Analysis Overview
SHA256
1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e
Threat Level: Known bad
The file 1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
Detect Vidar Stealer
Lumma Stealer
DcRat
Djvu Ransomware
ZGRat
Vidar
SmokeLoader
Detected Djvu ransomware
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Detects Windows executables referencing non-Windows User-Agents
Downloads MZ/PE file
Executes dropped EXE
Modifies file permissions
Deletes itself
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-10 19:44
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-10 19:44
Reported
2024-03-10 19:47
Platform
win7-20240221-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ec563fd8-b598-4da5-b8f8-3eacad193e6b\\5429.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Vidar
Detects Windows executables referencing non-Windows User-Agents
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DCBA.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ec563fd8-b598-4da5-b8f8-3eacad193e6b\\5429.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5429.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2892 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | C:\Users\Admin\AppData\Local\Temp\5429.exe |
| PID 2384 set thread context of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\5429.exe | C:\Users\Admin\AppData\Local\Temp\5429.exe |
| PID 1616 set thread context of 2344 | N/A | C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe | C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe |
| PID 1804 set thread context of 1576 | N/A | C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe | C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe |
| PID 1836 set thread context of 1424 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob | C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe
"C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\32D3.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\5429.exe
C:\Users\Admin\AppData\Local\Temp\5429.exe
C:\Users\Admin\AppData\Local\Temp\5429.exe
C:\Users\Admin\AppData\Local\Temp\5429.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ec563fd8-b598-4da5-b8f8-3eacad193e6b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\5429.exe
"C:\Users\Admin\AppData\Local\Temp\5429.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\5429.exe
"C:\Users\Admin\AppData\Local\Temp\5429.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
"C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe"
C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe
"C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe"
C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe
"C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build2.exe"
C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe
"C:\Users\Admin\AppData\Local\9d8d885d-6f8b-41be-8a87-7272248e5d85\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1468
C:\Windows\system32\taskeng.exe
taskeng.exe {8C5FF458-025A-440D-A792-94536AED20DC} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\DCBA.exe
C:\Users\Admin\AppData\Local\Temp\DCBA.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\E1DA.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\1318.exe
C:\Users\Admin\AppData\Local\Temp\1318.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-10 19:44
Reported
2024-03-10 19:47
Platform
win10v2004-20240226-en
Max time kernel
154s
Max time network
176s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
Detected Djvu ransomware
Djvu Ransomware
Lumma Stealer
SmokeLoader
ZGRat
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DBF5.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DBF5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DBF5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EDC8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DBF5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DBF5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19B6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5450.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\21f12759-31e3-4760-a46e-0a933afd6000\\DBF5.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\DBF5.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3940 set thread context of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\DBF5.exe | C:\Users\Admin\AppData\Local\Temp\DBF5.exe |
| PID 2020 set thread context of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\EDC8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2544 set thread context of 3324 | N/A | C:\Users\Admin\AppData\Local\Temp\DBF5.exe | C:\Users\Admin\AppData\Local\Temp\DBF5.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\DBF5.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe
"C:\Users\Admin\AppData\Local\Temp\1b9cb6ae126f7fb5bbbb0ffa6a7ec47cfc6eed1de4b091e1ac2443cf037ca90e.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BF73.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5084 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\DBF5.exe
C:\Users\Admin\AppData\Local\Temp\DBF5.exe
C:\Users\Admin\AppData\Local\Temp\DBF5.exe
C:\Users\Admin\AppData\Local\Temp\DBF5.exe
C:\Users\Admin\AppData\Local\Temp\EDC8.exe
C:\Users\Admin\AppData\Local\Temp\EDC8.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\21f12759-31e3-4760-a46e-0a933afd6000" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\DBF5.exe
"C:\Users\Admin\AppData\Local\Temp\DBF5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\DBF5.exe
"C:\Users\Admin\AppData\Local\Temp\DBF5.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3324 -ip 3324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 568
C:\Users\Admin\AppData\Local\Temp\19B6.exe
C:\Users\Admin\AppData\Local\Temp\19B6.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\237B.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\5450.exe
C:\Users\Admin\AppData\Local\Temp\5450.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| NL | 172.217.23.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 70.174.106.193.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| UY | 179.25.61.186:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | 186.61.25.179.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| US | 188.114.97.2:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | superemeboxlogosites.pro | udp |
| US | 188.114.96.2:443 | superemeboxlogosites.pro | tcp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wisemassiveharmonious.shop | udp |
| US | 172.67.181.250:443 | wisemassiveharmonious.shop | tcp |
| US | 8.8.8.8:53 | colorfulequalugliess.shop | udp |
| US | 172.67.185.152:443 | colorfulequalugliess.shop | tcp |
| US | 8.8.8.8:53 | 250.181.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | relevantvoicelesskw.shop | udp |
| US | 172.67.147.173:443 | relevantvoicelesskw.shop | tcp |
| US | 8.8.8.8:53 | 152.185.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 8.8.8.8:53 | 173.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 242.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 104.21.94.2:443 | resergvearyinitiani.shop | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 188.114.97.2:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | 2.94.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | hadogarden.com | udp |
| VN | 103.216.113.30:443 | hadogarden.com | tcp |
| US | 8.8.8.8:53 | 30.113.216.103.in-addr.arpa | udp |
Files
memory/800-1-0x0000000000610000-0x0000000000710000-memory.dmp
memory/800-2-0x00000000005D0000-0x00000000005DB000-memory.dmp
memory/800-3-0x0000000000400000-0x000000000046B000-memory.dmp
memory/800-5-0x0000000000400000-0x000000000046B000-memory.dmp
memory/3332-4-0x0000000002A30000-0x0000000002A46000-memory.dmp
memory/800-8-0x00000000005D0000-0x00000000005DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BF73.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\DBF5.exe
| MD5 | 34fde9d03541c0ed5419a5f836e484c6 |
| SHA1 | 06b08899348a41347284ca56cefd02783a2e4e90 |
| SHA256 | 419b2e437adbe8a00d794e190d387ce91a24243227418c33b5a556adcda46bd1 |
| SHA512 | 880c0a3f1b47aeac1b96f6e775e693921803dfcf5fb99352ec92f7cc9d89e1a05cdb01408e7de6580818c2431df022ba953b555711a7e5e4de85de01113a1488 |
memory/3940-21-0x00000000004C0000-0x0000000000560000-memory.dmp
memory/3940-22-0x0000000002200000-0x000000000231B000-memory.dmp
memory/4376-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4376-25-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EDC8.exe
| MD5 | 756931963ef47d8261e3090770710355 |
| SHA1 | 074e49a53dc0dea819a2ce9b487982f0ac114d86 |
| SHA256 | 6a103e31e7c1990a5f21e6ad483805b01fdbabe9fd9454f42aab0eda9b5d67cf |
| SHA512 | 231458212051567f7549a7d24d0d956219e33480fbba3428b2259d571265802aa9b8727998f6c5bf62e30c1ec673619506b5cb9d1220c738af0685be2ec397ce |
memory/4376-30-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4376-32-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2020-33-0x0000000074810000-0x0000000074FC0000-memory.dmp
memory/2020-34-0x0000000000D10000-0x0000000000D96000-memory.dmp
memory/2020-35-0x0000000003250000-0x0000000003260000-memory.dmp
memory/4376-46-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3964-47-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2020-50-0x0000000074810000-0x0000000074FC0000-memory.dmp
memory/2020-51-0x00000000032F0000-0x00000000052F0000-memory.dmp
memory/3964-53-0x0000000000400000-0x0000000000448000-memory.dmp
memory/3964-55-0x0000000000DB0000-0x0000000000DE2000-memory.dmp
memory/3964-54-0x0000000000400000-0x0000000000448000-memory.dmp
memory/3964-57-0x0000000000DB0000-0x0000000000DE2000-memory.dmp
memory/3964-56-0x0000000000DB0000-0x0000000000DE2000-memory.dmp
memory/3964-58-0x0000000000DB0000-0x0000000000DE2000-memory.dmp
memory/3964-59-0x0000000000DB0000-0x0000000000DE2000-memory.dmp
memory/4376-61-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2544-64-0x0000000000590000-0x0000000000630000-memory.dmp
memory/3324-68-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3324-67-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3324-70-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2020-73-0x00000000032F0000-0x00000000052F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\19B6.exe
| MD5 | 9e52aa572f0afc888c098db4c0f687ff |
| SHA1 | ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b |
| SHA256 | 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443 |
| SHA512 | d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62 |
memory/2496-78-0x0000000000400000-0x00000000010E5000-memory.dmp
memory/2496-86-0x0000000001640000-0x0000000001641000-memory.dmp
memory/2496-88-0x0000000000400000-0x00000000010E5000-memory.dmp
memory/2496-89-0x0000000001790000-0x0000000001791000-memory.dmp
memory/2496-87-0x0000000001760000-0x0000000001761000-memory.dmp
memory/2496-90-0x00000000017A0000-0x00000000017A1000-memory.dmp
memory/2496-91-0x00000000017B0000-0x00000000017B1000-memory.dmp
memory/2496-92-0x0000000003270000-0x0000000003271000-memory.dmp
memory/2496-94-0x0000000000400000-0x00000000010E5000-memory.dmp
memory/2496-95-0x0000000003280000-0x0000000003281000-memory.dmp
memory/2496-96-0x0000000003280000-0x00000000032B2000-memory.dmp
memory/2496-98-0x0000000003280000-0x00000000032B2000-memory.dmp
memory/2496-97-0x0000000003280000-0x00000000032B2000-memory.dmp
memory/2496-99-0x0000000003280000-0x00000000032B2000-memory.dmp
memory/2496-100-0x0000000000400000-0x00000000010E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5450.exe
| MD5 | 859a09d58d1c5e2e82dfb047151e8653 |
| SHA1 | 1971adde3e3535f7d7db24a8ef22284b45062437 |
| SHA256 | 6e214982f41ce44d7e768bf8f01484120101afefaddb8b66a7d332709d40294b |
| SHA512 | b040ad6c65dfb1da2d9abbdd99a4adf1abbf357d913780e214938af0d6f7a1b7778fb6ad763d8abfea71f2902fffa7b75d5d14272d248bad8ba07243787c8693 |
C:\Users\Admin\AppData\Local\Temp\5450.exe
| MD5 | 8550a2827ea5838ec8df7ff6fd10e6ce |
| SHA1 | c8ce1f265d516f063f7db92e341a59a4568cc484 |
| SHA256 | 02147ca0fdeec2804183385003397b5b10145d2027327a3b928acc0d2c00d527 |
| SHA512 | d1d6b8ce2411a8c5191bfb948bbfe455846fa2e6357bd5c7aeb78722776abc6ae529b4701439d1389b9de51b6ba00e8bba0fe39f17f39e423563b463bd61b9c9 |
memory/3080-105-0x00007FF6D2F40000-0x00007FF6D3BA2000-memory.dmp