Analysis Overview
SHA256
8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
Threat Level: Known bad
The file 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
Amadey
Vidar
Djvu Ransomware
SmokeLoader
Detected Djvu ransomware
UAC bypass
DcRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks BIOS information in registry
Uses the VBS compiler for execution
Deletes itself
Loads dropped DLL
Executes dropped EXE
Identifies Wine through registry keys
Modifies file permissions
Looks up external IP address via web service
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Checks SCSI registry key(s)
Delays execution with timeout.exe
System policy modification
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs regedit.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-13 04:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-13 04:55
Reported
2024-03-13 05:00
Platform
win7-20240215-en
Max time kernel
300s
Max time network
302s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3577.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3577.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3577.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\3577.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64DC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64DC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64DC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64DC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64DC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64DC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64DC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64DC.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d6b6f262-097b-46f2-8397-4a74c32605ab\\64DC.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\64DC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | C:\Users\Admin\AppData\Local\Temp\455E.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3577.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\3577.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\B2ED.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hebijig | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hebijig | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hebijig | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hebijig | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\455E.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AC3C.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3577.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Uses Task Scheduler COM API
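The registry indicators in the tables above are written in the NT-native form the sandbox logs (`\REGISTRY\MACHINE\...`, `\REGISTRY\USER\<SID>\...`), which is not what `reg.exe`, PowerShell or most EDR queries accept. The following is an added example for this page, not part of the sandbox's tooling: it copies four indicator rows from the tables above, maps them to Win32 hive names (`\REGISTRY\MACHINE` is HKLM; `\REGISTRY\USER\<SID>` is HKU\<SID>, which is HKCU when queried as that user), splits key from value name, un-escapes the quoted data the way this report quotes it (an assumption about the report format), and emits `reg query` hunt commands.

```python
"""Translate the report's NT-native registry indicators into Win32 hive paths
and `reg query` hunt commands. Added example for this page; not part of the
sandbox's own tooling. REPORT_ROWS copies indicators from the signature
tables above; the un-escaping matches that report's quoting convention and is
an assumption about the format."""
import re
from dataclasses import dataclass
from typing import Optional

# (Description, Indicator, Process) copied from the report's signature tables.
REPORT_ROWS = [
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
     r"C:\Users\Admin\AppData\Roaming\svchost.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d6b6f262-097b-46f2-8397-4a74c32605ab\\64DC.exe\" --AutoStart"',
     r"C:\Users\Admin\AppData\Local\Temp\64DC.exe"),
    ("Key opened",
     r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
     r"C:\Users\Admin\AppData\Local\Temp\3577.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
     r"C:\Users\Admin\AppData\Local\Temp\3577.exe"),
]

HIVES = {"MACHINE": "HKLM", "USER": "HKU"}


def to_win32(nt_path: str) -> str:
    # \REGISTRY\MACHINE\X -> HKLM\X ;  \REGISTRY\USER\<SID>\X -> HKU\<SID>\X
    parts = nt_path.split("\\")
    if len(parts) < 3 or parts[1] != "REGISTRY" or parts[2] not in HIVES:
        raise ValueError(f"not an NT registry path: {nt_path!r}")
    return "\\".join([HIVES[parts[2]], *parts[3:]])


def unquote(data: str) -> str:
    # The report wraps data in quotes and escapes embedded quotes and
    # backslashes as \" and \\ (assumption drawn from the rows above).
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return data.replace('\\"', '"').replace('\\\\', '\\')


@dataclass
class RegIndicator:
    action: str
    key: str                    # Win32-style key path (HKLM\..., HKU\<SID>\...)
    value_name: Optional[str]   # None for key-only events such as "Key opened"
    data: Optional[str]         # observed data for "Set value" events
    process: str


def parse_row(action: str, indicator: str, process: str) -> RegIndicator:
    data = None
    if action.startswith("Set value"):
        indicator, _, raw = indicator.partition(" = ")
        data = unquote(raw)
    if action.startswith("Set value") or action == "Key value queried":
        key, _, name = indicator.rpartition("\\")   # last component is the value name
    else:
        key, name = indicator, None
    return RegIndicator(action, to_win32(key), name, data, process)


def hunt_command(ind: RegIndicator) -> str:
    # reg.exe syntax: reg query <key> [/v <value name>]
    cmd = f'reg query "{ind.key}"'
    if ind.value_name:
        cmd += f" /v {ind.value_name}"
    return cmd


def as_hkcu(ind: RegIndicator) -> str:
    # When hunting in the affected user's own session, HKU\<SID> is HKCU.
    return re.sub(r"^HKU\\S-1-5-21(?:-\d+)+", "HKCU", ind.key)


INDICATORS = [parse_row(*row) for row in REPORT_ROWS]

if __name__ == "__main__":
    for ind in INDICATORS:
        note = f"   # observed data: {ind.data}" if ind.data is not None else ""
        print(f"[{ind.action}] {hunt_command(ind)}{note}")
```

For the EnableLUA row the hunt command is `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA`, and a value of 0 on a host that should have UAC enabled is the finding; for the Run-key row the per-user path becomes `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` when run as the affected user.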
Processes
C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7BD4.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\64DC.exe
C:\Users\Admin\AppData\Local\Temp\64DC.exe
C:\Users\Admin\AppData\Local\Temp\64DC.exe
C:\Users\Admin\AppData\Local\Temp\64DC.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d6b6f262-097b-46f2-8397-4a74c32605ab" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\64DC.exe
"C:\Users\Admin\AppData\Local\Temp\64DC.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\64DC.exe
"C:\Users\Admin\AppData\Local\Temp\64DC.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe
"C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe"
C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe
"C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe"
C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe
"C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1404
C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe
"C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {B62C8D17-9261-427B-BC08-535E87AFE89D} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\B2ED.exe
C:\Users\Admin\AppData\Local\Temp\B2ED.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 124
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\B7DD.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\CE1C.exe
C:\Users\Admin\AppData\Local\Temp\CE1C.exe
C:\Users\Admin\AppData\Local\Temp\3577.exe
C:\Users\Admin\AppData\Local\Temp\3577.exe
C:\Users\Admin\AppData\Local\Temp\455E.exe
C:\Users\Admin\AppData\Local\Temp\455E.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\hebijig
C:\Users\Admin\AppData\Roaming\hebijig
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4C5C.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\svchost.exe
"C:\Windows\System32\svchost.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
C:\Users\Admin\AppData\Local\Temp\AC3C.exe
C:\Users\Admin\AppData\Local\Temp\AC3C.exe
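The process list above contains the command lines a detection engineer would want to turn into rules: a task re-run every minute from a user-profile path, an `onlogon` task at the highest run level pointing at a `svchost.exe` under `%APPDATA%`, an `icacls` deny for Everyone (S-1-1-0) on the dropped folder, and a Defender exclusion added via `Add-MpPreference`. The following is an added example written for this page, not the sandbox vendor's detection logic; the rule names are mine rather than the report's signature names, and the input is a constructed subset of the command lines copied from the Processes section.

```python
"""Command-line triage over the process list of this report.
Added example written for this page, not the sandbox vendor's detection
logic; the rule names are mine, not the report's signature names.
REPORT_CMDLINES is a constructed subset copied from the Processes section."""
import re
from collections import Counter

REPORT_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\7BD4.bat" "',
    r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
    r'icacls "C:\Users\Admin\AppData\Local\d6b6f262-097b-46f2-8397-4a74c32605ab" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'"C:\Users\Admin\AppData\Local\Temp\64DC.exe" --Admin IsNotAutoStart IsNotTask',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1404',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit''',
    r'timeout 3',
    r'"C:\Users\Admin\AppData\Roaming\svchost.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force',
]

# (rule name, severity, pattern). Each rule maps to something visible in the
# report: the minute-interval task, the onlogon/highest task, the icacls deny
# on the dropped folder, the Defender exclusion, and binaries carrying a
# system-process name but living in the user profile.
RULES = [
    ("task_every_minute", "high",
     re.compile(r"/create\b.*?/sc\s+minute\s+/mo\s+1\b", re.I)),
    ("task_onlogon_highest", "high",
     re.compile(r"/create\b.*?/sc\s+onlogon\b.*?/rl\s+highest\b", re.I)),
    ("task_target_in_user_profile", "medium",
     re.compile(r"/tr\s+'?\"?C:\\Users\\", re.I)),
    ("acl_deny_everyone_delete", "high",
     # (OI)(CI) inherit to files and subfolders; DE,DC = delete and delete-child,
     # i.e. Everyone is denied the right to remove the dropped folder contents.
     re.compile(r"icacls\b.*?/deny\s+\*S-1-1-0:\S*\bDE\b", re.I)),
    ("defender_exclusion", "high",
     re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.I)),
    ("system_binary_name_in_user_profile", "medium",
     re.compile(r"C:\\Users\\[^\"']*\\(svchost|explorer|lsass|csrss|winlogon)\.exe", re.I)),
    ("temp_batch_via_cmd", "low",
     re.compile(r"cmd(\.exe)?\"?\s+/c\s+\"*C:\\Users\\[^\"]*\\AppData\\Local\\Temp\\[^\"]*\.bat", re.I)),
    ("hkcu_marker_via_reg_exe", "low",
     re.compile(r"^reg(\.exe)?\s+add\s+\"?HKEY_CURRENT_USER\\Software\\", re.I)),
    ("execution_delay", "low",
     re.compile(r"^timeout\s+\d+", re.I)),
]


def tags_for(cmdline: str) -> list:
    """Rule names that fire on a single command line, in RULES order."""
    return [name for name, _sev, rx in RULES if rx.search(cmdline)]


def triage(cmdlines) -> list:
    """[(cmdline, [tags])] for every line on which at least one rule fired."""
    out = []
    for line in cmdlines:
        tags = tags_for(line)
        if tags:
            out.append((line, tags))
    return out


def tag_counts(cmdlines) -> Counter:
    return Counter(t for _, tags in triage(cmdlines) for t in tags)


def max_severity(cmdlines) -> str:
    """Worst severity seen across all fired rules; 'none' if nothing fired."""
    order = {"low": 0, "medium": 1, "high": 2}
    sev = {name: s for name, s, _ in RULES}
    worst = max((order[sev[t]] for t in tag_counts(cmdlines)), default=-1)
    return {v: k for k, v in order.items()}.get(worst, "none")


if __name__ == "__main__":
    for line, tags in triage(REPORT_CMDLINES):
        print(", ".join(tags), "<-", line)
    print("worst severity:", max_severity(REPORT_CMDLINES))
```

The `WerFault.exe -u -p <pid> -s <handle>` lines are crash handling, not attacker activity, and fire nothing; the minute-interval task line in the report carries only arguments (the process is `schtasks.exe`), so the task rules match on `/create` rather than on the binary name.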
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| MX | 187.211.202.16:80 | sdfjhuz.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| MX | 187.211.202.16:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| PA | 190.218.35.32:80 | sajdfue.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| PA | 190.218.35.32:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| DE | 5.75.221.28:80 | 5.75.221.28 | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 104.21.51.243:443 | valowaves.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | hadogarden.com | udp |
| VN | 103.75.185.76:443 | hadogarden.com | tcp |
| VN | 103.75.185.76:443 | hadogarden.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| NL | 195.20.16.82:443 | | tcp |
| NL | 195.20.16.82:443 | | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | demo.nessotechbd.com | udp |
| US | 192.185.16.114:443 | demo.nessotechbd.com | tcp |
| US | 192.185.16.114:443 | demo.nessotechbd.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | streamingplay.site | udp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 185.215.113.45:80 | 185.215.113.45 | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | www.upload.ee | udp |
| FR | 51.91.30.159:443 | www.upload.ee | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | tmpfiles.org | udp |
| US | 104.21.21.16:443 | tmpfiles.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | valostar.org | udp |
| US | 104.21.18.207:443 | valostar.org | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| NL | 195.20.16.82:443 | | tcp |
| US | 8.8.8.8:53 | artemis-rat.com | udp |
| US | 172.67.140.87:443 | artemis-rat.com | tcp |
| NL | 195.20.16.82:443 | | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | www.callmanpro.com | udp |
| US | 172.67.140.87:443 | artemis-rat.com | tcp |
| AR | 200.58.108.2:80 | www.callmanpro.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
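The Network table mixes the resolver queries, the IP-lookup and certificate fetches, the legitimate services the report flags as abused, and the repeated plain-HTTP connections to one host. The following is an added example written for this page, not the sandbox vendor's code: it parses a constructed subset of the rows above (including one row whose columns were shifted by extraction, with the protocol in the domain column), ranks destinations by connection count, and groups them into buckets. The `api.2ip.ua` and `drive.google.com` buckets come from the report's own signatures; the remaining bucket assignments (the `.onion.ly` Tor2web gateway, the IdenTrust host as CryptoAPI chain-fetch noise) are analyst assumptions labelled in the code.

```python
"""Reduce this report's Network table to reviewable indicators.
Added example written for this page; not the sandbox vendor's code.
SAMPLE_TABLE is a constructed subset of the rows above, including one row whose
columns were shifted by extraction (proto in the domain column). Bucket
assignments beyond the report's own two signatures are analyst assumptions."""
from collections import Counter
from dataclasses import dataclass

SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| MX | 187.211.202.16:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| NL | 195.20.16.82:443 | tcp | |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| RU | 185.215.113.45:80 | 185.215.113.45 | tcp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str   # empty when no hostname was observed for the destination
    proto: str


def parse_rows(table: str) -> list:
    conns = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        # Extraction sometimes shifts the proto into the domain column when
        # the domain is empty; put it back where it belongs.
        if domain in ("tcp", "udp") and not proto:
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        if domain == ip:          # a bare IP in the domain column is not a hostname
            domain = ""
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


DNS_RESOLVER = "8.8.8.8"
KNOWN_SERVICES = {
    "api.2ip.ua": "ip_lookup_service",          # report: "Looks up external IP address"
    "drive.google.com": "abused_legit_hosting",  # report: "Legitimate hosting services abused"
    "apps.identrust.com": "crl_or_aia_fetch",   # assumption: CryptoAPI chain-building noise
}


def classify(conn: Conn) -> str:
    if conn.ip == DNS_RESOLVER and conn.port == 53:
        return "dns_lookup"
    if conn.domain in KNOWN_SERVICES:
        return KNOWN_SERVICES[conn.domain]
    if conn.domain.endswith(".onion.ly"):       # assumption: Tor2web-style gateway
        return "tor2web_gateway"
    if not conn.domain:
        return "direct_to_ip"
    return "candidate_c2_or_payload"


def top_talkers(conns, n: int = 3) -> list:
    """Most frequent (domain, ip:port) pairs, resolver traffic excluded."""
    counter = Counter((c.domain, f"{c.ip}:{c.port}")
                      for c in conns if classify(c) != "dns_lookup")
    return counter.most_common(n)


def group_by_bucket(conns) -> dict:
    """bucket -> sorted unique names (domain, or bare IP when none observed)."""
    groups = {}
    for c in conns:
        groups.setdefault(classify(c), set()).add(c.domain or c.ip)
    return {k: sorted(v) for k, v in groups.items()}


CONNS = parse_rows(SAMPLE_TABLE)

if __name__ == "__main__":
    for (domain, dest), hits in top_talkers(CONNS):
        print(f"{hits:3d}  {dest:<22} {domain}")
    for bucket, names in group_by_bucket(CONNS).items():
        print(bucket, "->", ", ".join(names))
```

On the full table the same ranking puts `trad-einmyus.com` at `31.41.44.192:80` far ahead of every other destination, which is the beaconing pattern to review first; `drive.google.com` stays in its own bucket because the report flags it as abused hosting but it is not a blockable indicator.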
Files
memory/1540-1-0x0000000000650000-0x0000000000750000-memory.dmp
memory/1540-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1540-3-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1540-5-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1188-4-0x0000000002E00000-0x0000000002E16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7BD4.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
memory/2412-26-0x0000000001AB0000-0x0000000001B41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\64DC.exe
| MD5 | 3dfc8542fbc11f1718d2bad085b8873c |
| SHA1 | 2d9e06da7f34812b0333dacc2c4a615a74c6bb04 |
| SHA256 | 5bbf2510ea14d41d2d24bf1faf2771ce864ba69017dc44ad93b153a4cffc6964 |
| SHA512 | 9212fe73409d42f7eceabb157c83f4a88a0b20fa9564343fc6f32c81987fe12328f3c7e16e0459c6efd6042f5144eaac39076c50e3dce8e631a98a3769c742ea |
C:\Users\Admin\AppData\Local\Temp\64DC.exe
| MD5 | 6f7c970ae7d7a5acd6509473e79a0730 |
| SHA1 | 699efecbbc1c276d684584f92fba75e7d16413b5 |
| SHA256 | 76796b8285e9ce4940438d53c5bc6ff04a6a799b3beff3bfbe7b52ad2e3544b8 |
| SHA512 | b3014c3821ace9012a0f2576ab87521937461d3c89c2c1aa34deb73762b62d7826c40146e39094437e0e5797e073cc25b4379862f217de75c58bf685b8b3407e |
C:\Users\Admin\AppData\Local\Temp\64DC.exe
| MD5 | 3dbeb2e1cbac80fb84bd670ae1738620 |
| SHA1 | 30f67b0f9aa5a4dc230abb40dd1ed8a6f11eb1d4 |
| SHA256 | 6e4bae3a43b6db76d57669e953115f02b3e66d56a1f4f14019b566af9bf52a3c |
| SHA512 | 60b4ca73a93c08e7a7e56a42674d8db9884ee9a86d89f5e833e673a8576fe17e944ef7249bf23ef8f7af60fcbf9dde18525835d36647eb02e8e93ba61726e967 |
memory/1984-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2412-36-0x00000000032D0000-0x00000000033EB000-memory.dmp
memory/2412-35-0x0000000001AB0000-0x0000000001B41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\64DC.exe
| MD5 | 946144fc338bdd6b1862d357adcc4de8 |
| SHA1 | 32218909ddf3b0057b01f174bb56285213bf7b54 |
| SHA256 | dfa58f6e985b4d1472037bb56ebf2fe25d7b47beb2e0f902bdbe914954bb3385 |
| SHA512 | 929ab0f72fdff7bd0ea08a1750539761487c929e281317d84b32eea8ea34143f6237496286e7134deca9bdb4d3cc0bea3a23569d20e8717e61dc1b220f85f574 |
memory/1984-32-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1984-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1984-38-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\64DC.exe
| MD5 | 902dbdcab024e24fd892bdaa5cb38ce8 |
| SHA1 | 737981744d08c3af5ce53d99668f261b1f530d77 |
| SHA256 | 1b5b64f53c194425537dd344bf815130f30f209da374cd42c221ff48cf343f14 |
| SHA512 | 676a58255e7f81794d9542f642062668375e413a083677ea1d08207f3d519ab29223f653d71e3ebf2d2d117e80c9b4d08745167a8e473ff8b70e81c84b10cbb8 |
memory/2412-27-0x0000000001AB0000-0x0000000001B41000-memory.dmp
memory/2028-61-0x0000000000310000-0x00000000003A1000-memory.dmp
memory/2824-69-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2824-70-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\64DC.exe
| MD5 | 614748cb8835fb699d714d2499f6171e |
| SHA1 | 4db5da4f1a2eaca25c72612191d4c8cad12faec1 |
| SHA256 | cc040b2eab18098799da32592854f594d3bdc7b91d5ea7cc9765ad1b9c37d11c |
| SHA512 | dcb6d1917c77d328212a9124f98826dcd72d0c9ac985aae2b548ad6315fcd6b72ca9cea7ac777c14141afc007aa4a582dd1d80c2b057dd7aa7d7cabeb7a108ab |
memory/2028-63-0x0000000000310000-0x00000000003A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\64DC.exe
| MD5 | 71d78c2b1f5fbfb5f008c2245fcadb25 |
| SHA1 | 17d53e16ecdf37ae8c27a5996d5756eb9bd2aabc |
| SHA256 | 5b80f166dabef6eaa108585708c4713de778f882deae5f5f1a41d37948f9be7e |
| SHA512 | ec46918307fa27f33841eed3c7222eca81ac33ce94ed94390c4c74bdd772857092fe2951bf599129620add6a61b3e68f98df7eee186432495f9032da982cff70 |
C:\Users\Admin\AppData\Local\Temp\64DC.exe
| MD5 | 3279958f604bf9306faaa1d44b27065c |
| SHA1 | f57beb49cc627ddd2b8dcd0f8d65974130198bb5 |
| SHA256 | 8684efa68906f84f4e347d3f6ca4ccd02aaff20ae6cc9eafd17d946feb42c5c6 |
| SHA512 | 9e6853b72f600be42cd327b2233d0fcc8b0f61ca7fa052468bd970e636c0de9ef387be7a2ba8453ab65fbc78542eeae11d17b847183c4f4ecf9d998019defb5c |
memory/1984-59-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\64DC.exe
| MD5 | 448013e06e7902465301a27cda737605 |
| SHA1 | 4e0da95f31215e9a7179efca3b99df64a1d8a3f8 |
| SHA256 | b4636ed88d3237980efc209fb6f998483c7549bb5803d46d8d41ec77a70bf5e0 |
| SHA512 | 559feec62a8640edf99603d10510b881e5cf017ba912c369a7c1faadc33226d8d84838f3d9b44168b96ccdaeb2f2281adcf9d00063f4dc51c2ddcf093e876189 |
\Users\Admin\AppData\Local\Temp\64DC.exe
| MD5 | c9eff2a0b9f3cbae78b782dd0624dd21 |
| SHA1 | ab1fc871b847576456a9dc276b5cb05aee6d8ce3 |
| SHA256 | 38d4ce30f34c8ab3e442e91b4cb0bbfb03c8816217117cb44503d3a35f386b27 |
| SHA512 | 42cb7ba64fb140340f7f0105ef27909f99e1b0254890bf8a15bab76678834a44004eb3d45cda9f46c2e80d3c2c3a5bf8d1820ef21ad9a7c44e7509e597fc0681 |
C:\Users\Admin\AppData\Local\d6b6f262-097b-46f2-8397-4a74c32605ab\64DC.exe
| MD5 | c8ad6fa2a63f62791aff9befebeb2f68 |
| SHA1 | 3a95161d36a24dcf683d7f5d90eb1fa9f400d81a |
| SHA256 | f6a0404e51373a43b5c07b154eab43e8b55506a453ea03dcbfaadc1a642494fa |
| SHA512 | a10db67c387b6864c304112927293e873166a55e0d291618d4405ccc05cf1ce89094ac128de64e611caaf5c8d43a645c4943edb41971f7fe5ca736d9ef4c9602 |
C:\Users\Admin\AppData\Local\Temp\Cab706F.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 88932cd54725d73e8efca23516272287 |
| SHA1 | 02ef667107591b0b56cadb3fe7b4b9d464a56b5f |
| SHA256 | 5304c96af09ccb94448e57556d5c166a3af7ee0db1086bef5bff519a9865692f |
| SHA512 | 86d1c9635641591936ff823b9a4ee1ad3ffec053ddeaf3c04d8b2cddfb1571a3722a8398ac12b57057d2c30fb4b7d11ae37a06ddce41ea0af418de0d41802d76 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | fc34c062b2bb455d9c7a373ccf3a7d04 |
| SHA1 | 6d489b7f670fced329466b4fd0b7ff77a7c22a0d |
| SHA256 | a14a3712229a25f124930369e2d3aae6f67de378b64c22ecdc282fa2c1f11ec0 |
| SHA512 | 3b9006994cdc7364f51060d67a09f80c6fb970ef03acd5d4bb2d4c3342c3a68a994e1ff7291abaf9ce67fa7be19f66d14ab10ac4e92b15740e2eb15c418782c6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | a76a4d2836ddebbb5640efb5ffaa566b |
| SHA1 | 0e0a9a04a0b2fa6680a29bfeccdc029fe81bdbe7 |
| SHA256 | 315d52f0713aa99da7c66fa92ef2599d542c068367661a42718c6b90df7a02ac |
| SHA512 | 4033d1a248c418e45dd2708582f32eda17d99724c4c956b6533eda52365453f64102ca3140d1d2e11d87e22e2d10e46c3385cddbec3a20d0c4547fc143139314 |
memory/2824-83-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2824-84-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 48263008937d64e9875a2b866802a8d5 |
| SHA1 | a9311ae766d7433783dcb0dd167a1838d340fde5 |
| SHA256 | d4257c406ecafa2aae85bd86b63580fae6f99464e931a69443709074a164e2d3 |
| SHA512 | 6d3ba9cdba07dc9d0fc5bb8799cec88ae2339e6eed2949d2f22e55aaeab6bc8745000f85d820da295363fe6b78e6764837ef47f7281d078b340871d243ac6241 |
memory/2824-90-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2824-91-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2824-88-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2824-92-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe
| MD5 | 34f19f7f121365a4249717e4435a0a8c |
| SHA1 | 37df557888cfc5ddebd060655ee6c8746d50e63b |
| SHA256 | 78c3e1c5889160b8315dff109e49024b099451342c31406c116c1f5648bc2568 |
| SHA512 | 4fcf0550176bb8ca48da1dcc5017b3f67aad0b5fc8b3f5c33b5e7a73711d865137e23d2a9a64ac58303d62656dfbc73a82c1acb7f84d74ecd5061ee8a966eeaa |
memory/1620-109-0x0000000000400000-0x0000000000644000-memory.dmp
memory/1620-107-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1620-115-0x0000000000400000-0x0000000000644000-memory.dmp
memory/1620-114-0x0000000000400000-0x0000000000644000-memory.dmp
memory/3008-113-0x0000000000230000-0x0000000000261000-memory.dmp
memory/3008-112-0x0000000001B87000-0x0000000001BA2000-memory.dmp
C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe
| MD5 | e4ec3d781ecbe743ba7d446db2c67096 |
| SHA1 | f4f66c61f6ef794519d184e2615ae4dadc0da409 |
| SHA256 | 56026c0161c5d4bfcbb0072eb80ad36b69bfefc89353b91a83f693a241c23207 |
| SHA512 | f79ee4a0be8f4f952e6f0dc37f8ba72e3be4697cdf608aad204f7318678e72d771ecb88e6a4e7b9e1e38a7d4768c0885621d2a08d887d31e807c72052126b58e |
C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe
| MD5 | 88c5ca503e8fecbca8ee889a892b165c |
| SHA1 | 2ec61a72dc88584abda48f19fb8e4d2847264aed |
| SHA256 | 41f6207540f5197717e1c601b43c9c89a5109ff3aab98fe80f6645f0ebd2a153 |
| SHA512 | 366035a481a439854094d13f8a0b9bf26e706dd43100421d92724baa1f9b1ceac74669e42e9331867a3c364f8e2f0c05d3387e5dea9d8669d29832614fa7b4b9 |
C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe
| MD5 | 02d86f9571c3dbd274a28190309bb1a6 |
| SHA1 | c19d850cc14af9b3b85bbeb198aa966b7e272fc2 |
| SHA256 | 14d8636e1811a0497ffeb84366df17796d2be14eb94960efd317ef014bbe0d46 |
| SHA512 | f5c5566c53d33089a70667295bf502a9a6ea786ddef7c211d792a1673fe0d71c105d10e4aaaab1675a3899bedec075e9a42fc1af165d0d87ead48a37230f6dda |
C:\Users\Admin\AppData\Local\Temp\TarAEF6.tmp
| MD5 | 90885b555e9b222dfc7398beffca7b46 |
| SHA1 | 2962991e6410771d22ffe66c42762bf001e2c5c1 |
| SHA256 | 3bc25b9311e65807b4e4908ffca695c9199a967ffc0176a68b60d4608b881bcf |
| SHA512 | 4df085b2190b9428bdd67a47d93529bf386dbb614c42d86371b65ccf4b287b526754226a2b196f0786c97c3f182dc641fe1c4735b6bf64b45bdcb64e70290af1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | a0b78d48bdf45f90582af04786b04ee3 |
| SHA1 | 83356e84b4431582836c039151d1dcad7bdfb616 |
| SHA256 | d209243cde1f8fe5822fe5afa7adcf26edb9c85f063f619b5eda57ca1a859dc1 |
| SHA512 | ea797e6c9d892d6a8a5737a070ead2e217b05a26cb740d6f9823b2a419408108bbcc083157ac422716de5935fa0f9cd8a9a44239bc62ec4387c3d943f338a581 |
C:\Users\Admin\AppData\Local\Temp\TarB0B0.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe
| MD5 | 6b99207030116c21861963cdc4debfdb |
| SHA1 | 056b357f2e6768de12f4e03cb35f2c061c608822 |
| SHA256 | 49c519188ae464b2d41d99703dd63e6315356856f4bc1ebc4fb6d4c55956a025 |
| SHA512 | 907a495e90b881b9c7ae9710d4b116bfcacef7cade93c64746377ee577da4ad44ee029977521ca50d69f080a7cfb4aafc6ea8877a32c0e54ac7b20963930a866 |
memory/2824-164-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe
| MD5 | b5cb8946d2e58e3bdc9acc7835f3f066 |
| SHA1 | dc234d5fc27c2788ed13d84244157bf6622882c6 |
| SHA256 | 83e9885b020d373938f3e5c2a44e4e9cbb6ede67645c5232583e4169b0bc13f5 |
| SHA512 | c24d61a2598c50d0a2b0c9a09c5a7c82e688f51d972284707fd0ef2016ae3aa15ba6a2b1f0204f0d6d52ac3f452ac21e0ababdf5fa4f52d94bdda3c3d6814923 |
\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe
| MD5 | cd1daefbe2f3399fdaa07d200486e143 |
| SHA1 | da202756c0510fbdc3b14db31dfcbf9b1a53cf79 |
| SHA256 | 1c60cba4195bc69193d78278556c9206228ce900537c18215ea95ebab831eed4 |
| SHA512 | 2ea8352e339d649347370c35081295ebf7ba5f9127d86448a5532470bd5250f43748ba1e09cbe0f13b7f73c61f1a043bb6c0986688be4fca7501aee845abdac2 |
\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe
| MD5 | e1df82486b4d96ece5dfa184ad6ef3b2 |
| SHA1 | 0228e054025dd0c4da465306633226565c891f0e |
| SHA256 | 43baf9f89e8246625a7c15714ef83f53270313e4ae2a58b172702c41e36f1aed |
| SHA512 | 9036ab857d6bbe2d848be9797c9e04fb4e67a231ed3eba87db6030dff44ba25e275258ce8da8223b76ec0fe6bda9d7a8f882a97a8102f08a76e41cccf5d26c7a |
\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe
| MD5 | 115b27e2126c6c571eb0e7c51e958732 |
| SHA1 | da833f9f812b5bd4da5ba1895a0ab506f82508ab |
| SHA256 | a291bd9e78c267b2131bfff094cc37ac0e692b11864fabb6f8f5a8d7973a7a09 |
| SHA512 | 4c86a3aeca78d85bc3660ab474fd07e760f8ded709012e459c31fc84f4565b452914fb7a3c77043ce30d6bc166fd45b56542916a99c31ec4a721ed589d4f3553 |
\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe
| MD5 | a90447ba8560044f5943349e59eaacc6 |
| SHA1 | 5a3f945d8bbea21cee605e8011020b973d06e7ac |
| SHA256 | ff2ff0f6d4ee2441f272b7f7a03ca6a149601e28ce7066ad994f36384ef17075 |
| SHA512 | 6ece1cdc4c2cb0b79c0bf38210cff30647ca44ce971172f8d3a613385fb3a38029ef657982b87ed334ad1f897266045662a54efc298df1f8bb41f45591898216 |
\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe
| MD5 | eba90198a44bbdee6ae61b2b96027aab |
| SHA1 | b72a9b4cfa3f4988022df41e42a10f198edd1754 |
| SHA256 | f56e2dd5f931e6ec53ffeeabfde0d146682351868792e7a591066285abe155af |
| SHA512 | 5caca1b6c32d3d679694dc89f72419f6ed9b6b006ee2c0c7111674afcff8d908f39eb6de544afc600e81d196f32d860dcb06717959f2c3d7c6dac0240341b081 |
\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build2.exe
| MD5 | 529e1d20df82e1a01197b810fb57657e |
| SHA1 | 01a4297cef48c9205577d53fded47504bc4bc697 |
| SHA256 | c0fef2ca89a8195c47fb9495d3b60a75f2fa6e204951f75b816083e0e734e81a |
| SHA512 | e28220925a39ed4b4bd46f0bb8ed93f5ad8298e4f40b5fb67dce818497e3e5f4e589a78cb70264e06044eee8d5463adce81e5f82ac730605aaa6aec3af80bcf1 |
memory/1040-177-0x0000000000332000-0x0000000000343000-memory.dmp
memory/1040-179-0x00000000001B0000-0x00000000001B4000-memory.dmp
C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe
| MD5 | 32d1ecf7e41e5a43a377acd3e6efd29f |
| SHA1 | 611d64000651fc557e845ae21c5c41f82354d626 |
| SHA256 | b33b60894da4a2ed85904389c3dc7b702a4efc9eed5ab753b4fc5743bcbf5706 |
| SHA512 | 301be0c472a2fd6f3aeb17f0f3ed94843a94aa924416ad136fbd11452c410dd5d4f85d8853374eabdef66789ca0dc7a75ec29aaa7d23f1bbafee8ef7dfbc13c2 |
memory/2220-182-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2220-180-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2220-175-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2220-173-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\fb5eb7d0-22b1-4fa6-b67f-d9c47c4204bb\build3.exe
| MD5 | 4fca64d1fefe25cf89d109d2376a9d65 |
| SHA1 | 121f2e704a4e15af6d12b43590cc914f9f0c09f6 |
| SHA256 | 0f59eca19de161a63a3d69aabe08b0af1dd6fcf5ca5196a1d2c7023644a650f5 |
| SHA512 | 1eb7ee8319578d853580deea0d00a1472f2964f39a9a709ed0e25284d9a7dfbc79d7183e594bdb1bab066af5c4153c9e76aa57d5cb46514a78552674dce74f65 |
memory/1620-184-0x0000000000400000-0x0000000000644000-memory.dmp
memory/1040-188-0x00000000001B0000-0x00000000001B4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1364-204-0x00000000002B2000-0x00000000002C2000-memory.dmp
memory/268-231-0x0000000000C92000-0x0000000000CA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B2ED.exe
| MD5 | 9e52aa572f0afc888c098db4c0f687ff |
| SHA1 | ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b |
| SHA256 | 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443 |
| SHA512 | d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62 |
memory/3028-253-0x00000000009D0000-0x00000000016B5000-memory.dmp
memory/3028-283-0x0000000000430000-0x0000000000431000-memory.dmp
\Users\Admin\AppData\Local\Temp\B2ED.exe
| MD5 | eefc844b4e4ddd44a375f780ac4c36d5 |
| SHA1 | 9bbbe7da2992204d60b0a0fc1e667ecdbaae5be2 |
| SHA256 | 8bbe04e589e1f0a6c77abf1367eed9cad34de531b55cdb98b482e592785aa2c6 |
| SHA512 | d44cdaa9ebee844dfeb50db7cf2a37904523663a17e43ddf42992f95f3d6f9da880ca5988dd68a359615493fd153599230dcfb7feca8275bf469935e462ab3d6 |
\Users\Admin\AppData\Local\Temp\B2ED.exe
| MD5 | 03a2f604151f8278af8ca4eefa0df58c |
| SHA1 | 6daca600f46df42e23866e4fd743ec024e122dee |
| SHA256 | 4a30661261d3d180f5dc456e587171d6fb2ad17491721dc87cd230601eb75bbf |
| SHA512 | aa299fba7358b2e3aa50fc1e4c83b915a719a8329175896cd21395af03843d40e44e71cb05f3f920abc543f7bac77f12c4a580ae658ae32fd982cf114196476b |
\Users\Admin\AppData\Local\Temp\B2ED.exe
| MD5 | 4c540058c8f2a15594c0393b28fc6047 |
| SHA1 | 0afb832bb60e6201007fac44d4d74528a352252e |
| SHA256 | fdb874a646ec299818bf5cfaf8383d061c72f4668e05340981af95b4f4da98d3 |
| SHA512 | c37da264d34add48a1e89f4d3e06ac92b7e04cc4f28d92d053b4b668efb6de4c54de5850c1d03b7f05a659d799db779a411338055dbc699d559dda7f68cc04dc |
\Users\Admin\AppData\Local\Temp\CE1C.exe
| MD5 | d8133933c35b3641839b23fd75109c45 |
| SHA1 | a80e7473903a2d79fac4198bb5a80fc6ea968c87 |
| SHA256 | 9393404a775a29519a48dedcefc783a2063e69a2c66cf106d23fa4d1c60ae547 |
| SHA512 | 9bfdc4fdeaeb87c737aeb54ee0575a2bb1e0e13636a173e144f97559c88d05971910c7f3c569ba8a361eea349960eaf1066c41afafa4b4b35f8c91bdd20f66a4 |
C:\Users\Admin\AppData\Local\Temp\CE1C.exe
| MD5 | 96baed0a5a1457e2cd34fe3d07c2c5f6 |
| SHA1 | 2aacbc3af9dd46946d3ac82ff61b1585b47ab152 |
| SHA256 | 1df36bc73ac4849edd93d83c5d0d291ffd66ca268615797974e836dd8a634241 |
| SHA512 | 8925bc98eba987406398ddc31c6f2e9b37fd20ecd7bf997c9caf3aaa3147ff393b959c304dfa16dde3e1dd4b8cc669eed6ac1a30ae1fee6eabebe8ea0737e255 |
memory/3028-308-0x00000000009D0000-0x00000000016B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3577.exe
| MD5 | 2b5e7dcf3ac39936ce5e23363b7f1ebb |
| SHA1 | 162abdb723234b8bbc9acf187bfca4c24cd60c7b |
| SHA256 | ce82279fd80069f3135ed59d2dfebe2ec81e0b8c468785acfaabb3bec8759205 |
| SHA512 | 93aba7c72311ebd98acbea00f87fe374fd933346a3a3b0d6dead83e2a1167513c9264740b0b62f6650ab513231ea52251528d507e9a695b6bf1e292c55c3e322 |
memory/1432-318-0x0000000000030000-0x00000000004E0000-memory.dmp
memory/1432-319-0x0000000077800000-0x0000000077802000-memory.dmp
memory/1432-320-0x0000000000030000-0x00000000004E0000-memory.dmp
memory/1432-332-0x0000000000C80000-0x0000000000C81000-memory.dmp
memory/1432-331-0x0000000000740000-0x0000000000741000-memory.dmp
memory/1432-330-0x0000000002630000-0x0000000002631000-memory.dmp
memory/1432-329-0x0000000002240000-0x0000000002241000-memory.dmp
memory/1432-328-0x0000000002410000-0x0000000002411000-memory.dmp
memory/1432-327-0x00000000021E0000-0x00000000021E1000-memory.dmp
memory/1432-326-0x0000000000A20000-0x0000000000A21000-memory.dmp
memory/1432-325-0x0000000000720000-0x0000000000721000-memory.dmp
memory/1432-324-0x0000000002780000-0x0000000002781000-memory.dmp
memory/1432-323-0x0000000002230000-0x0000000002231000-memory.dmp
memory/1432-322-0x00000000024C0000-0x00000000024C1000-memory.dmp
memory/1432-321-0x0000000002420000-0x0000000002421000-memory.dmp
memory/1432-335-0x0000000002790000-0x0000000002791000-memory.dmp
memory/1432-334-0x00000000021D0000-0x00000000021D1000-memory.dmp
memory/1432-336-0x0000000000730000-0x0000000000731000-memory.dmp
memory/1432-337-0x0000000002B70000-0x0000000002B71000-memory.dmp
memory/1432-343-0x0000000000030000-0x00000000004E0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b89fa2989233d124e0c4ad1483e38aeb |
| SHA1 | 8d73ae424817db20211ad6ee6b22a3a5574626eb |
| SHA256 | 7de600e7f26a410ced1e94a30871251fb292c4b9f444e4fc6c3f0667b9746675 |
| SHA512 | 9cd37581c4578d6e3619363412c0507905df5cb3534cdddda7614c424f7570000c511d883549874bac04c3dda09b2bd1d54741dace8270ae615332f51320e82c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c1dc8cd24143e122d09ba9335342e8a4 |
| SHA1 | 8b64856446c398b5f814e2221d0439d2d60d882a |
| SHA256 | 756215924786430743c3d1fee8a0a1e8f8fccc3d681973b41ac80971c320de9e |
| SHA512 | 910c0a5f8b1d242d7a2502447b98c1a061d466ed49939de07078f6d2e9f986770e171aaf1b50ef3f1b8ef5c86a92cb4e00aee2a121290b16e7fa7566581384f1 |
\Users\Admin\AppData\Local\Temp\455E.exe
| MD5 | 151b0a97c3b2438a5836e1a5b0d22564 |
| SHA1 | cea6f6ac5ccd04240325c156a9c1732f3e236958 |
| SHA256 | fb6c3148fc0a185e86f8a72b3983be50d0cafdc4efabbdb28c1727f1518d6c81 |
| SHA512 | 0778e039c406867aa78a247ec11fceb595e68f8edece55db1aa8b1137887bd21fb56a133de85a6df58dd3d51de07e1135655933fbd627d4711764c53e094f740 |
C:\Users\Admin\AppData\Roaming\hebijig
| MD5 | 762c43c78ccf4d3b35574149b834f7a7 |
| SHA1 | b024585ab11a867a05b97f4de4336c14bb4e54e5 |
| SHA256 | 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d |
| SHA512 | 83d45a68b4c2a4c9b4ac55a5aa1f66e5dfd84328535f5ada2830592cc7745b6ff39aa57aefe715c9bebab552f569fce1216b8689a85cb3be3d8661e6b2a1f827 |
memory/2472-416-0x0000000000EA0000-0x0000000000F3E000-memory.dmp
memory/2472-417-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp
memory/2472-418-0x000000001B360000-0x000000001B3E0000-memory.dmp
memory/2472-419-0x000000001CB60000-0x000000001CC50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4C5C.tmp.bat
| MD5 | 3cd1925b3a397119505ed4096c34a437 |
| SHA1 | 7f6b6e6b59497ce1192d2979ce653a7a0ca13168 |
| SHA256 | e9414a7cc8f8ee512e142c78192e0f3222da22dd8e36bad8037f907c2a519760 |
| SHA512 | 88079ce9319c09db92fe8c91a7de884cd3ce210eac526fbac85f2e969835f5af5d048c526680a3da0c79c52e717aa24f61dca0d62494ab4449aee40284b25551 |
memory/2472-428-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp
memory/1452-440-0x0000000000940000-0x0000000000A40000-memory.dmp
memory/1892-442-0x00000000005C0000-0x00000000006C0000-memory.dmp
memory/1892-443-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2452-449-0x0000000001040000-0x00000000010DE000-memory.dmp
memory/2452-450-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp
memory/2452-451-0x000000001B290000-0x000000001B310000-memory.dmp
memory/1616-457-0x000000001B6B0000-0x000000001B992000-memory.dmp
memory/1616-459-0x0000000001E80000-0x0000000001E88000-memory.dmp
memory/1616-463-0x0000000002D34000-0x0000000002D37000-memory.dmp
memory/1616-462-0x000007FEEE1D0000-0x000007FEEEB6D000-memory.dmp
memory/1616-466-0x0000000002D30000-0x0000000002DB0000-memory.dmp
memory/1616-465-0x000007FEEE1D0000-0x000007FEEEB6D000-memory.dmp
memory/1616-464-0x0000000002D30000-0x0000000002DB0000-memory.dmp
memory/1892-478-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2452-505-0x000007FEF5120000-0x000007FEF5B0C000-memory.dmp
memory/1452-508-0x0000000000940000-0x0000000000A40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AC3C.exe
| MD5 | de64b9ff08505d9472c154bbaf03ea02 |
| SHA1 | b698c25fd9c0cb522116912a46c64c0ccc252d65 |
| SHA256 | 39d86cf02270b0b019cf0f30f1456f06df25245abaa248c5a67a3c78f9485b9e |
| SHA512 | 47823fcb618782bb14259af83a5b757d7d4b46fa1d141e99d3c4fc7d1cddb10ca90086db0cf16d5fe0565b350a971c4c68f19dc54a690d7a5a73192a0596d344 |
memory/1616-523-0x0000000002D30000-0x0000000002DB0000-memory.dmp
memory/3048-524-0x00000000002C0000-0x000000000031C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-13 04:55
Reported
2024-03-13 05:00
Platform
win10-20240221-en
Max time kernel
300s
Max time network
301s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\07f26ff5-96e5-46da-b79a-78cc234a02a9\\2F5.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\2F5.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
Vidar
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2F5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2F5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2F5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2F5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jvatcii | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3281913400-1494313570-2321515684-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\07f26ff5-96e5-46da-b79a-78cc234a02a9\\2F5.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\2F5.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2572 set thread context of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\2F5.exe | C:\Users\Admin\AppData\Local\Temp\2F5.exe |
| PID 2180 set thread context of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\2F5.exe | C:\Users\Admin\AppData\Local\Temp\2F5.exe |
| PID 2368 set thread context of 4268 | N/A | C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe | C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe |
| PID 3720 set thread context of 3956 | N/A | C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe | C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe |
| PID 1564 set thread context of 4816 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jvatcii | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jvatcii | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jvatcii | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jvatcii | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B3FE.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\2F5.exe
C:\Users\Admin\AppData\Local\Temp\2F5.exe
C:\Users\Admin\AppData\Local\Temp\2F5.exe
C:\Users\Admin\AppData\Local\Temp\2F5.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\07f26ff5-96e5-46da-b79a-78cc234a02a9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\2F5.exe
"C:\Users\Admin\AppData\Local\Temp\2F5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\2F5.exe
"C:\Users\Admin\AppData\Local\Temp\2F5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
"C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe"
C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe
"C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1480
C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
"C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe"
C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe
"C:\Users\Admin\AppData\Local\3938c6bd-6f80-4fb0-8217-c7380fae36c7\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\jvatcii
C:\Users\Admin\AppData\Roaming\jvatcii
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 192.44.41.31.in-addr.arpa | udp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| KR | 211.53.230.67:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | 67.230.53.211.in-addr.arpa | udp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| PA | 190.218.35.32:80 | sajdfue.com | tcp |
| UY | 179.25.61.235:80 | sdfjhuz.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 32.35.218.190.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.61.25.179.in-addr.arpa | udp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| PA | 190.218.35.32:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 77.154.214.23.in-addr.arpa | udp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| DE | 5.75.221.28:80 | 5.75.221.28 | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 28.221.75.5.in-addr.arpa | udp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| RU | 31.41.44.192:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
Files