Analysis Overview
| SHA256 | 66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029 |
Threat Level: Known bad
The file 66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029 was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Stealc
Djvu Ransomware
SmokeLoader
ZGRat
Detect Vidar Stealer
Detected Djvu ransomware
DcRat
Vidar
Detect ZGRat V1
Lumma Stealer
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Deletes itself
Reads data files stored by FTP clients
Modifies file permissions
Drops startup file
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Runs ping.exe
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-03-14 04:59 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-03-14 04:59 |
| Reported | 2024-03-14 05:05 |
| Platform | win10-20240221-en |
| Max time kernel | 233s |
| Max time network | 307s |
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1d4925fb-c6a9-4a76-ae2e-ab87ac92e1f8\\3D44.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\3D44.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Lumma Stealer
SmokeLoader
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1356 created 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\18578\Http.pif | C:\Windows\Explorer.EXE |
| PID 1356 created 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\18578\Http.pif | C:\Windows\Explorer.EXE |
Vidar
ZGRat
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url | C:\Windows\SYSTEM32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url | C:\Windows\SYSTEM32\cmd.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9C2D.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1d4925fb-c6a9-4a76-ae2e-ab87ac92e1f8\\3D44.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\3D44.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\60AB.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7DC5.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18578\Http.pif | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18578\Http.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18578\Http.pif | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18578\Http.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18578\Http.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18578\Http.pif | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe | "C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2B22.bat" " |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Users\Admin\AppData\Local\Temp\3D44.exe | C:\Users\Admin\AppData\Local\Temp\3D44.exe |
| C:\Users\Admin\AppData\Local\Temp\3D44.exe | C:\Users\Admin\AppData\Local\Temp\3D44.exe |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\1d4925fb-c6a9-4a76-ae2e-ab87ac92e1f8" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\3D44.exe | "C:\Users\Admin\AppData\Local\Temp\3D44.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\3D44.exe | "C:\Users\Admin\AppData\Local\Temp\3D44.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build2.exe | "C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build2.exe" |
| C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build2.exe | "C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build2.exe" |
| C:\Users\Admin\AppData\Local\Temp\60AB.exe | C:\Users\Admin\AppData\Local\Temp\60AB.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe | "C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1180 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 580 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1652 |
| C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe | "C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Local\Temp\26EA.exe | C:\Users\Admin\AppData\Local\Temp\26EA.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2BCD.bat" " |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 960 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1012 |
| C:\Users\Admin\AppData\Local\Temp\586C.exe | C:\Users\Admin\AppData\Local\Temp\586C.exe |
| C:\Users\Admin\AppData\Local\Temp\9C2D.exe | C:\Users\Admin\AppData\Local\Temp\9C2D.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe" & del "C:\ProgramData\*.dll"" & exit |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 5 |
| C:\Users\Admin\AppData\Local\Temp\6C10.exe | C:\Users\Admin\AppData\Local\Temp\6C10.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Jeffrey Jeffrey.bat & Jeffrey.bat & exit |
| C:\Users\Admin\AppData\Local\Temp\7DC5.exe | C:\Users\Admin\AppData\Local\Temp\7DC5.exe |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 18578 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Sitemap + Sublimedirectory + Cow + Rss + Josh 18578\Http.pif |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Cdt + Thumbnail + Powers + Tamil + Capabilities + Novel + Cos + Breach + Canal + Hobby + Debut + Patricia + Neural + Translations + Fist + Able + Warner + Shapes + Ancient + Plans + Greg + Go + Drain + Mpeg + Necessary + Robertson + Islam + Generations + Trim + Around + Companion + Maiden + Kills + Eat + Brunswick + Ww + Determines + Login + Heads + Wv + Vampire + Consequence + Tba 18578\F |
| C:\Users\Admin\AppData\Local\Temp\18578\Http.pif | 18578\Http.pif 18578\F |
| C:\Windows\SysWOW64\PING.EXE | ping -n 5 127.0.0.1 |
| C:\Windows\SYSTEM32\cmd.exe | cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit |
| C:\Windows\SYSTEM32\cmd.exe | cmd /c schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Local\Temp\992D.exe | C:\Users\Admin\AppData\Local\Temp\992D.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Closing Closing.bat & Closing.bat & exit |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| KR | 183.100.39.16:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | 149.150.94.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.39.100.183.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| KR | 183.100.39.16:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| KR | 211.202.224.10:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | 166.138.96.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.224.202.211.in-addr.arpa | udp |
| KR | 211.202.224.10:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 8.8.8.8:53 | theonlyreasonwhywe.pro | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| US | 104.21.38.37:443 | theonlyreasonwhywe.pro | tcp |
| US | 8.8.8.8:53 | 37.38.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.154.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wisemassiveharmonious.shop | udp |
| US | 104.21.80.130:443 | wisemassiveharmonious.shop | tcp |
| DE | 5.75.221.28:80 | 5.75.221.28 | tcp |
| US | 8.8.8.8:53 | 130.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.221.75.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 104.21.51.243:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | 243.51.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 172.67.217.100:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | 100.217.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nessotechbd.com | udp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 8.8.8.8:53 | 114.16.185.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| US | 8.8.8.8:53 | 59.39.141.209.in-addr.arpa | udp |
| TR | 94.156.8.100:80 | 94.156.8.100 | tcp |
| US | 8.8.8.8:53 | 100.8.156.94.in-addr.arpa | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| NL | 195.20.16.82:443 | 195.20.16.82 | tcp |
| US | 8.8.8.8:53 | 142.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.16.20.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | safety.co.tz | udp |
| US | 67.227.213.152:443 | safety.co.tz | tcp |
| US | 8.8.8.8:53 | 152.213.227.67.in-addr.arpa | udp |
| FI | 37.27.52.220:80 | 37.27.52.220 | tcp |
| US | 8.8.8.8:53 | streamingplay.site | udp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| US | 8.8.8.8:53 | 220.52.27.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.46.152.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.upload.ee | udp |
| FR | 51.91.30.159:443 | www.upload.ee | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | 159.30.91.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gZrMmkMPXNMnXLftODCxOMCJtQlce.gZrMmkMPXNMnXLftODCxOMCJtQlce | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 3.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
Files
memory/3068-1-0x0000000000B10000-0x0000000000C10000-memory.dmp
memory/3068-2-0x0000000000AF0000-0x0000000000AFB000-memory.dmp
memory/3068-3-0x0000000000400000-0x000000000071E000-memory.dmp
memory/3380-4-0x00000000009D0000-0x00000000009E6000-memory.dmp
memory/3068-5-0x0000000000400000-0x000000000071E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2B22.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\3D44.exe
| MD5 | 607c81ba743760322e1b6d4a09f824b7 |
| SHA1 | cd29d301323484514a062b3cfc35c232678c84a5 |
| SHA256 | 7cca9d86a545c0b50667713e3af1cc8ecd931d6f2d310b2e90f016c43ce7bdd4 |
| SHA512 | 8e5996c99c8bb2b7ba93e0f6f2325b6c337a6f962513cead5e4fde7373be2acbb0cf7ea4cc902beba480adba51a7a12d838af9a65efd98fe2f91d67d97df6da1 |
memory/4480-20-0x00000000007D0000-0x000000000086B000-memory.dmp
memory/4480-22-0x0000000002450000-0x000000000256B000-memory.dmp
memory/392-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/392-21-0x0000000000400000-0x0000000000537000-memory.dmp
memory/392-25-0x0000000000400000-0x0000000000537000-memory.dmp
memory/392-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/392-38-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4780-41-0x00000000023F0000-0x000000000248B000-memory.dmp
memory/3564-44-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3564-45-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3564-46-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 2ff14fb732157b20816afe0e355cc84a |
| SHA1 | a711e7eb1a3738b3303cab8789d4a2aca26b4243 |
| SHA256 | 867370548e14283f78abcac4220f565ccd77dde9230844881ddb21274df4eb92 |
| SHA512 | 397e43d4978431f15287f913f34ca463a93fa00b137123dc8a8ba12cb170afa818ceef93433986ea78231bbc8320eacc5f9d1ce50dcbafc696d8d600abb7ab80 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b3365ea5926662bf7dc8ac66bf615b21 |
| SHA1 | 6ce13d41787c4953229c5ceca065b52617aba712 |
| SHA256 | 83aa102074818fa254a5cb0f9b90a36d8380ae5c68172c74477a4302a115e120 |
| SHA512 | e9499351d1376420807031068ca953e09da3c176311faf4f798c4b6baea22117f8517387a4ba36d49c84d097345d7bd3d6911259b9b02f2af4a0db78da0d4529 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | cd4853b296f1772145da48037f408fcd |
| SHA1 | d079b3c2df41d7f8236599d9b59976ed7cac69fc |
| SHA256 | e1bcf73fac0d462cf42b472d5bbc46c3fd9b9f6e6a84f877fc5dd2ea8185368f |
| SHA512 | 50d74b0ee26428633b46ab75da6d5f719eeca2c4c44dcc555f1cc2a5a7b7a207aad044786593a17810b5b5b97fcebddf7ce96861fb62f734f1930de7cac7fdba |
memory/3564-51-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3564-52-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3564-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3564-59-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3564-58-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build2.exe
| MD5 | 47704f454af8641dac1af2e2768d7881 |
| SHA1 | e3341bfdec84f69684aecde18cab2864519c7728 |
| SHA256 | a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64 |
| SHA512 | 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25 |
memory/3100-69-0x0000000000A20000-0x0000000000B20000-memory.dmp
memory/2884-68-0x0000000000400000-0x0000000000644000-memory.dmp
memory/3100-72-0x0000000000880000-0x00000000008B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\60AB.exe
| MD5 | b0500750ede1bc70901508bacc7ab0b8 |
| SHA1 | c6efe4c7b811e6c3eed32f2f70ae7a6ac847c2e8 |
| SHA256 | 04ee06f5a05400d75674fae38ed7d2938468d096cee29f2c896aa8c610fbe5bc |
| SHA512 | f09f5031d10fd2c65ec1d8937035902c2273f3f3f36e386142406ae0079fe6c7fbd68e7ea9c8001dedc119ef4d321ad37ff61069f8242806114e352a815c1be5 |
memory/2884-76-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2884-78-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2752-80-0x0000000000440000-0x00000000004CE000-memory.dmp
memory/2752-81-0x0000000072A90000-0x000000007317E000-memory.dmp
memory/3564-82-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2752-83-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
memory/2936-86-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2936-89-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2752-91-0x0000000072A90000-0x000000007317E000-memory.dmp
memory/2752-92-0x0000000002740000-0x0000000004740000-memory.dmp
memory/2936-93-0x0000000002740000-0x0000000004740000-memory.dmp
memory/2936-95-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2936-94-0x0000000001140000-0x0000000001141000-memory.dmp
memory/3564-101-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe
| MD5 | 53bc6c328281928e94ac312f63f13f05 |
| SHA1 | d49275ca0cd7f367733a365323b466ad588e5ce0 |
| SHA256 | 7278f0c920ff8dad67e62751745e858817abb1c5b461414162311e57eb833e7c |
| SHA512 | 48e55739728038066eeb2fca5c20e5c6c25587860b2ac7f021218e66fe7c77894c09e0301c4ceb78b72ebc19d85203d8bd66e8c15a1e1aed9eee58c6d465fb77 |
C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2884-109-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2716-112-0x00000000009C0000-0x0000000000AC0000-memory.dmp
memory/2716-114-0x0000000000930000-0x0000000000934000-memory.dmp
memory/3016-116-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3016-111-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3016-117-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3016-119-0x0000000000410000-0x00000000004D5000-memory.dmp
memory/2884-122-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2752-125-0x0000000002740000-0x0000000004740000-memory.dmp
memory/2936-128-0x0000000000400000-0x000000000044B000-memory.dmp
memory/3068-134-0x0000000000A00000-0x0000000000B00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\26EA.exe
| MD5 | 9e52aa572f0afc888c098db4c0f687ff |
| SHA1 | ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b |
| SHA256 | 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443 |
| SHA512 | d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62 |
memory/3040-149-0x0000000000E30000-0x0000000001B15000-memory.dmp
memory/3040-155-0x0000000000A30000-0x0000000000A31000-memory.dmp
memory/3040-156-0x0000000000A40000-0x0000000000A41000-memory.dmp
memory/3040-158-0x0000000000E30000-0x0000000001B15000-memory.dmp
memory/3040-159-0x0000000000E10000-0x0000000000E11000-memory.dmp
memory/3040-157-0x0000000000E00000-0x0000000000E01000-memory.dmp
memory/3040-160-0x0000000000E20000-0x0000000000E21000-memory.dmp
memory/3040-161-0x0000000003130000-0x0000000003131000-memory.dmp
memory/3040-162-0x0000000000E30000-0x0000000001B15000-memory.dmp
memory/3040-164-0x0000000003140000-0x0000000003180000-memory.dmp
memory/3040-165-0x0000000003140000-0x0000000003180000-memory.dmp
memory/3040-166-0x0000000003140000-0x0000000003180000-memory.dmp
memory/3040-167-0x0000000003140000-0x0000000003180000-memory.dmp
memory/3040-168-0x0000000003140000-0x0000000003180000-memory.dmp
memory/3040-163-0x0000000000E30000-0x0000000001B15000-memory.dmp
memory/3040-173-0x0000000000E30000-0x0000000001B15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\586C.exe
| MD5 | 4c0fac716de3a76115851da17c1f6d52 |
| SHA1 | 3ceaf8e5fa0284a5a034a1268953a4ef50b8b1c3 |
| SHA256 | 3863ed55d4d98da6eee2ffa9ab56aa36400fa02c3722b2300b750cfc2170a4a4 |
| SHA512 | 1b44716a7cf879c91f246dbac56c0db5329f2c5eda5a584689dd40388698fc960312ef9d30f1e92f5bb1040da6ae80315155af65da632356982635ea706a04af |
C:\Users\Admin\AppData\Local\Temp\586C.exe
| MD5 | 64c23b15686981a42f0c41bf04b40534 |
| SHA1 | 8af173fa7c0fbcf7087b8ea628092f437d9d174c |
| SHA256 | 64a537783cb5954bec9bf2878c1ccb4ae074e5ed2159bac81f87efcd71cbdd36 |
| SHA512 | bcdfe78899d206a14f338e9a4f7cac2171fb6dee090375ff19e1bbe07a9b60ef90dc30a404fcfd2c382ca25aa7690dddebe2b2d4fb48366af0a0d2552ded4729 |
memory/4212-183-0x00007FF6250F0000-0x00007FF625D52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9C2D.exe
| MD5 | 622939e81b389026b6a84cf1b4b591ed |
| SHA1 | 3e107fdfc37a218893e2af7de943f89eea8cc942 |
| SHA256 | 9ba91fb7966f2165ef55283606de31147756b5591932ee333247b67710fdef77 |
| SHA512 | 6a5c81645a01e73da9e9e88a8692d6732eb7edf49b40726a0216f816f25ec5cd4cfa63afc52fb1ad35d3f22229a55df25e4c506cd393b1cc7a37d04b29d95f7f |
C:\Users\Admin\AppData\Local\Temp\9C2D.exe
| MD5 | d9a0b196f6067f6dee7d4aba57ac4b8d |
| SHA1 | 68d33c4654b62a6292c3cec5e8cae9b4e6f3acd0 |
| SHA256 | 631e9158803ed6952e8074858caa79097a20ebe5e96f809842c4e2e169fa2611 |
| SHA512 | f14e96014980f167e2369fdf607d1f66d2a3abf038d4444f964db2183f47be027fe849bebd4c56ad80cd9f782573dde73655b9ab51fa0de3ecdc81a98b0f6ef9 |
memory/4624-192-0x0000000072120000-0x000000007280E000-memory.dmp
memory/4624-193-0x00000000003C0000-0x0000000000914000-memory.dmp
memory/4624-194-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/4624-195-0x0000000005170000-0x000000000520C000-memory.dmp
memory/4624-196-0x0000000005910000-0x0000000005E3C000-memory.dmp
memory/4624-202-0x0000000072120000-0x000000007280E000-memory.dmp
memory/4624-203-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/5104-212-0x0000000000A60000-0x0000000000B60000-memory.dmp
memory/4624-220-0x0000000005E40000-0x000000000607C000-memory.dmp
memory/4624-221-0x0000000005640000-0x0000000005652000-memory.dmp
memory/4624-222-0x00000000071B0000-0x0000000007342000-memory.dmp
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/4624-229-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/4624-230-0x00000000056D0000-0x00000000056E0000-memory.dmp
memory/4624-232-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/4624-231-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/4624-233-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/4624-234-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/4624-235-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/4624-236-0x00000000075F0000-0x00000000076F0000-memory.dmp
memory/4624-237-0x00000000075F0000-0x00000000076F0000-memory.dmp
memory/4624-242-0x0000000072120000-0x000000007280E000-memory.dmp
memory/4632-243-0x0000000000400000-0x000000000063B000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/4632-304-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6C10.exe
| MD5 | 7769e93085751e0b35729827dc22e8d5 |
| SHA1 | 1d20bac0f5e0e8e28d466834463463cc911a5baa |
| SHA256 | 8dd36a9b8a11b166aab0584253115650ec392591e7958c0cba3f1adef483f402 |
| SHA512 | b3b658440f973b7e913681e645b21aa6c102fb4d43480f5e9952f756bfd42288bf2e56a4fef02929994d09cf82c857a7772eb1b6703ab69f924383a2ecdbe56c |
C:\Users\Admin\AppData\Local\Temp\Jeffrey
| MD5 | e121db542d18a526f078c32fd2583af5 |
| SHA1 | 69e677442ccb6d6fe1d2a3029cf44aac473f5f55 |
| SHA256 | fcaf08c62c974ca0fb7537213a7867ab0f9fb41e52dde118b758b7ea05f63ca2 |
| SHA512 | 9d8c2bd284a624b68a2fafd93445648f69ffd47374f1d3cfd1857d2951bbc2a6cbe971fdb5e10d5f513dbb5188d59ee8e5715c86e3a1bf23e6df7feec960bebe |
C:\Users\Admin\AppData\Local\Temp\7DC5.exe
| MD5 | d88c9297da5b7b0a3f96d33e6eca33e6 |
| SHA1 | 808e8a222cd131679b4feda2834eaaa92f866143 |
| SHA256 | 92a59655997ea6a17d871d12965738dfa1649751774129b4fbeea2bb01355723 |
| SHA512 | e854cf3f4e4b119e040e00d56adcd56749099ddcb1956433a31156afc88e643972b690917ac09deadb8860e5b6982d55085a372d4f509996ded7e5e3e1f05066 |
memory/2208-367-0x0000000000A70000-0x0000000000ADC000-memory.dmp
memory/2208-368-0x0000000071D30000-0x000000007241E000-memory.dmp
memory/2208-369-0x0000000005540000-0x0000000005550000-memory.dmp
memory/2208-377-0x0000000071D30000-0x000000007241E000-memory.dmp
memory/2208-378-0x0000000002DA0000-0x0000000004DA0000-memory.dmp
memory/4856-379-0x0000000000400000-0x000000000063B000-memory.dmp
C:\ProgramData\JKJECBAA
| MD5 | ce732f4f447aa2f766cfbdf8a4f5e19e |
| SHA1 | 318043823c8dc77670f7dfa5b672b313321898fa |
| SHA256 | b7cb765a763c053cded7e6e8cda3bcc581bbd10ac756abf495a265be80300191 |
| SHA512 | 7ce0abbbeaf17458f864d4f39326f492320fa6e85524da3ce9d7dd991db4a10080780121dc5a6a755a515022d13f2894692fdc302385da285d8abc77738bafeb |
C:\ProgramData\freebl3.dll
| MD5 | 56b9b01de3282fcb7ead7190344d4894 |
| SHA1 | 37887894647859a2013ad35893e1b5a7c6745260 |
| SHA256 | 14cc9da93c9fd0e0c31e6bac04e303cfa423769a670ffd0fd6e5a2d113041b44 |
| SHA512 | d3621893907f544c7b7ffeba2c5c95612ed99408c5ad5d9c01f2aa21fc1499b4c9d26caf5e578f78428860cc35f1d0666913989f5beb09a98ddbbfd4d701a624 |
C:\Users\Admin\AppData\Local\Temp\Cdt
| MD5 | ba823d75b6712149e7241d1c2f6695ef |
| SHA1 | 9f351074e85afc8254aaa5df0561377c8b68874c |
| SHA256 | 7d9468f4301186c054a25dd5290770a9acec5c3e03937a5a99ae17d0af786377 |
| SHA512 | 563c98418647956e8892b855e6a9c9b5994e50f8a41c2857c0a06abf59151d729ad53676d38e1f6addd7186b3f707ce06a313f5a3482327624985f9f50bc8167 |
C:\Users\Admin\AppData\Local\Temp\Thumbnail
| MD5 | e68e0d804f78aadf2b7da5190971cc56 |
| SHA1 | b10f5a2dfc947cd7ecdc14bbf37ab4ceb5e1eaf9 |
| SHA256 | fe05a76fbb09e4fa60386db924b5bff738c3ce9be3bd0a1f9c082317c8c86bee |
| SHA512 | e5600c6ab0f3d41b47c0b92f5e32a26eb42ca34392a9e1ba373e2b0b7f884ae4c47949dee26a05ba20a3467299f01b4e50aa2c2acd1a47f5152a83e2abfa7cda |
C:\Users\Admin\AppData\Local\Temp\Powers
| MD5 | 0c851a1587662cb3c4b3f4e79b9d40e4 |
| SHA1 | 405bcebd4ebefa55e2e51fd9a5f9a468f25020e5 |
| SHA256 | 869aadd31861f94ebedb8c7601f310b4c87091c950040cb56115e83801955e26 |
| SHA512 | c9fa7643f8c0dda69eea577dcb3868f20f22c68f49e9726f2bd1cb9f4b134a31ea5d5fead51577ba29f795de394549396dff55432df232baba40f025ac2593c8 |
C:\Users\Admin\AppData\Local\Temp\Neural
| MD5 | 4c5c9f5368402dd77d8f8e0c31951625 |
| SHA1 | 719e5a648399121cf1402d36734631f95c723d18 |
| SHA256 | d7d7df376fcf36b624b6b7c42bac9e409997daf2533fb13b47df979080bd89d7 |
| SHA512 | 1077177e69ca516d7fac2f48c650407007b05e6867140f0349779dc9e315da2291c8ecbf63d87533f86447c9920d83dbd1c509f9b97d6e653445cdd6661460ba |
C:\Users\Admin\AppData\Local\Temp\Patricia
| MD5 | d9bd01e58c378e5a43b47b93ccf11b30 |
| SHA1 | 4f57381303c5cb2d6f0012d190ce11d696efde77 |
| SHA256 | df1836f2bef8704260148cc27c0f83b54e7bba141cb9274de315082f55983d1a |
| SHA512 | 4ed8db053adec650c71c34c843173bc2f25078ee37099ed91ad922ca57346dfd543949fe14d70b158aeabb0a0c69219548b44866c701cfe45e3c2954a1a00755 |
C:\Users\Admin\AppData\Local\Temp\Debut
| MD5 | 309a79e7ee30ead5653c0e33c937bf20 |
| SHA1 | 808165ca516179e0749cd74b57ebf2ec92e77a9e |
| SHA256 | a8801707877eed3c2e26a3c17dfe73fa1f497e0c7c50510a2209752f2d28c233 |
| SHA512 | 0bde1c86c60452f042d5d70962d1e78483ee33d69cee5a9fefc47681b9136ff4cf64ba2b2197f050d97f5ff26161e4b79981f1a848f25f48957f2660a706a6b8 |
C:\Users\Admin\AppData\Local\Temp\Translations
| MD5 | a40fabfc3d4fe0e77cf03156b0541015 |
| SHA1 | 7a8c301d0a3834a212af25812cb9f51afa8425d4 |
| SHA256 | fb58698a4c4b63b75f32a80188681d5a7489ac856c2e4f66040ec75d86594864 |
| SHA512 | f34e5b24f65916dad8cb8bdb920b008b3110dc89f0fd7de378c1dde905738572921098286f2bcc8df1615a4f4dd638c28cef8decb0ae68a8bba29600dd249c11 |
C:\Users\Admin\AppData\Local\Temp\Mpeg
| MD5 | af66ed102029338945a5ae7af6e68867 |
| SHA1 | 2a590d37a9e25203f41fe28be7b3702bdac34e28 |
| SHA256 | 4f5603c2539d330e9576ab577fe08cd58e6a191620e962c570af439ec4808c6b |
| SHA512 | 83d5afa258752706ce85f5e57a59e04e0c8e2e856eb12d4e419237eaf2669bf1ffbd1ab87eabc34e0e7c3e4584a4288aa39285cfbfd398d04f8bd2248cf27609 |
C:\Users\Admin\AppData\Local\Temp\Drain
| MD5 | 99667047563ffb1f92319045c1fa496f |
| SHA1 | 9eba1534190dac88d7231e00cf2372477479a262 |
| SHA256 | 3f6dfc93ffd2c876839d824993a4234df1d16a3f0b5d284c66e32bc2264867ea |
| SHA512 | e8d39f341df2decde92d2bf7066de6ccf3b3b2d6c4e57d353a60ee409fb7d54444d55e8c02a266da4ec94e719e149685120c72c6db7c35e863cef7f1f844c9d9 |
C:\Users\Admin\AppData\Local\Temp\Go
| MD5 | b153dbfec41fa6a8b005978bc571befe |
| SHA1 | 9752d98549edff58b4c0ede5a654832c22f97d38 |
| SHA256 | f59cbe377d6d4df992d6caaa0ccbbe7a5506741c9e63a716a0284cb2ae720814 |
| SHA512 | eef43707eb9b7e047a8c8307ffac9ce4b1eb0383186280b9112eb278e4fb97c339e14cbbb334eaf9e13719280978a12c7d8d3615e8ab25e176530836799c002a |
C:\Users\Admin\AppData\Local\Temp\Greg
| MD5 | 265344b2c8ca35ae60227ff6639481f5 |
| SHA1 | 49bf4e7aab05a697409a4cc8f04c5b2ed1e78e79 |
| SHA256 | 349c58fc4a15001ff0875d2a9f797d536045804c99350e0f43203ade07c41b59 |
| SHA512 | 2248bd383433d3dd541eb74f3e2404f83e1f379b11d9e7de9bf6903460cfba9b1955d089439883126ce6c08a67a3e12beb63126a74a1a86dc461ca8f232f442d |
C:\Users\Admin\AppData\Local\Temp\Plans
| MD5 | 5e136f53a54f61eeb099c76021dba233 |
| SHA1 | 1b9f5ffa3b8c1cf3a1ce8fe58786e2b3617825d3 |
| SHA256 | ed6ad54fc60499182bf34b7dd96c25c04ff155c33fbe205b2579deb03f15a041 |
| SHA512 | 493110347fa229d48e4c6d8a735dc56bfa34d5da3b70d485c56ef35d47b92d694e0ba84784487168be98931699bcf019ff1d831f1dffc2fde1fd27aec7ae03a8 |
C:\Users\Admin\AppData\Local\Temp\Ancient
| MD5 | a02c222cf530ee003a3893c4c78770c2 |
| SHA1 | bdaaf55f6f97ad1c4493f1bb7b683cb3f47aa0f3 |
| SHA256 | 192ca40b43714d9220f9c753befa6b87c9d95ac36d2eea8b762c67e1267981b5 |
| SHA512 | 1225b9d79b853801089c216e75afc3ec093337858cf54657a746c43e6392aa66f9fdbc922bc13472f41407947acde71d2a2cabbdbdd34241e56410d7d61b0368 |
C:\Users\Admin\AppData\Local\Temp\Shapes
| MD5 | 7aaaa1a6965448912a128a631bbd06be |
| SHA1 | d3917e8d8780c9296c6bba2066a3fccd08e04253 |
| SHA256 | f9dd85538a77f5e563a03d1d846b2ed4e447fc002c4a3f35f6630fb6b068bf85 |
| SHA512 | 02f233fa2df94f057eb453a571e5ccbe882dafb71a5f65c5ad159ed1aa56157dcf25fb954b9340dd43de0e4413b89447bcb5b5664c6966185710df9802474b52 |
C:\Users\Admin\AppData\Local\Temp\Warner
| MD5 | f83e3a79f793337194e79e4bb5c3b073 |
| SHA1 | 6d4ef4fc71fbabc6f56265388d87d997e47194dc |
| SHA256 | e6c10154860c14f05f94129e411439105ea9da7fe9bb372b5cf107978aed6844 |
| SHA512 | 5133a73e3c9da5cef73cd6504e2bdfad81517a1b3dd8e3bd970ad6c2ba8fd02e305cc7b0884771b313ce44fd181e685be5c21426ed1c6d098bace464c5a02775 |
C:\Users\Admin\AppData\Local\Temp\Able
| MD5 | 13fd06533f068d719a2b9f300096ca41 |
| SHA1 | f054659e3fb8516b759b8f819d12acb9c173ab6a |
| SHA256 | b43ce17ba094fb6dbfffb9d06874f74f17acc0ca791d49fc2a0e83eeebda06f9 |
| SHA512 | f8cc9e163900c0594d2d76d0b8cc5a02399c15b68341ec7dd336abb754f7360b9b75623fa3666a1cf8df080e11ef1a759197076b0c7275701812e3b6e02c0422 |
C:\Users\Admin\AppData\Local\Temp\Fist
| MD5 | 71afb2f733859a29cfcf25e58625284c |
| SHA1 | 248df6b7026fd2771dd65ed3b542ca0185dbb6dc |
| SHA256 | d57110136c0fa135b3dd2f4b83d48af60fc8d918372aeec2a3eac0333135f120 |
| SHA512 | 047874d945a67bda6f9e1bbeedf15e728be8ed212683f29dab0ee6d3d26a1265f1b3ab008e8b10c7c8bf6a5bf37f1ca637d54eb5ae99dd7ae67ff4fcdc16e5af |
C:\Users\Admin\AppData\Local\Temp\Hobby
| MD5 | cd17d8568d3cb4f7a115c0c9657aa3c1 |
| SHA1 | 389429708df886ee004b3d4c54cbb9a2e089859e |
| SHA256 | ed71c9321bf22505bc8aeb4eada537151b1d0cce36d4a68a63c312e1d278be3d |
| SHA512 | 005277a31916c4f81780ede19a26e735a302db57f97b0c643ca1a959165b54f7c911a7ee1d1c79e0df599e9c201d3daa9f7cc48359367753fa152a04a739cd33 |
C:\Users\Admin\AppData\Local\Temp\Canal
| MD5 | c3a1a56b238bd452b6b59169cc99ec03 |
| SHA1 | 88a35ade6f7f14e2df8d731317afc72612074a51 |
| SHA256 | a1f3e11d023c1b288bf20d8290fbb532397bcf5de9b5094ffd9e01faf15af90f |
| SHA512 | 163287a8864978a7de323e61e5a168b75e97dcd36e8448a00d05f2e8c00b2a9c878e372a56f12288bb92c86f89a6dd6d56ae0282fb09d919e7ffe85349643525 |
C:\Users\Admin\AppData\Local\Temp\Breach
| MD5 | 9324e493902fe2c6ffcf04f088c34e08 |
| SHA1 | 866c7b4c73f99f673dd3f2035e34d843c262f256 |
| SHA256 | 6f50e1f49fca502dbab2f5d9b5ed372870222ba77e4317806a27bdd032dfd222 |
| SHA512 | c1d4bbd0444d2bbfb255766c846ec71623833b887609f995a09c95e323ec39137d74d8b55229055561fa2248418fd7cf28f531d467ed79f292f41518d3cee9e0 |
C:\Users\Admin\AppData\Local\Temp\Cos
| MD5 | c8599aa35a19083f6c5f80151f55315c |
| SHA1 | 3e315507bc934d0ebdf68328b5d60e7fcab41a3b |
| SHA256 | 339dbf69ba0f0dfbc7d4833ca4900017f2ab5999484e1194041a538589867e7f |
| SHA512 | dc6d2169226606b2880f02cff18eeda182ed39dc55fd29626cfeb464c6c59fddb7f079bfc7386dc30f9fbc089fc8e40649f5b109fbbf172a2710cdd7814ecdf1 |
C:\Users\Admin\AppData\Local\Temp\Novel
| MD5 | 9c5c2a336e6c94e60e8ca1a981235806 |
| SHA1 | 887ed6cee2cc4b3da3acceb5b0553b24ec0e6617 |
| SHA256 | 7726ad699b2cfa9778d6dc2c289c9a4f46b0d9a7c5db2e39e76f18e43ac86070 |
| SHA512 | 1aa7daea097f7064bfbeef2621c4d88b08c77af0b6047cb78f84d749f94a49674f72b007e7a8422407aa045a12dd72d74a53df50811a2ca6eefb2eaf3446c2fb |
C:\Users\Admin\AppData\Local\Temp\Capabilities
| MD5 | d34ef2c6ce15a8747df5431a864f0613 |
| SHA1 | fe62b64f13b149525066fe73f227df044255cddb |
| SHA256 | 879e43c64cb2cb8fcb5df47040d65e4127997f5b845d0a87692a632af3ae04b9 |
| SHA512 | 0e0dfcd55a61c0d42a262cf1fbe7b29d4c10a60902986030d784aa9abdb60fd1e76ba7ca4a1e62b89a90c00b6d02874e827801faec8adcb113209152e4f77c24 |
C:\Users\Admin\AppData\Local\Temp\Tamil
| MD5 | 5b825ccfab154d5de20e806e687ecb89 |
| SHA1 | d311d7b23a70f5e1ba875e020d37e05a3a4c4552 |
| SHA256 | 19d5510298ed882c13538159f6d600afb2b0cbca2e21307b23d4ffc7b951b436 |
| SHA512 | e31cac21acdd002e14b7e40cf0af6efb65ed3b803348d885ca2dc5d38b4b3b03b1548cb78258515a1cce9b6eccefa31fef02ed6212b0e9170c4e4ba71e9d8f03 |
memory/2208-454-0x0000000002DA0000-0x0000000004DA0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 04:59
Reported
2024-03-14 05:04
Platform
win7-20240221-en
Max time kernel
300s
Max time network
209s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
Vidar
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jvejbgr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4DF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4DF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4DF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4DF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1595.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29F2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4DF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4DF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4DF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4DF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4DF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B4DF.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\74dadc62-0861-40f2-992c-f733c7213548\\B4DF.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\B4DF.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2576 set thread context of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\B4DF.exe | C:\Users\Admin\AppData\Local\Temp\B4DF.exe |
| PID 1932 set thread context of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\B4DF.exe | C:\Users\Admin\AppData\Local\Temp\B4DF.exe |
| PID 560 set thread context of 308 | N/A | C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe | C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1595.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jvejbgr | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jvejbgr | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jvejbgr | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jvejbgr | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe
"C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\65C5.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\taskeng.exe
taskeng.exe {20320EA6-1659-4EA0-BACA-09550EBC2A64} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\jvejbgr
C:\Users\Admin\AppData\Roaming\jvejbgr
C:\Users\Admin\AppData\Local\Temp\B4DF.exe
C:\Users\Admin\AppData\Local\Temp\B4DF.exe
C:\Users\Admin\AppData\Local\Temp\B4DF.exe
C:\Users\Admin\AppData\Local\Temp\B4DF.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\74dadc62-0861-40f2-992c-f733c7213548" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\B4DF.exe
"C:\Users\Admin\AppData\Local\Temp\B4DF.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\B4DF.exe
"C:\Users\Admin\AppData\Local\Temp\B4DF.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe
"C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe"
C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe
"C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 1408
C:\Users\Admin\AppData\Local\Temp\1595.exe
C:\Users\Admin\AppData\Local\Temp\1595.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\18F0.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 124
C:\Users\Admin\AppData\Local\Temp\29F2.exe
C:\Users\Admin\AppData\Local\Temp\29F2.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| MX | 187.204.100.64:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| MX | 187.204.100.64:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| PE | 190.12.87.61:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| PE | 190.12.87.61:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| DE | 5.75.221.28:80 | 5.75.221.28 | tcp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 104.21.51.243:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | nessotechbd.com | udp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| NL | 195.20.16.82:443 | | tcp |
| NL | 195.20.16.82:443 | | tcp |
| US | 8.8.8.8:53 | safety.co.tz | udp |
| US | 67.227.213.152:443 | safety.co.tz | tcp |
| US | 67.227.213.152:443 | safety.co.tz | tcp |
| US | 8.8.8.8:53 | streamingplay.site | udp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| US | 8.8.8.8:53 | www.upload.ee | udp |
| FR | 51.91.30.159:443 | www.upload.ee | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
Files
memory/2932-3-0x0000000000400000-0x000000000071E000-memory.dmp
memory/2932-2-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/2932-1-0x00000000002D0000-0x00000000003D0000-memory.dmp
memory/2932-5-0x0000000000400000-0x000000000071E000-memory.dmp
memory/1212-4-0x0000000002D50000-0x0000000002D66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\65C5.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Roaming\jvejbgr
| MD5 | 3b4224203121c702ba8573f7936a6732 |
| SHA1 | c541bdac782799e6c0e3ab6b8dce08f8e06d2f96 |
| SHA256 | 66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029 |
| SHA512 | 202f37fdebcb63e13227364f060abfff926e8be8e21d5c139ae17bf457556cd835886459e67a2b1e39ffba7f043491474892897481f3b4c17e99bcc1ba71f896 |
memory/2676-23-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/2676-24-0x0000000000400000-0x000000000071E000-memory.dmp
memory/1212-25-0x0000000003910000-0x0000000003926000-memory.dmp
memory/2676-26-0x0000000000400000-0x000000000071E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B4DF.exe
| MD5 | 8d76e42cbd333b2d7c3946ea1351ac7a |
| SHA1 | 800bd806ade43fb2d4f5c81a7929f3e8eeab7019 |
| SHA256 | 5e1e31f5dec4546c01331bc1705d7c7509c060b00b49d88f444b336992377498 |
| SHA512 | c7bea376a671118dcc28b3e954f6484346ff8b87172b14d6fc77d772b88d32a826ff39c36426ef02d90f86cd96f6995ad2b7e344fed7ebb1d437637bb59fcb7b |
memory/2576-35-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/1428-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2576-41-0x00000000020E0000-0x00000000021FB000-memory.dmp
memory/1428-42-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2576-36-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/1428-45-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1428-46-0x0000000000400000-0x0000000000537000-memory.dmp