Malware Analysis Report

2025-01-02 11:11

Sample ID 240308-dtnhssfa8s
Target fb8ddd837ad8b94f1faf0b4920ce7b2b.bin
SHA256 800530878e98abcca258c08a58304dedeed1f5fe3e792b7bef8c6586b61084f6
Tags
dcrat djvu glupteba smokeloader vidar e2da5861d01d391b927839bbec00e666 pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat stealer trojan lumma
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

800530878e98abcca258c08a58304dedeed1f5fe3e792b7bef8c6586b61084f6

Threat Level: Known bad

The file fb8ddd837ad8b94f1faf0b4920ce7b2b.bin was found to be: Known bad.

Malicious Activity Summary

Detect Vidar Stealer

Glupteba payload

Djvu Ransomware

Vidar

DcRat

Detected Djvu ransomware

Lumma Stealer

SmokeLoader

Glupteba

Modifies Windows Firewall

Downloads MZ/PE file

Deletes itself

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-08 03:18

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-08 03:18

Reported

2024-03-08 03:20

Platform

win7-20240221-en

Max time kernel

134s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\93807114-f534-48d5-b1e4-250b12fbfd4a\\EA9D.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\EA9D.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A

Detect Vidar Stealer

stealer

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\93807114-f534-48d5-b1e4-250b12fbfd4a\\EA9D.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\EA9D.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\harcbch N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\harcbch N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\harcbch N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\harcbch N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\41F3.exe N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2528 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA9D.exe
PID 2528 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\EA9D.exe C:\Users\Admin\AppData\Local\Temp\EA9D.exe
PID 2392 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\EA9D.exe C:\Windows\SysWOW64\icacls.exe
PID 2392 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\EA9D.exe C:\Users\Admin\AppData\Local\Temp\EA9D.exe
PID 2824 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\EA9D.exe C:\Users\Admin\AppData\Local\Temp\EA9D.exe
PID 1960 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\EA9D.exe C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe
PID 1960 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\EA9D.exe C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe
PID 2064 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe
PID 3044 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe
PID 2124 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe

"C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe"

C:\Users\Admin\AppData\Local\Temp\EA9D.exe

C:\Users\Admin\AppData\Local\Temp\EA9D.exe

C:\Users\Admin\AppData\Local\Temp\EA9D.exe

C:\Users\Admin\AppData\Local\Temp\EA9D.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\93807114-f534-48d5-b1e4-250b12fbfd4a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\EA9D.exe

"C:\Users\Admin\AppData\Local\Temp\EA9D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\EA9D.exe

"C:\Users\Admin\AppData\Local\Temp\EA9D.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe

"C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe"

C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe

"C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe"

C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe

"C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe"

C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe

"C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1444

C:\Windows\system32\taskeng.exe

taskeng.exe {4753503D-9C6A-40C0-A96F-E3DB8D6AA53D} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\harcbch

C:\Users\Admin\AppData\Roaming\harcbch

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\1F16.exe

C:\Users\Admin\AppData\Local\Temp\1F16.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\32E5.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 124

C:\Users\Admin\AppData\Local\Temp\41F3.exe

C:\Users\Admin\AppData\Local\Temp\41F3.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240308032022.log C:\Windows\Logs\CBS\CbsPersist_20240308032022.cab

C:\Users\Admin\AppData\Local\Temp\6369.exe

C:\Users\Admin\AppData\Local\Temp\6369.exe

C:\Users\Admin\AppData\Local\Temp\41F3.exe

"C:\Users\Admin\AppData\Local\Temp\41F3.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x51c

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Files

memory/2208-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2208-1-0x0000000002070000-0x0000000002170000-memory.dmp

memory/2208-3-0x0000000000400000-0x0000000001F00000-memory.dmp

memory/1200-4-0x0000000002A50000-0x0000000002A66000-memory.dmp

memory/2208-5-0x0000000000400000-0x0000000001F00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA9D.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\Local\Temp\Cab1890.tmp

\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build2.exe

C:\Users\Admin\AppData\Local\158376c1-3f07-49f5-bd97-d0e095628c21\build3.exe

C:\Users\Admin\AppData\Local\Temp\Tar651A.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar6723.tmp

C:\Users\Admin\AppData\Roaming\harcbch

C:\Users\Admin\AppData\Local\Temp\1F16.exe

C:\Users\Admin\AppData\Local\Temp\32E5.bat

C:\Users\Admin\AppData\Local\Temp\41F3.exe

\Users\Admin\AppData\Local\Temp\6369.exe

C:\Windows\rss\csrss.exe

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

\Users\Admin\AppData\Local\Temp\symsrv.dll

\Users\Admin\AppData\Local\Temp\dbghelp.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-08 03:18

Reported

2024-03-08 03:20

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\41D6.exe N/A

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\51a9255f-390b-435a-a03d-578945d2dea1\\41D6.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\41D6.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3336 set thread context of 2580 N/A C:\Users\Admin\AppData\Local\Temp\41D6.exe C:\Users\Admin\AppData\Local\Temp\41D6.exe
PID 4588 set thread context of 2060 N/A C:\Users\Admin\AppData\Local\Temp\41D6.exe C:\Users\Admin\AppData\Local\Temp\41D6.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\41D6.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ificwsh N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ificwsh N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ificwsh N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ificwsh N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3344 wrote to memory of 3336 N/A N/A C:\Users\Admin\AppData\Local\Temp\41D6.exe
PID 3336 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\41D6.exe C:\Users\Admin\AppData\Local\Temp\41D6.exe
PID 2580 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\41D6.exe C:\Windows\SysWOW64\icacls.exe
PID 2580 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\41D6.exe C:\Users\Admin\AppData\Local\Temp\41D6.exe
PID 4588 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\41D6.exe C:\Users\Admin\AppData\Local\Temp\41D6.exe
PID 3344 wrote to memory of 2000 N/A N/A C:\Users\Admin\AppData\Local\Temp\8729.exe
PID 3344 wrote to memory of 4368 N/A N/A C:\Windows\system32\cmd.exe
PID 4368 wrote to memory of 3472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3344 wrote to memory of 1188 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CD6.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe

"C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe"

C:\Users\Admin\AppData\Local\Temp\41D6.exe

C:\Users\Admin\AppData\Local\Temp\41D6.exe

C:\Users\Admin\AppData\Local\Temp\41D6.exe

C:\Users\Admin\AppData\Local\Temp\41D6.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\51a9255f-390b-435a-a03d-578945d2dea1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\41D6.exe

"C:\Users\Admin\AppData\Local\Temp\41D6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\41D6.exe

"C:\Users\Admin\AppData\Local\Temp\41D6.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2060 -ip 2060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 568

C:\Users\Admin\AppData\Roaming\ificwsh

C:\Users\Admin\AppData\Roaming\ificwsh

C:\Users\Admin\AppData\Local\Temp\8729.exe

C:\Users\Admin\AppData\Local\Temp\8729.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8BAE.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\9CD6.exe

C:\Users\Admin\AppData\Local\Temp\9CD6.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Files
