
SHA1 54d309499581cee2a9e42a873982a3d4b9350f50
SHA256 ca713b99670400637496c64001b373ab67950db162741ed1ee82d7deabd19dfb
SHA512 cc4e7543b93be55fe51dc2f58fc3db6dac469bbd1dc01c556f605bdbebf2f06c7eea75d424d6227732de4cd30a0de1b0120fd2a8a401bf2b45f60c0267cfa6f5

memory/1404-386-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3007.exe

MD5 5af884fbfb5162efb2bc85b6908e76ab
SHA1 82dcaa9ef03bad180f1c68100d8ab84930bb929b
SHA256 fc561ba3d30c2e7c1948b9b28df86fe33fb240dfef92e5f2c7483a507aeb6403
SHA512 5ee66867a41ed4e32b3d6d1487021fd1c70824055d70ad6af445bb9c798315de1eda3398a6968c8b142a42689436c86a15342c5f2f3840f2fd695b833152475f

C:\Users\Admin\AppData\Local\Temp\3007.exe

MD5 525fdd908d0f021b0965645466a764a2
SHA1 8403e06b289519a4af9ffb80fd79733f0cbad6d6
SHA256 c08678c21155324e639c4a44ee64d3c01d74af73c9d0b1bcb541a3977c425fc4
SHA512 0e47fc224815f6cd936a65597c11ed326fa68b92fdd439039d58de41125c1a4d1de199a3ac5f90e560691a6ffe58d0ffd02e623c4f33c21948fb1ae82e08328e

memory/860-392-0x0000000000200000-0x0000000000201000-memory.dmp

memory/860-395-0x0000000000E80000-0x0000000001831000-memory.dmp

memory/860-398-0x0000000000200000-0x0000000000201000-memory.dmp

memory/860-404-0x0000000000210000-0x0000000000211000-memory.dmp

memory/860-412-0x0000000000270000-0x0000000000271000-memory.dmp

memory/860-409-0x0000000000220000-0x0000000000221000-memory.dmp

memory/860-407-0x0000000000220000-0x0000000000221000-memory.dmp

memory/860-405-0x0000000000220000-0x0000000000221000-memory.dmp

memory/860-402-0x0000000000210000-0x0000000000211000-memory.dmp

\Users\Admin\AppData\Local\Temp\3007.exe

MD5 95395675707fe93a49ed51830c5e8431
SHA1 763fc3cbcb79b18654bea53b67036a6226751492
SHA256 fdf724a908125bbbfa35724f7140402a6ec61d8d7bae2ed232c2b22ad7705465
SHA512 2d8de5f51e66a4790ca8f7896190581cda55eb8b10039fd5d9ef438f29a2ad80848356bca804a46a0bd8151afe11ebf431c820e43c9ff57e4f9f1fea41511f50

\Users\Admin\AppData\Local\Temp\3007.exe

MD5 910bf5e8766bd8de944bc5b0ceaf27a6
SHA1 22e3fbba70bd42115856e5a31adbe82ebe7e3294
SHA256 c6fb7c192ebda7714034293926254cee8e24bb7ac0cd6bbcc6ddfbbac0e9e68c
SHA512 58fb53de2d6b297ee765d3f8aa962b53a862f3fcd1c9b5a9022b6fcf9490c7993c24a8bd1176227d093a5a14796fc78661148cc334e790f1a2957eb19fa5d044

\Users\Admin\AppData\Local\Temp\3007.exe

MD5 8eeb7a49ddb462b247c54c0a7984ee2a
SHA1 e05c8ffef90a333fa01a32a6d23854c0cecd9a95
SHA256 2d0d8e67b37ec53eab453c82835fe3cde5c2628eec4b56582ff96fc35a9e604f
SHA512 19647d04cb9d5af9d39f5a92a1c6b6b96c10c08c82154948c6a8e8ba3fd51507a9d1e749b2d2f0b56fe1538b0b61bd913814264f0077197340079ac7070ef2de

\Users\Admin\AppData\Local\Temp\3007.exe

MD5 7d9fc7d66e28b88261cee289d8047957
SHA1 bcaa7777455e13b07f183ab31143096fcc810a0d
SHA256 20576e42d36b01e4a3bca64ef232cc5124be5f9bd85a2253700bda78144da84b
SHA512 4903aa88e05cb593b933f672de8daf4f69682116c9150114cc1e16eee34a413bb6a759dd9353200ff78639757f494d783eb6c68625ee98c6af9e787695ed4a03

C:\Users\Admin\AppData\Local\Temp\371A.exe

MD5 e5e40c1b4525474c1f8a6c37373df09f
SHA1 2a079b3c3f518804496ffdcc41c4f6a8ce431b81
SHA256 e04d57e1134fdd8e587c7b1918eb30d310d504d69f694b9767c3a49d2cfcdac4
SHA512 3dee71465cf469b63ce1266fca744703d0545d6dbaf4cc825a2d866e29f6cfab7193bbaab7281cfa50bb9942eb9d774c7e69c4a945e0dac4b7784ab1e9579c1b

\Users\Admin\AppData\Local\Temp\3007.exe

MD5 cc99deada35aa2c59a03cf2761f82160
SHA1 c8a4ca5717f8a2e741df60c839ffb08d770bcca2
SHA256 5f7a00f1d20fddd8850ae4b9825a58d8385417ca15115dfc28f74e608e54b61b
SHA512 757df9d1aed9047aded3c03e254a0ba2ec11e94edeff15b4ec2597c136267f387eaa23c8fb4421efc51d2e6e83f32d8837b0af674c9dcddde204b4bb92ed1704

memory/3028-443-0x0000000000E80000-0x0000000001360000-memory.dmp

memory/860-433-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/860-400-0x0000000077C70000-0x0000000077C71000-memory.dmp

memory/860-399-0x0000000000210000-0x0000000000211000-memory.dmp

memory/860-394-0x0000000000200000-0x0000000000201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3B20.exe

MD5 384b9fb7ec244ff146d8415fbce021f5
SHA1 831230dd688fd3de5a26684e85102e4949194988
SHA256 08eb9ef72a049de4d13b3e4b073c07bef072d4e8b6a2e9583d0c23a318e2c2e5
SHA512 1ac008b472bd1af67f8eb056758003012fb915fdfff91b923577b20410e2da1e85d7eda85c76ed0278d017c2cbb126e70413a0d9ffd90a41c2b54ebf92d16f9d

memory/2052-450-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3B20.exe

MD5 1c3b130f0309c6f8166160f0bd20d6ec
SHA1 0cad034a8f615843d68743357a6f24de456c994d
SHA256 a1312ece539d7b0d55ca5c862272dab30aa42c8a7d20c63bb2192eb8431c778f
SHA512 d10f3e524716c76d828f709905d8a970805da6aa07271c2f1dfadabfef4917bc3104cb481fe444da3343cb6546f21c60e97553ba5fe1be90d19385c99348cebc

memory/2052-452-0x00000000003F0000-0x000000000075D000-memory.dmp

memory/1956-453-0x0000000000C00000-0x0000000000D32000-memory.dmp

memory/1956-454-0x00000000732D0000-0x00000000739BE000-memory.dmp

memory/1956-455-0x0000000004910000-0x00000000049DA000-memory.dmp

memory/1544-480-0x0000000000930000-0x0000000000A30000-memory.dmp

memory/1404-482-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1956-1402-0x00000000049F0000-0x0000000004A30000-memory.dmp

memory/1956-1404-0x0000000000200000-0x0000000000201000-memory.dmp

memory/860-1403-0x0000000000E80000-0x0000000001831000-memory.dmp

memory/1956-1406-0x0000000000460000-0x00000000004AC000-memory.dmp

memory/1956-1405-0x0000000000B70000-0x0000000000BD0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 7eda6fc800500c5fa97df13391f79956
SHA1 254be705c613e058da36bfdb79c0ec6d1cadde93
SHA256 ac6322ce42837db2224b052555736631f90ac9e88b1e33806b41a2f1a0febe99
SHA512 be34f0378ebe8deed88de267a6427158eb943a7e68f37de90751fc077f5ef7f2874c5df87d0be1762d69592e6004fc178331518e028e00af89c2c265269c0256

C:\Users\Admin\AppData\Local\Temp\3B20.exe

MD5 fb44d20e89b3a6b22749c72c815eec81
SHA1 e9d6b04c0e547ddd872b97fc66ba4513150582f3
SHA256 af2796efede38928b2a58015a79f23e3759165838af208c3df11e4c0ef1d5291
SHA512 e384de851dd966fdd9d5cd3b96bdc864d8bfc4f6d6525334e0adc82116188aabaa8b69145942fe2c4587ccc01667a754603396d484ea8f4e46a3371b7af6ea62

\Users\Admin\AppData\Local\Temp\3B20.exe

MD5 8e6491e94fc0db51a23b8325710903c0
SHA1 30270eb2b0f781788836d505929fe8e0bafc7501
SHA256 0f2790297e57c14e9b216dcfc4b0fcd390dd2ff953c11c1a69c19061abeb90fb
SHA512 dbf92376b8a73e3eebce97e3e6ed68d8ec643f84f90bede7e7b89bbe155aa631391ac5413c989a8a1c296522f5c51cba6fee6172fe7847a1d774be8e745f0886

\Users\Admin\AppData\Local\Temp\3B20.exe

MD5 28b225bd64faa306158a2f13a99550e3
SHA1 75380a3afb8918909f52f4d80464828b330aa5ba
SHA256 18d883ee911b6cd6df483989b7bcdd56a319349b5278da55b406479e46034049
SHA512 675900878a374cbf12307fe5e2effd15e0ae3fe90391ee0fe9fd0ccd287be92301eedb349c00ef56c7da9e3c5e933f331338e40bc6f3ac214bd110c677cad8e1

\Users\Admin\AppData\Local\Temp\3B20.exe

MD5 9bd1ee0ca5b2ff2224e19d2bae0db3a9
SHA1 9f74d687711180523c75d2491138fe1262a20b7d
SHA256 adaa9f4927b121c3fcdf86d4855a5cd5aee1959320053df38c105b3e7cb1f09d
SHA512 37893c504340fe6bac6da793a3015dd83cd39e367bac41f1ce98a52fd91d822d55e502fa6ce56d4cfaa0e038c10a0f8b3b7d8b5aeb6957185a3e559cd518df4a

memory/1956-1424-0x00000000732D0000-0x00000000739BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3B20.exe

MD5 50b591ec9222c0d3571c72d111385031
SHA1 0dc8bfe4111b515fab7fbc8bda8dcc98c5e3a129
SHA256 6b4baa891eb9e996d19671c177afdfe896a9fc21978e4c39f1503e5f721daeda
SHA512 7ea8f80c6875090a91caa4091e31795be491831e79eb1a288a49c8057f931f50dc215fc6f59115b7d131d92079f143e71165e1659fd5625061076035a050fc2a

\Users\Admin\AppData\Local\Temp\3B20.exe

MD5 ed51799d4c4740a92ebd7b24fb7e2bc5
SHA1 de6ff5db004ee76c4778f84928a1a1402b95e070
SHA256 1ce240af6f9fd677d8cc6064216385139209df9557affbb2f66a9bef82f876d6
SHA512 904e1eaf9dce28b45af9537f53e1d30e60beacc9aeea611fc32ec028f8dddd1f73a32bce6205d8d564ef9607f18b600b4403e46b1e4d2064ee8c6589d9efee09

memory/3028-1432-0x0000000000E80000-0x0000000001360000-memory.dmp

memory/1660-1456-0x00000000009C2000-0x00000000009D2000-memory.dmp

memory/2652-1491-0x0000000000912000-0x0000000000922000-memory.dmp

memory/2888-1500-0x0000000000992000-0x00000000009A2000-memory.dmp
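The file listing above repeats one path (AC57.exe under the user's Temp folder, for example) with many different digests, and spells a single file three ways (C:\..., \..., \??\c:\...). The script below is an added example, not part of the sandbox report: it parses that layout, folds the three spellings onto one key (the folding rule is the example's own assumption), counts how many distinct SHA256 values were captured per path, and emits a de-duplicated IOC list. The embedded SAMPLE is a constructed excerpt whose hashes are copied from the entries above. Several digests for one path only tell you that the content at that path changed during the run; the report does not say why.

```python
"""Parse the dropped-file listing above into a per-path hash inventory.
Added example; not part of the sandbox report."""
import re
from collections import defaultdict

# Constructed excerpt in the report's own layout; hashes are copied from the
# listing above. A real run would feed the whole Files section through it.
SAMPLE = r"""
memory/2980-30-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AC57.exe

MD5 a672e66a90d5fe402e6b9937e621c866
SHA1 6ff0e94017cdf4a704f4241f2debd4d7a6cfa3a4
SHA256 1f8b0c2f91a771a970100cae325f1a1f7b9838aa35ae8ce5c0e1d392262234f2
SHA512 d129e8592983d4b415fb274689bc180e924694b066668409e60f92501598f9a6ed3cf77f7a7e3e5f63580329a75f42d12c100ad27af6b951b05334e91e7b0449

\Users\Admin\AppData\Local\Temp\AC57.exe

MD5 dd9c88d433ee4299f73e62b57709ed09
SHA1 b8a9613ec41d87f0730f5fae26d76f9bd8370197
SHA256 73b4b5b330bbc7e92f7131fb62633d6a6c909e699aa713b3e6037e8cb338bbab
SHA512 f65ec97225d54bf84b439dddb6aa6172649b56298bb39a1a7e0aa5e519e2a8c8b56856516fb56fe1ccfdf59da614ace581fa187a53212d5cef048349fb6b1569

\??\c:\users\admin\appdata\local\temp\rarsfx1\fesa.exe

MD5 e118aff2bfba65865c059189899ee76d
SHA1 bda5316df47dd409be41e889c32c835732bcc09f
SHA256 e87ae63caa9555385b26850b8da75c4a564570ee1c173777f5b66eb68f8ec5aa
SHA512 f1b1a2eba38c61d8afcfd22e10ed62f4915aa7c1971c8fbea2c6801ce6dfe24de6afc7dc6ea9477432731d82f759e66ee43a7dd86b81fc349dbac0a1c7c269e0

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

MD5 ac1affd3e58924ae679fd5b4cc5ac424
SHA1 e597ed8b6c7d958285c2f5153c9e7081cd92f18b
SHA256 1eed922f831550da0e2f70f24aa79a2f551511d1683a7c3c9bd40b6636ae5cd9
SHA512 34693a7e5ad0b39200e466472f4ce8546c18c5eff0ebac3a5b8c8798f4cd4999396c9a89ae7cc1428f5bc723dc8c5cd3ba5bfb895738043dca93b50d336134ae
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

def normalize_path(path):
    """Fold the sandbox's three spellings of one file (C:\\..., \\..., \\??\\c:\\...)
    onto a single case-folded key. The folding rule is this example's assumption."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) > 1 and path[1] == ":":
        path = path[2:]
    return path.lower()

def parse_listing(text):
    """Return (files, dumps): files maps a normalized path to its hash records,
    dumps holds (pid, sequence, start, end) for each memory dump line."""
    files, dumps, current = defaultdict(list), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        h = HASH_RE.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = h.group(1), h.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has the wrong length for {current['path']}")
            current[algo] = digest
            continue
        current = {"path": line}  # any other non-empty line opens a new file record
        files[normalize_path(line)].append(current)
    return files, dumps

def content_variants(files):
    """Distinct SHA256 digests per path; more than one means the file at that
    path was captured with different contents during the detonation."""
    return {k: sorted({r["SHA256"] for r in recs if "SHA256" in r}) for k, recs in files.items()}

def sha256_iocs(files):
    """Flat, de-duplicated SHA256 list for a blocklist or retro-hunt."""
    return sorted({r["SHA256"] for recs in files.values() for r in recs if "SHA256" in r})

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for path, digests in content_variants(files).items():
        print(f"{len(digests)} distinct content hash(es) at {path}")
    print(f"{len(sha256_iocs(files))} unique SHA256 IOCs, {len(dumps)} memory dump(s)")
```

On the excerpt this reports two distinct content hashes for each of the two paths and four unique SHA256 IOCs; run over the whole Files section it gives the per-path counts for every dropped artifact, which is the quickest way to see which paths were rewritten repeatedly. Digest lengths are checked so a truncated copy of the report fails loudly instead of producing a bad IOC.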

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-28 22:28

Reported

2024-01-28 22:33

Platform

win10-20231220-en

Max time kernel

300s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe"

Signatures

Amadey

trojan amadey

Detect Poverty Stealer Payload

1 match recorded; the report captures no description, indicator, process or target for it.

Detect Vidar Stealer

stealer
5 matches recorded; the report captures no description, indicator, process or target for any of them.

Detect ZGRat V1

1 match recorded; the report captures no description, indicator, process or target for it.

Detected Djvu ransomware

16 matches recorded; the report captures no description, indicator, process or target for any of them.

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

Poverty Stealer

stealer povertystealer

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Vidar

stealer vidar

ZGRat

rat zgrat

Downloads MZ/PE file

.NET Reactor protector

22 matches recorded; the report captures no description, indicator, process or target for any of them.

Deletes itself

1 match recorded; the report captures no description, indicator, process or target for it.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD91.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F416.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FA41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54D6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6AFF.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\jahrivc N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7224.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76D8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76D8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76D8.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\eb849e61-72c6-46c1-942c-915b400011db\\DC96.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\DC96.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3580 set thread context of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 924 set thread context of 4392 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 4772 set thread context of 3244 N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 5116 set thread context of 4740 N/A C:\Users\Admin\AppData\Local\Temp\F416.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5080 set thread context of 4596 N/A C:\Users\Admin\AppData\Local\Temp\FA41.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3932 set thread context of 4564 N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe
PID 4520 set thread context of 4296 N/A C:\Users\Admin\AppData\Local\Temp\76D8.exe C:\Users\Admin\AppData\Local\Temp\76D8.exe
PID 4256 set thread context of 2808 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 8 set thread context of 4132 N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
PID 3876 set thread context of 1204 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2704 set thread context of 4404 N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
PID 720 set thread context of 2116 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4528 set thread context of 828 N/A C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe
PID 2056 set thread context of 1216 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\76D8.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\jahrivc N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\jahrivc N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\CD91.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\CD91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\jahrivc N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\CD91.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FA41.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\76D8.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7224.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 4432 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD91.exe
PID 3384 wrote to memory of 4432 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD91.exe
PID 3384 wrote to memory of 4432 N/A N/A C:\Users\Admin\AppData\Local\Temp\CD91.exe
PID 3384 wrote to memory of 3580 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 3384 wrote to memory of 3580 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 3384 wrote to memory of 3580 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 3580 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 3580 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 3580 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 3580 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 3580 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 3580 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 3580 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 3580 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 3580 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 3580 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 1044 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Windows\SysWOW64\icacls.exe
PID 1044 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Windows\SysWOW64\icacls.exe
PID 1044 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Windows\SysWOW64\icacls.exe
PID 1044 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 1044 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 1044 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 924 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 924 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 924 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 924 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 924 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 924 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 924 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 924 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 924 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 924 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\Temp\DC96.exe
PID 4392 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 4392 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 4392 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 4772 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 4772 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 4772 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 4772 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 4772 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 4772 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 4772 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 4772 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 4772 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 4772 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe
PID 3384 wrote to memory of 5116 N/A N/A C:\Users\Admin\AppData\Local\Temp\F416.exe
PID 3384 wrote to memory of 5116 N/A N/A C:\Users\Admin\AppData\Local\Temp\F416.exe
PID 3384 wrote to memory of 5116 N/A N/A C:\Users\Admin\AppData\Local\Temp\F416.exe
PID 4392 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe
PID 4392 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe
PID 4392 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\DC96.exe C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe
PID 5116 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\F416.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\F416.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\F416.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\F416.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\F416.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\F416.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\F416.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\F416.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\F416.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3384 wrote to memory of 5080 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA41.exe
PID 3384 wrote to memory of 5080 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA41.exe
PID 3384 wrote to memory of 5080 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA41.exe
PID 5080 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\FA41.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe

"C:\Users\Admin\AppData\Local\Temp\fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a.exe"

C:\Users\Admin\AppData\Local\Temp\CD91.exe

C:\Users\Admin\AppData\Local\Temp\CD91.exe

C:\Users\Admin\AppData\Local\Temp\DC96.exe

C:\Users\Admin\AppData\Local\Temp\DC96.exe

C:\Users\Admin\AppData\Local\Temp\DC96.exe

C:\Users\Admin\AppData\Local\Temp\DC96.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\eb849e61-72c6-46c1-942c-915b400011db" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\DC96.exe

"C:\Users\Admin\AppData\Local\Temp\DC96.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\DC96.exe

"C:\Users\Admin\AppData\Local\Temp\DC96.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe

"C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe"

C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe

"C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe"

C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe

"C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 2080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\FA41.exe

C:\Users\Admin\AppData\Local\Temp\FA41.exe

C:\Users\Admin\AppData\Local\Temp\F416.exe

C:\Users\Admin\AppData\Local\Temp\F416.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe"

C:\Users\Admin\AppData\Local\Temp\54D6.exe

C:\Users\Admin\AppData\Local\Temp\54D6.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe

"C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe"

C:\Users\Admin\AppData\Local\Temp\6AFF.exe

C:\Users\Admin\AppData\Local\Temp\6AFF.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\jahrivc

C:\Users\Admin\AppData\Roaming\jahrivc

C:\Users\Admin\AppData\Local\Temp\7224.exe

C:\Users\Admin\AppData\Local\Temp\7224.exe

C:\Users\Admin\AppData\Local\Temp\76D8.exe

C:\Users\Admin\AppData\Local\Temp\76D8.exe

C:\Users\Admin\AppData\Local\Temp\76D8.exe

C:\Users\Admin\AppData\Local\Temp\76D8.exe

C:\Users\Admin\AppData\Local\Temp\76D8.exe

C:\Users\Admin\AppData\Local\Temp\76D8.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 912

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 158.160.118.17:80 trad-einmyus.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 17.118.160.158.in-addr.arpa udp
US 8.8.8.8:53 brusuax.com udp
BG 95.158.162.200:80 brusuax.com tcp
US 8.8.8.8:53 200.162.158.95.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
BG 95.158.162.200:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
AR 186.13.17.220:80 habrafa.com tcp
DE 146.0.41.68:80 tcp
AR 186.13.17.220:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 220.17.13.186.in-addr.arpa udp
DE 88.198.191.199:2920 88.198.191.199 tcp
US 8.8.8.8:53 novoscanais.com udp
PT 194.38.133.167:443 novoscanais.com tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 23.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 199.191.198.88.in-addr.arpa udp
DE 88.198.191.199:2920 88.198.191.199 tcp
DE 88.198.191.199:2920 88.198.191.199 tcp
US 8.8.8.8:53 167.133.38.194.in-addr.arpa udp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
AM 92.246.138.149:80 tcp
AU 176.97.69.235:443 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 154.8.185.41.in-addr.arpa udp
ZA 41.185.8.154:80 tcp
DE 146.70.169.164:2227 tcp
FI 109.107.182.40:80 109.107.182.40 tcp
US 8.8.8.8:53 mealroomrallpassiveer.shop udp
US 104.21.47.178:443 mealroomrallpassiveer.shop tcp
US 8.8.8.8:53 40.182.107.109.in-addr.arpa udp
US 8.8.8.8:53 178.47.21.104.in-addr.arpa udp
IT 185.196.10.146:80 185.196.10.146 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 104.21.1.205:443 braidfadefriendklypk.site tcp
DE 88.198.191.199:2920 tcp
US 8.8.8.8:53 udp
GB 23.44.234.16:80 tcp
N/A 45.15.156.13:443 tcp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 udp
N/A 172.67.211.25:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 104.21.1.205:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
IT 185.196.10.34:80 185.196.10.34 tcp
IT 185.196.10.34:80 185.196.10.34 tcp
US 8.8.8.8:53 34.10.196.185.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/4040-2-0x0000000002C00000-0x0000000002C0B000-memory.dmp

memory/4040-1-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

memory/4040-3-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3384-4-0x0000000001520000-0x0000000001536000-memory.dmp

memory/4040-5-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4432-16-0x0000000002D10000-0x0000000002E10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CD91.exe

MD5 01fb175d82c6078ebfe27f5de4d8d2aa
SHA1 ff655d5908a109af47a62670ff45008cc9e430c4
SHA256 a07112e236e0136b43294b31a43fb4456072941a135853e761680d04315841c3
SHA512 c388d632c5274aa47d605f3c49a6754d4ad581eb375c54ce82424cffa2ad86410a2ad646867a571dcf153e494b4e7ca7a7cf6952b99ddcf5940a443f7039f2fe

memory/4432-17-0x0000000000400000-0x0000000002B04000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DC96.exe

MD5 45c8c53b0572d2431e750524c46e79b4
SHA1 1e0f02ba52efd7c8a6e7a68642c74a6c8c19106a
SHA256 846f2b11662452610f5d4b180b7602142c1c3c7875274c181355136dd64b8ed0
SHA512 a534ab24248235053f9998f4cb355174c50872bacf3fd15e07152eb8659ae0898dc0f4dce1216e29b714e802f8440cba542e27280227afb8c70784e6b4ce5024

memory/1044-23-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DC96.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1044-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1044-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3580-27-0x0000000004850000-0x000000000496B000-memory.dmp

memory/3580-26-0x0000000002CF0000-0x0000000002D8B000-memory.dmp

memory/1044-25-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DC96.exe

MD5 5c6994011c913c8d2065f591d2ec44e7
SHA1 2184e2552e8c474f961c0e87188d5939863e9de8
SHA256 68fde2dbc602e92d3d66e26d4d170507be9893cc619d1525b3140dcf727e63ee
SHA512 1837ccb607a653740dcf6258c44381073df20d65f6f6d6f17032d4ee8be895ae6edf0ac249d03fd7af64e3e027168d2af5535a29ff9161ffe3cb3247bc4c46d0

C:\Users\Admin\AppData\Local\eb849e61-72c6-46c1-942c-915b400011db\DC96.exe

MD5 974adcfe032ccd9da86e80f7f3303dc0
SHA1 e457b910f857418faec6ae0db4c8b0df8ccd4aec
SHA256 f4b883275eed0fa75e9ff6e564b51a13e2bdcc39c47f93450ce6bd724e6e0e30
SHA512 b5c6a3276e7a74f2835b6c18d2699e714052221e8f18d87846d991e7fb65b65bc19fa3dfb33a9650071b3681c8f0bca5ad94daeafc15d5361a6c847e9364a1f1

C:\Users\Admin\AppData\Local\Temp\DC96.exe

MD5 d359c527ccbe5f109eaa5774d2190040
SHA1 6df6f31888a35cadcd10d97e0a10928a267fbb31
SHA256 320b229411ea210758a5719cfce4e23ec6b75111e04b32fa30a63c2e2199e460
SHA512 30ce3e4fee4504ddd53a1497c35f0a8e45ffff0df787acf7810570bb7127167fe92b950821e95316d88e876740c789e8628d4eea66ad64b8b71d716047509c53

memory/924-44-0x0000000002D00000-0x0000000002D9D000-memory.dmp

memory/4392-47-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4392-49-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3384-50-0x0000000003390000-0x00000000033A6000-memory.dmp

memory/4392-48-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/4432-51-0x0000000000400000-0x0000000002B04000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 fad9e0108550621571d40ac977d303d9
SHA1 de172f5d41ef53284d5a9542e4deb380f8de71dd
SHA256 58f271a871d3cc751d2c3d5895274edd659f0043c35133dce33cf0859f1d008b
SHA512 5ac3f4d694557400926d2dc0901249dd7de66258602dcfe728e27a664528a6b40ada95be7f563741b641e477c257e8fecfb68bdea109761c1da7f11ecf5a4146

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 28baf5fd68df59a9964b94cb39ffee77
SHA1 b3fddc328582ee68eeb23616393db9abb9e27380
SHA256 c5dff2b8854fb9ed981ebdb1d6b621cf681bd1ac18ac44b14c138cd05352365b
SHA512 1487962f4c57144dac2278d6a0f04da56f6ba4f03c5467f9df1cc04896fe4fb8bb7286027ae274a95e46e6c0baad836384fe4ee969824efe295d4da2200ebcb7

memory/4392-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4392-59-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 1ab4406c45f8e8beb4d32e895dcdbf91
SHA1 7b603ebec505428365c1f4dcd76bd65adfea9bb2
SHA256 ab9e60e2458968b5235fdce73a96b870949f0ef6624c375c47402e86e2c6d470
SHA512 1aba31f1578072ba5f41d0051d35078d5c38a800525ce278361a8b644ddccd7b8f59576a65484bb8d2ce0aeed42ae4bf6da751804b8b017fed75acf29ff9d531

C:\Users\Admin\AppData\Local\Temp\DC96.exe

MD5 cb211490f31778b78da375e6bef4ad70
SHA1 cab5731867fcbbf73466a674649afeaeed06d8fc
SHA256 e80f8b588fb5dc80377e3fe015857ed4a60402db6f1cd1513af9a31046d7ad2e
SHA512 c60cc39a98d367eb1247221ec59f68bcacf787ee77131bf70709304aa1d6d984169686ad08573b7e28857d22d282f000dbe8cb692371a79ba20c3dea0c243073

memory/1044-41-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe

MD5 6134c934b98893109928b4cd9289d743
SHA1 72c9f652baf79bd260e1cc27cf1f444c84964927
SHA256 0f8f5a5c914179cab891cb7e68cdb76a09aa43e10774e21c420170049da85b1f
SHA512 47a1b64a99000d35034d0f115a6bd9a7c46ae262d9b43acd5dd65d5a23b075f3d1cfe75574ada297b6afc3c58927723748c4140f19b6efb4c5cd1c3fb52599c4

memory/4772-68-0x00000000007A0000-0x00000000008A0000-memory.dmp

memory/3244-73-0x0000000000400000-0x000000000063F000-memory.dmp

memory/3244-74-0x0000000000400000-0x000000000063F000-memory.dmp

memory/4392-78-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4392-81-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4392-80-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe

MD5 2a1b46c2f932747bb144634a9da6dfde
SHA1 4485f91d328f854081d3024bfcb81c52f9f760d2
SHA256 3700a2243b314f930f0f9aedfece902c0dd4045ad28e8d76f7447c766c1412a1
SHA512 18e18eda4384191d89bb1a2f2a74bd6fb0dafe8c31ea5d60a2d7dc5220fa4c8d27071ccd72e91632849d4bfc676bbeb075e01ca1923826ee636a53a0def6f35d

memory/3244-70-0x0000000000400000-0x000000000063F000-memory.dmp

memory/4772-69-0x00000000005A0000-0x00000000005CC000-memory.dmp

C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build2.exe

MD5 40781463f74e5be27d262f71d7d17958
SHA1 7e91415b23a9be1c5fe33e844a3bdb1a0848b71c
SHA256 6bcd8b4ff2f3b4c16c03af55976642b5dd0618ce0625d7f77ac734a454523698
SHA512 910039eb53593e61b879753d3f9aa0f21ec2e9c3fa60f5c43699f5b7bf7b37298a16cee15984b2dfef0da6de63be659ab87dd1378a626bf0c0a1c6a332900aea

memory/4392-94-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F416.exe

MD5 3c4a9ea2e94c66b185864bee10e4a44c
SHA1 9ae30069be1089dece321398baa97df2dc4338d1
SHA256 b9cbad125791eaa7fba8c8ff3a0c6cce3d2f107bd842bf38af081cb41dbc0b49
SHA512 cdc2a2d58223db62daca19d9c7fc176c7b4f42d7ab04ad2e4157dafcd09f78f933256fa3837f7b1e9acd28c84ce5a5c5cba37ab3f442886dda71a1224d3e2155

memory/5116-106-0x00000000717F0000-0x0000000071EDE000-memory.dmp

memory/5116-109-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

memory/3580-112-0x0000000004850000-0x000000000496B000-memory.dmp

memory/5116-113-0x00000000027B0000-0x0000000002848000-memory.dmp

memory/5116-115-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

memory/5116-114-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

memory/4740-118-0x0000000000400000-0x000000000048A000-memory.dmp

memory/5116-111-0x0000000004DE0000-0x00000000052DE000-memory.dmp

memory/5116-110-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

memory/5116-121-0x0000000002880000-0x0000000004880000-memory.dmp

memory/4740-125-0x0000000000400000-0x000000000048A000-memory.dmp

memory/5116-124-0x00000000717F0000-0x0000000071EDE000-memory.dmp

memory/4740-122-0x0000000000400000-0x000000000048A000-memory.dmp

memory/5116-108-0x0000000004CC0000-0x0000000004D58000-memory.dmp

C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe

MD5 2b87f0cfa8b7ba96c5e08365a2452bd0
SHA1 8e40fcf3677d49d1292e432ef0cd7d3779fb62d2
SHA256 957f069d706cb05e1fb6c316c8c154c5e278ae181bb904dd4479aee4f6beae8c
SHA512 66383329227afce3b06c116628710b7d450df79246c3bdf0e7faee5f293066affab69858172b12d2928c2cdb6ff1a603bfc6a2c77169cb4f04b73138640cb87d

memory/4392-104-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\21d441b9-28fa-4a7a-8424-3a346bef242d\build3.exe

MD5 cdf1046e35a147627b55a06b03da0701
SHA1 c7e9b58c045213ec788ae104838d5573f3bb8547
SHA256 548bb0932cf5645abce7e7210f24b493510f3b17eeb8e962e2200c9251672bd1
SHA512 7192327c1f4c85fb03d1727c9527f312cd842e4949a055136e03a6668a878836af45f5e4394434d56cb8067b57fe0ffdb79fa65f8fb1c496570fe45019bdeebd

C:\Users\Admin\AppData\Local\Temp\FA41.exe

MD5 315af8cdcb441cb286e31c631eb12625
SHA1 0f0537841540a0047bd5c3df8f9ced566a58d144
SHA256 fff5d4c3de2cc1056a6395f37ac8d6c4eb7423883281caf7fcdb1fcb7c9797d5
SHA512 03bfe10d227df6c529d0b35f5340964da07b28d908bc776a63e43a02755c073868281f8a20d573077ddee5def2bbda1d545ce6d459cd0d53ee5541d00b176681

memory/5080-130-0x00000000048D0000-0x000000000490A000-memory.dmp

memory/5080-132-0x0000000002140000-0x0000000002150000-memory.dmp

memory/3244-135-0x0000000000400000-0x000000000063F000-memory.dmp

memory/5080-136-0x0000000002140000-0x0000000002150000-memory.dmp

memory/5080-139-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-138-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-141-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-143-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-147-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-149-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-151-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-153-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-155-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-157-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-159-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-161-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-145-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-163-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-167-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-169-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-171-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-165-0x0000000004E70000-0x0000000004EA3000-memory.dmp

memory/5080-137-0x0000000002140000-0x0000000002150000-memory.dmp

memory/5080-134-0x0000000002140000-0x0000000002150000-memory.dmp

memory/4596-181-0x0000000000400000-0x000000000062E000-memory.dmp

memory/5080-183-0x0000000071120000-0x000000007180E000-memory.dmp

memory/5080-180-0x0000000002490000-0x0000000004490000-memory.dmp

memory/5080-133-0x0000000004E70000-0x0000000004EAA000-memory.dmp

memory/5080-131-0x0000000071120000-0x000000007180E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FA41.exe

MD5 cc99c3247a963cea4b0a6b66c09f652b
SHA1 acbd6d470c80d28a1549daf1cb8ccff938279ae6
SHA256 91aa8041569ac1491c4c253854fe4a9b120a5ed93184baef447a06fedac972d4
SHA512 a1f9eba603c1269beeef1dd55d072dfd04bd7c8f48c665abb1bbe85b57c02b4c1b962a069760981a021d830ed2bb3755f3631ae1bb23e7a23e03886d5e60f64d

C:\ProgramData\mozglue.dll

MD5 f194ed05ba033ed2ccd458383ccc5961
SHA1 9d1f9ce04e76e055be53a408d887ea78f1259e9b
SHA256 c2429137a8a4c6c248e9f29aa71f2fe4f2327e8797e133e91951b4943f9334cf
SHA512 aa4841ec9bc3cfb2fb7c9708ac1e4b6cf643385b13161637966624f2b695bed4a2ed92c8467b0fcdd4035f9e063d7274a0c72c37d44638bf3c81e3377b588e08

\ProgramData\mozglue.dll

MD5 16f38e3eca9f3dd96f5625e660ae1cf3
SHA1 7ae3587b034d681ba63abe85beffd66dde42edc0
SHA256 1691f91103e651d0d5f2e0bf4e019cb726b4bcfa6ad9300a16b99e5175758e6a
SHA512 93e980a0431f1984746ee16cb815da242fcb97d8897eae9a9a9b3298382b9c57b1bfa6f70d0fdfdd04b1ef6e443927ff55868bfe3955faa72f9a1e333ab6d202

\ProgramData\nss3.dll

MD5 b9f13ee223aca2540dd2939d114fb4e7
SHA1 07940daaa4f415f42404afde2b9542dbb23e0623
SHA256 071331d37db6639a43c7c06c0888ce8aec792f358ab99dda184c33a486d6cadc
SHA512 d7ff85f42531ebccc478ab9fcb60105bae7d4ead3df77d48c348a3e8429fa1a087d59bbbb2a56b30748d1b60a684bbba71f8f4b61e87781f40546cf226748871

memory/4596-244-0x0000000000400000-0x000000000062E000-memory.dmp

memory/4740-246-0x0000000000400000-0x000000000048A000-memory.dmp

memory/3932-252-0x0000000000A00000-0x0000000000B00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\54D6.exe

MD5 b33ad50c8b053f329aaf42820bb22043
SHA1 118dcab431c056cd00a2e089fdfe40f8cc5c86bc
SHA256 fafa9b06eb9c21c93d95055734b3fa02877b16a48683964fa5cf683914b1bb1c
SHA512 01d555c141af4a623b67e27a0e5b2c0f3d9d5e05c75641320e8561081e1bcb9774906daff4dab8a5ada385b7cc98118faa1c4af58aa68e6cde12ed7d6a4543db

memory/4564-265-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\54D6.exe

MD5 ed4fb00c4f36f5402dfbce54cf052cf6
SHA1 95bdae77945d442d2c451b99e8745da9397a7ba1
SHA256 2e54f5fa93d5e09c1a75a76aa498c90cbf125631b0e329e38082e4d40f06c0fa
SHA512 f08f1aa57477d2e7065674c3c810175b63f38139533bb0c560d5ebdce85a4575d749e7079c12d2bb4391e427ee1ab6464f488b664b3739dddf1ada7edb48091d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

MD5 04f8bb3d913f0755dbab73837dfd743a
SHA1 a1c893373667c72fab247a8e8cc3597e374a75e2
SHA256 3c4df6df8c253c8c193f1c495fd122c8f12c6e134aa0e09606f3983be959ae41
SHA512 9976bc8ec86d9062c7a8bbe8dd67cc91429724c122f55cc537a49f4ccc352f3992030bbbbdf6c4f002594f5a89cf5922032bff0747d69deaab93ac36141eb4fd

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

MD5 d2bba198c2ec27f882acaa2a8759e568
SHA1 64e8cfc989fe05002b826886305dfa47d3ac51b8
SHA256 488b588f5001fe472e6d5f12a3ea9ae826698e2a4bc2b32f4cf5553d1b55d05c
SHA512 4e6be465e513145e51b72b8d41dcd9bc955f9832bb9aed10eb74055aebd23992ba1852c6f2d78a4a33d7b22860e78ec8d8a43e3b2e08e9a67acf253c876fb368

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 ff59d999beb970447667695ce3273f75
SHA1 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512 d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

MD5 859f69ff3fde85f7bc699d9e125815f2
SHA1 6c8ac2b7c40ab9c2b78796ec2cc634a464309777
SHA256 c2d2087d76b3cd84b98fc01dc2252a934c3c3b2db17f93cff9d96abbaeb8f7be
SHA512 dffe323673624a267504ae314e664066ab19275b0efbb25120cec9480ab8b5d1d02394e57f5c385587e08e8ed7937041689d6a4ec378fd398942d20f3dbf2245

memory/1808-285-0x0000000000350000-0x00000000006BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

MD5 d097e641b2224fcb1fa52fb5e170ac63
SHA1 d39956b2d3fcf555a39541914fda04da090bd490
SHA256 c0a28433e8d943cc9647bd8a67c55087d5ca60dc56d10b7e56cdd17bb8c97a10
SHA512 c84cf9ff37137767346fa29f29aa0337241f6bd56494a93aa912c5c5986826c9d40512ddb829513c1257e7b95df1c5d1e49843c5cc3baba3602f8abbd8a2ba07

memory/1808-286-0x0000000002970000-0x0000000002971000-memory.dmp

memory/4564-256-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/3932-253-0x00000000009F0000-0x00000000009F4000-memory.dmp

memory/1808-288-0x0000000000350000-0x00000000006BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6AFF.exe

MD5 d9f61f2e886b5a2dc4608bdaecc04fea
SHA1 b881bdf6ad24354ba9fdd6a6465c9e588ea3bfe2
SHA256 4871eadabeff43b0b05d199cbb05a95c27cc50793f480079a8780ef61c80fb6a
SHA512 6a6cd50eaf2f3d6c9d8b941ec2a94ee40a0188d5967e8735f76b16dd545f1abb6fe8bf1efc0e77bbe1ffa16b7e6ad51b11936b404da175d5407a4638ea0dfa84

C:\Users\Admin\AppData\Local\Temp\6AFF.exe

MD5 5d44ef7e5bcdec40769fd06e605cba67
SHA1 cd837d208ff00b1573fe4712a5a29334156735e9
SHA256 7965c69a165c76d1714297c503fb5d5b726cb5f1a268ce87ec403ffc3e1e7db3
SHA512 565dbef917b5e3c071ecabde5fa9a6382ffddeb01a7c6a33dc06c3b597193483c4229a41a8f5f28e6cced475c83e97b03ab9e13080bc08eb976c4ff545dcc517

memory/2276-295-0x0000000001020000-0x00000000019D1000-memory.dmp

memory/2276-299-0x0000000000760000-0x0000000000761000-memory.dmp

memory/2276-298-0x0000000001020000-0x00000000019D1000-memory.dmp

memory/2276-309-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

memory/2276-308-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

memory/2276-307-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

memory/2276-306-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

C:\Users\Admin\AppData\Roaming\jahrivc

MD5 a6aaf1c14caeb87c027f256394d8cec9
SHA1 acd55dd0662f610ad8111f50aa729e06dabb43f5
SHA256 fef1325325dc2115dc99a3c5b4148eb7df9a72b8233c695b364cb92bd3f3020a
SHA512 7d169b8d161b75ddee913a97f0cfab01f363ce2abc39bfeb31b572728622579138c77ca9084b93fd586f2d51f3da86fac4a992aae814731fa567ceab9656c7aa

memory/4852-313-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 565d74df5c6b3398ab3e1ecd0e802794
SHA1 98c278959a7dcbbcc94da9bf6ce410c9e366a458
SHA256 465796cbf89ec8ea153a81c6058167905845e3d10727b6010b778a971b9abc89
SHA512 69d359fc2fe37f551581465f44eecc89035f195dfcbd92183a1206607871d91192f8f9d7ddc9074fc70464f0cf0334783d49934693436226adb765be190ca6ce

memory/4852-316-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7224.exe

MD5 e80440894d7a309eb917aeec158af821
SHA1 9ce1b578487cff9f7c2eab3cfa5316579b2ac1fc
SHA256 4a5a3f94604237fd3db8eb5e5d301e6b667d6048c6de4b18f8f1a6c9b9b356c1
SHA512 82951e254cb5abb33a5cc7836551b3f2df987120b1613cd5acc2f5581ad782e357f263a7f67e5d84ddda22b93ee763b229dc18d9d861ed29cab7bd081bd0381e

C:\Users\Admin\AppData\Local\Temp\7224.exe

MD5 33f7fd3303fd8f5c019750f958a39b9a
SHA1 fdc2a5870edf9ac105e115ce678558aa44ff4319
SHA256 89c551be5728760d9e4795d1b24491fb8a785d68ffe72e4fc1f171068ec109d8
SHA512 f375bbdf30b9e967f995cdae2c60461ea76214393627043ad9fd95c8d454c3ee132e6e7824571ff5830ea741015bbe3e56744d3fba5b97830b61d3db19a9a08e

memory/1704-321-0x0000000000900000-0x0000000000DE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\76D8.exe

MD5 443579a51beba0b31d638b4045529ca2
SHA1 bcb043d71bc602f04fb8b2fa974b4424afe775a3
SHA256 2503a5001c3756f567772d31937f9c591383b58a12176b138bb66be74cdcf7e4
SHA512 14d300ee7f508fa8f5de4189fd9dc734c055724beba50a47d8157dbf7bc27650a6a034d05154194c6f3ad69cfa048dc1c2244aa3e248f21664d7bb97bfb369d1

C:\Users\Admin\AppData\Local\Temp\76D8.exe

MD5 bb2147c255360691841f2aef6b211eee
SHA1 60aaaa99f7aeb353fd3811993900674521026b65
SHA256 ebdb00465857ef516d1a3a42193d911a1f70b9974e29ff8bb20033605941f97a
SHA512 6f2679833eea962f9ecae257729dba6a6a5723e6a395fd5a86b453c3dbbdb030a7c6fa578b09c7b73064b56747bfbc516efb5a34e5ce0b64da4d4bc69da2eabc

memory/4520-329-0x0000000005120000-0x00000000051EA000-memory.dmp

memory/4520-328-0x00000000708C0000-0x0000000070FAE000-memory.dmp

memory/4520-327-0x00000000007D0000-0x0000000000902000-memory.dmp

memory/4520-1263-0x0000000005110000-0x0000000005120000-memory.dmp

memory/4520-1264-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/4520-1266-0x00000000052B0000-0x00000000052FC000-memory.dmp

memory/4520-1265-0x0000000005210000-0x0000000005270000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\76D8.exe

MD5 9ec578f8958c835c2d6dcc29b5d89c2f
SHA1 47b90a9d713c41d90afac00c0a3ba922d44b06fb
SHA256 6f86df42fde5727ed2969342ef862fbd9cf71ae05267208909bb2ff76c4bdbda
SHA512 e0ae7ee9343acdfac059ba49f3b73c7d3819ce6fbf19360fd7b64892fc91ccdd674fd6e6699733261293dcd2720692cea332ac82e46885508fd41f800c30631d

C:\Users\Admin\AppData\Local\Temp\76D8.exe

MD5 612c46aa3ba8a76b35eae8f088013e7d
SHA1 a7304cc69779442c1bfc9f7b1d5a6eb9a1ec8109
SHA256 a00651a2926e3ae5c1988c8ae8f52e306b5089e3565f268a9f0926b46c82f8c9
SHA512 f010c053851fe11f0447a53a08fc752ef9fd305867bc66b032c407e2382bc5f4d80599884520b1d978da2ab912e8cc4bb3b4db713efd107d7dcf400770596761

memory/2276-1278-0x0000000001020000-0x00000000019D1000-memory.dmp

memory/4520-1275-0x00000000708C0000-0x0000000070FAE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 8ff384ccd31dbd7663ebbb0937e5ba6b
SHA1 9f3f70034e4424b08cd98c3288a26fd6f1ba21f8
SHA256 7b1287aa7990c5a6fdacbf94477cc8f4eaac86ba9ecd667af77c5e1fea43ac14
SHA512 67fac944eb69efd0c6f0fa7f6ca717f9b2b22bc12ada3699ae4c5cff6277da3da1f0106b5f694542dea327a5611c65287cc41559e6225ad7259ed9f4c631ac08

C:\Users\Admin\AppData\Local\Temp\eff1401c19\Dctooux.exe

MD5 58d5a4054fb2b552c02250a2ba355421
SHA1 cad1c48f5cff5d6bdabedaf9a3ff1961ee650a71
SHA256 49b524dbe9797e4a8905bca4b74da0f7aac977b07a5f72c66e7f3d22597a86e7
SHA512 182092ae43d0ba0fb8035ab92ac07aae902593bc8f0900c51dfb2629e8958faf1e1d89bf3e8f897f4cc971e49ebc8b224004defdcd717cc2b382eabd5f87f60a

C:\Users\Admin\AppData\Local\Temp\934047325409

MD5 ec7bde544f4fcfe6d7e78bbef47855e6
SHA1 1fcfbea9910086258564fcb1e3486a750a4f7433
SHA256 8757782a7fba58946b55faea802afbd2cebcbb749107efa3c264f07784c71458
SHA512 a587fd701e1c181117fa0b1fe5546ef3b403cb1027bb4ac9d171b175fc33206a9fde8df85d9466a76ad9c7e3951f934d9ede90f327a1d0e81b1443774713ed24

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dctooux.exe.log

MD5 ffe7bf10728fcdc9cfc28d6c2320a6f8
SHA1 af407275e9830d40889da2e672d2e6af118c8cb8
SHA256 72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522
SHA512 766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c