Analysis Overview
SHA256
e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457
Threat Level: Known bad
The file BF-TL-605877001.exe was found to be: Known bad.
Malicious Activity Summary
PureLog Stealer payload
ZGRat
AgentTesla
PureLog Stealer
Detect ZGRat V1
Downloads MZ/PE file
Reads data files stored by FTP clients
Executes dropped EXE
Reads WinSCP keys stored on the system
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-12 13:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-12 13:16
Reported
2024-03-12 13:18
Platform
win7-20240221-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
"C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | firstbaptiststjoe.org | udp |
| US | 44.215.252.154:443 | firstbaptiststjoe.org | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-12 13:16
Reported
2024-03-12 13:18
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
PureLog Stealer
PureLog Stealer payload
ZGRat
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fel.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fel.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw = "C:\\Users\\Admin\\AppData\\Roaming\\Ozhvdskglxw.exe" | C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1208 set thread context of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe | C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fel.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
"C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe"
C:\Users\Admin\AppData\Local\Temp\fel.exe
"C:\Users\Admin\AppData\Local\Temp\fel.exe"
C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firstbaptiststjoe.org | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 44.215.252.154:443 | firstbaptiststjoe.org | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.252.215.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.78.101.95.in-addr.arpa | udp |
| US | 44.215.252.154:443 | firstbaptiststjoe.org | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 44.215.252.154:443 | firstbaptiststjoe.org | tcp |
| US | 66.29.151.236:587 | | tcp |
| US | 8.8.8.8:53 | 236.151.29.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\fel.exe
| MD5 | b47c31e89b4cacc864b6279983b4ffc3 |
| SHA1 | b082036aa2adb45f2db952d8dcd200fe766cf3cf |
| SHA256 | 34109344250f9884f7414b7d31de4f6627d4378e0723446fa836b18b60e8ed84 |
| SHA512 | d4febd99d7a9c554aa091ba2a03508bfefcd27ae33f04920865b3802cddcdb1960001acbcb5fab8cf61dc7a1427158b432ffa1c47d377e9417377635a15c994e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BF-TL-605877001.exe.log
| MD5 | c3941d9fa38f1717d5cecd7a2ca71667 |
| SHA1 | 33b5362675383b58b4166ed9f9a61e5aa6768d2e |
| SHA256 | f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256 |
| SHA512 | 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45 |
C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe
| MD5 | 3a44104fb5d035d1cd725732e94a5e8d |
| SHA1 | cb3f89df88e1468bca9d5ca01d22588791884ecb |
| SHA256 | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08 |
| SHA512 | eebe4acc924ef0284d7303ae581d29e67f1f2c23042b3a42e37b3bccedc28d10e3370a4221a95dd07c6d930d5bfae606de3a954f625f13a0eedc2eca8921acc1 |