Malware Analysis Report

2025-01-02 11:07

Sample ID 240314-fml3hadd48
Target 66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029
SHA256 66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029
Tags
dcrat djvu lumma smokeloader stealc vidar zgrat 82df9629d6ef6fc7fe54d6eb2bc6137b pub1 backdoor discovery infostealer persistence ransomware rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029 was found to be: Known bad.

Malicious Activity Summary

Suspicious use of NtCreateUserProcessOtherParentProcess

Stealc

Djvu Ransomware

SmokeLoader

ZGRat

Detect Vidar Stealer

Detected Djvu ransomware

DcRat

Vidar

Detect ZGRat V1

Lumma Stealer

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Reads data files stored by FTP clients

Modifies file permissions

Drops startup file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Runs ping.exe

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 04:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:59

Reported

2024-03-14 05:05

Platform

win10-20240221-en

Max time kernel

233s

Max time network

307s

Command Line

C:\Windows\Explorer.EXE

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1d4925fb-c6a9-4a76-ae2e-ab87ac92e1f8\\3D44.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\3D44.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1356 created 3380 N/A C:\Users\Admin\AppData\Local\Temp\18578\Http.pif C:\Windows\Explorer.EXE

Vidar

stealer vidar

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url C:\Windows\SYSTEM32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url C:\Windows\SYSTEM32\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1d4925fb-c6a9-4a76-ae2e-ab87ac92e1f8\\3D44.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\3D44.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\60AB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7DC5.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\18578\Http.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3380 wrote to memory of 1492 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 3836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3380 wrote to memory of 4480 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3D44.exe
PID 4480 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\3D44.exe C:\Users\Admin\AppData\Local\Temp\3D44.exe
PID 392 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\3D44.exe C:\Windows\SysWOW64\icacls.exe
PID 392 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\3D44.exe C:\Users\Admin\AppData\Local\Temp\3D44.exe
PID 4780 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\3D44.exe C:\Users\Admin\AppData\Local\Temp\3D44.exe
PID 3564 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\3D44.exe C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build2.exe
PID 3100 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build2.exe C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build2.exe
PID 3380 wrote to memory of 2752 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\60AB.exe
PID 2752 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\60AB.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3564 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\3D44.exe C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe
PID 2716 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe

"C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2B22.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\3D44.exe

C:\Users\Admin\AppData\Local\Temp\3D44.exe

C:\Users\Admin\AppData\Local\Temp\3D44.exe

C:\Users\Admin\AppData\Local\Temp\3D44.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\1d4925fb-c6a9-4a76-ae2e-ab87ac92e1f8" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\3D44.exe

"C:\Users\Admin\AppData\Local\Temp\3D44.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3D44.exe

"C:\Users\Admin\AppData\Local\Temp\3D44.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build2.exe

"C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build2.exe"

C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build2.exe

"C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build2.exe"

C:\Users\Admin\AppData\Local\Temp\60AB.exe

C:\Users\Admin\AppData\Local\Temp\60AB.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe

"C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1652

C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe

"C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\26EA.exe

C:\Users\Admin\AppData\Local\Temp\26EA.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2BCD.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1012

C:\Users\Admin\AppData\Local\Temp\586C.exe

C:\Users\Admin\AppData\Local\Temp\586C.exe

C:\Users\Admin\AppData\Local\Temp\9C2D.exe

C:\Users\Admin\AppData\Local\Temp\9C2D.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\6C10.exe

C:\Users\Admin\AppData\Local\Temp\6C10.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Jeffrey Jeffrey.bat & Jeffrey.bat & exit

C:\Users\Admin\AppData\Local\Temp\7DC5.exe

C:\Users\Admin\AppData\Local\Temp\7DC5.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 18578

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Sitemap + Sublimedirectory + Cow + Rss + Josh 18578\Http.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Cdt + Thumbnail + Powers + Tamil + Capabilities + Novel + Cos + Breach + Canal + Hobby + Debut + Patricia + Neural + Translations + Fist + Able + Warner + Shapes + Ancient + Plans + Greg + Go + Drain + Mpeg + Necessary + Robertson + Islam + Generations + Trim + Around + Companion + Maiden + Kills + Eat + Brunswick + Ww + Determines + Login + Heads + Wv + Vampire + Consequence + Tba 18578\F

C:\Users\Admin\AppData\Local\Temp\18578\Http.pif

18578\Http.pif 18578\F

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SYSTEM32\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\992D.exe

C:\Users\Admin\AppData\Local\Temp\992D.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Closing Closing.bat & Closing.bat & exit

Network


Files

memory/3068-1-0x0000000000B10000-0x0000000000C10000-memory.dmp

memory/3068-2-0x0000000000AF0000-0x0000000000AFB000-memory.dmp

memory/3068-3-0x0000000000400000-0x000000000071E000-memory.dmp

memory/3380-4-0x00000000009D0000-0x00000000009E6000-memory.dmp

memory/3068-5-0x0000000000400000-0x000000000071E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2B22.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\3D44.exe

MD5 607c81ba743760322e1b6d4a09f824b7
SHA1 cd29d301323484514a062b3cfc35c232678c84a5
SHA256 7cca9d86a545c0b50667713e3af1cc8ecd931d6f2d310b2e90f016c43ce7bdd4
SHA512 8e5996c99c8bb2b7ba93e0f6f2325b6c337a6f962513cead5e4fde7373be2acbb0cf7ea4cc902beba480adba51a7a12d838af9a65efd98fe2f91d67d97df6da1

memory/4480-20-0x00000000007D0000-0x000000000086B000-memory.dmp

memory/4480-22-0x0000000002450000-0x000000000256B000-memory.dmp

memory/392-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/392-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/392-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/392-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/392-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4780-41-0x00000000023F0000-0x000000000248B000-memory.dmp

memory/3564-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3564-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3564-46-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 2ff14fb732157b20816afe0e355cc84a
SHA1 a711e7eb1a3738b3303cab8789d4a2aca26b4243
SHA256 867370548e14283f78abcac4220f565ccd77dde9230844881ddb21274df4eb92
SHA512 397e43d4978431f15287f913f34ca463a93fa00b137123dc8a8ba12cb170afa818ceef93433986ea78231bbc8320eacc5f9d1ce50dcbafc696d8d600abb7ab80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b3365ea5926662bf7dc8ac66bf615b21
SHA1 6ce13d41787c4953229c5ceca065b52617aba712
SHA256 83aa102074818fa254a5cb0f9b90a36d8380ae5c68172c74477a4302a115e120
SHA512 e9499351d1376420807031068ca953e09da3c176311faf4f798c4b6baea22117f8517387a4ba36d49c84d097345d7bd3d6911259b9b02f2af4a0db78da0d4529

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 cd4853b296f1772145da48037f408fcd
SHA1 d079b3c2df41d7f8236599d9b59976ed7cac69fc
SHA256 e1bcf73fac0d462cf42b472d5bbc46c3fd9b9f6e6a84f877fc5dd2ea8185368f
SHA512 50d74b0ee26428633b46ab75da6d5f719eeca2c4c44dcc555f1cc2a5a7b7a207aad044786593a17810b5b5b97fcebddf7ce96861fb62f734f1930de7cac7fdba

memory/3564-51-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3564-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3564-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3564-59-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3564-58-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build2.exe

MD5 47704f454af8641dac1af2e2768d7881
SHA1 e3341bfdec84f69684aecde18cab2864519c7728
SHA256 a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64
SHA512 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25

memory/3100-69-0x0000000000A20000-0x0000000000B20000-memory.dmp

memory/2884-68-0x0000000000400000-0x0000000000644000-memory.dmp

memory/3100-72-0x0000000000880000-0x00000000008B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\60AB.exe

MD5 b0500750ede1bc70901508bacc7ab0b8
SHA1 c6efe4c7b811e6c3eed32f2f70ae7a6ac847c2e8
SHA256 04ee06f5a05400d75674fae38ed7d2938468d096cee29f2c896aa8c610fbe5bc
SHA512 f09f5031d10fd2c65ec1d8937035902c2273f3f3f36e386142406ae0079fe6c7fbd68e7ea9c8001dedc119ef4d321ad37ff61069f8242806114e352a815c1be5

memory/2884-76-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2884-78-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2752-80-0x0000000000440000-0x00000000004CE000-memory.dmp

memory/2752-81-0x0000000072A90000-0x000000007317E000-memory.dmp

memory/3564-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2752-83-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

memory/2936-86-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2936-89-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2752-91-0x0000000072A90000-0x000000007317E000-memory.dmp

memory/2752-92-0x0000000002740000-0x0000000004740000-memory.dmp

memory/2936-93-0x0000000002740000-0x0000000004740000-memory.dmp

memory/2936-95-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2936-94-0x0000000001140000-0x0000000001141000-memory.dmp

memory/3564-101-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe

MD5 53bc6c328281928e94ac312f63f13f05
SHA1 d49275ca0cd7f367733a365323b466ad588e5ce0
SHA256 7278f0c920ff8dad67e62751745e858817abb1c5b461414162311e57eb833e7c
SHA512 48e55739728038066eeb2fca5c20e5c6c25587860b2ac7f021218e66fe7c77894c09e0301c4ceb78b72ebc19d85203d8bd66e8c15a1e1aed9eee58c6d465fb77

C:\Users\Admin\AppData\Local\297ee761-6bf3-46f9-8d71-eec593092a11\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2884-109-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2716-112-0x00000000009C0000-0x0000000000AC0000-memory.dmp

memory/2716-114-0x0000000000930000-0x0000000000934000-memory.dmp

memory/3016-116-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3016-111-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3016-117-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3016-119-0x0000000000410000-0x00000000004D5000-memory.dmp

memory/2884-122-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2752-125-0x0000000002740000-0x0000000004740000-memory.dmp

memory/2936-128-0x0000000000400000-0x000000000044B000-memory.dmp

memory/3068-134-0x0000000000A00000-0x0000000000B00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\26EA.exe

MD5 9e52aa572f0afc888c098db4c0f687ff
SHA1 ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA256 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512 d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

memory/3040-149-0x0000000000E30000-0x0000000001B15000-memory.dmp

memory/3040-155-0x0000000000A30000-0x0000000000A31000-memory.dmp

memory/3040-156-0x0000000000A40000-0x0000000000A41000-memory.dmp

memory/3040-158-0x0000000000E30000-0x0000000001B15000-memory.dmp

memory/3040-159-0x0000000000E10000-0x0000000000E11000-memory.dmp

memory/3040-157-0x0000000000E00000-0x0000000000E01000-memory.dmp

memory/3040-160-0x0000000000E20000-0x0000000000E21000-memory.dmp

memory/3040-161-0x0000000003130000-0x0000000003131000-memory.dmp

memory/3040-162-0x0000000000E30000-0x0000000001B15000-memory.dmp

memory/3040-164-0x0000000003140000-0x0000000003180000-memory.dmp

memory/3040-165-0x0000000003140000-0x0000000003180000-memory.dmp

memory/3040-166-0x0000000003140000-0x0000000003180000-memory.dmp

memory/3040-167-0x0000000003140000-0x0000000003180000-memory.dmp

memory/3040-168-0x0000000003140000-0x0000000003180000-memory.dmp

memory/3040-163-0x0000000000E30000-0x0000000001B15000-memory.dmp

memory/3040-173-0x0000000000E30000-0x0000000001B15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\586C.exe

MD5 4c0fac716de3a76115851da17c1f6d52
SHA1 3ceaf8e5fa0284a5a034a1268953a4ef50b8b1c3
SHA256 3863ed55d4d98da6eee2ffa9ab56aa36400fa02c3722b2300b750cfc2170a4a4
SHA512 1b44716a7cf879c91f246dbac56c0db5329f2c5eda5a584689dd40388698fc960312ef9d30f1e92f5bb1040da6ae80315155af65da632356982635ea706a04af

C:\Users\Admin\AppData\Local\Temp\586C.exe

MD5 64c23b15686981a42f0c41bf04b40534
SHA1 8af173fa7c0fbcf7087b8ea628092f437d9d174c
SHA256 64a537783cb5954bec9bf2878c1ccb4ae074e5ed2159bac81f87efcd71cbdd36
SHA512 bcdfe78899d206a14f338e9a4f7cac2171fb6dee090375ff19e1bbe07a9b60ef90dc30a404fcfd2c382ca25aa7690dddebe2b2d4fb48366af0a0d2552ded4729

memory/4212-183-0x00007FF6250F0000-0x00007FF625D52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9C2D.exe

MD5 622939e81b389026b6a84cf1b4b591ed
SHA1 3e107fdfc37a218893e2af7de943f89eea8cc942
SHA256 9ba91fb7966f2165ef55283606de31147756b5591932ee333247b67710fdef77
SHA512 6a5c81645a01e73da9e9e88a8692d6732eb7edf49b40726a0216f816f25ec5cd4cfa63afc52fb1ad35d3f22229a55df25e4c506cd393b1cc7a37d04b29d95f7f

C:\Users\Admin\AppData\Local\Temp\9C2D.exe

MD5 d9a0b196f6067f6dee7d4aba57ac4b8d
SHA1 68d33c4654b62a6292c3cec5e8cae9b4e6f3acd0
SHA256 631e9158803ed6952e8074858caa79097a20ebe5e96f809842c4e2e169fa2611
SHA512 f14e96014980f167e2369fdf607d1f66d2a3abf038d4444f964db2183f47be027fe849bebd4c56ad80cd9f782573dde73655b9ab51fa0de3ecdc81a98b0f6ef9

memory/4624-192-0x0000000072120000-0x000000007280E000-memory.dmp

memory/4624-193-0x00000000003C0000-0x0000000000914000-memory.dmp

memory/4624-194-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/4624-195-0x0000000005170000-0x000000000520C000-memory.dmp

memory/4624-196-0x0000000005910000-0x0000000005E3C000-memory.dmp

memory/4624-202-0x0000000072120000-0x000000007280E000-memory.dmp

memory/4624-203-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/5104-212-0x0000000000A60000-0x0000000000B60000-memory.dmp

memory/4624-220-0x0000000005E40000-0x000000000607C000-memory.dmp

memory/4624-221-0x0000000005640000-0x0000000005652000-memory.dmp

memory/4624-222-0x00000000071B0000-0x0000000007342000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/4624-229-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/4624-230-0x00000000056D0000-0x00000000056E0000-memory.dmp

memory/4624-232-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/4624-231-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/4624-233-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/4624-234-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/4624-235-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/4624-236-0x00000000075F0000-0x00000000076F0000-memory.dmp

memory/4624-237-0x00000000075F0000-0x00000000076F0000-memory.dmp

memory/4624-242-0x0000000072120000-0x000000007280E000-memory.dmp

memory/4632-243-0x0000000000400000-0x000000000063B000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4632-304-0x0000000000400000-0x000000000063B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6C10.exe

MD5 7769e93085751e0b35729827dc22e8d5
SHA1 1d20bac0f5e0e8e28d466834463463cc911a5baa
SHA256 8dd36a9b8a11b166aab0584253115650ec392591e7958c0cba3f1adef483f402
SHA512 b3b658440f973b7e913681e645b21aa6c102fb4d43480f5e9952f756bfd42288bf2e56a4fef02929994d09cf82c857a7772eb1b6703ab69f924383a2ecdbe56c

C:\Users\Admin\AppData\Local\Temp\Jeffrey

MD5 e121db542d18a526f078c32fd2583af5
SHA1 69e677442ccb6d6fe1d2a3029cf44aac473f5f55
SHA256 fcaf08c62c974ca0fb7537213a7867ab0f9fb41e52dde118b758b7ea05f63ca2
SHA512 9d8c2bd284a624b68a2fafd93445648f69ffd47374f1d3cfd1857d2951bbc2a6cbe971fdb5e10d5f513dbb5188d59ee8e5715c86e3a1bf23e6df7feec960bebe

C:\Users\Admin\AppData\Local\Temp\7DC5.exe

MD5 d88c9297da5b7b0a3f96d33e6eca33e6
SHA1 808e8a222cd131679b4feda2834eaaa92f866143
SHA256 92a59655997ea6a17d871d12965738dfa1649751774129b4fbeea2bb01355723
SHA512 e854cf3f4e4b119e040e00d56adcd56749099ddcb1956433a31156afc88e643972b690917ac09deadb8860e5b6982d55085a372d4f509996ded7e5e3e1f05066

memory/2208-367-0x0000000000A70000-0x0000000000ADC000-memory.dmp

memory/2208-368-0x0000000071D30000-0x000000007241E000-memory.dmp

memory/2208-369-0x0000000005540000-0x0000000005550000-memory.dmp

memory/2208-377-0x0000000071D30000-0x000000007241E000-memory.dmp

memory/2208-378-0x0000000002DA0000-0x0000000004DA0000-memory.dmp

memory/4856-379-0x0000000000400000-0x000000000063B000-memory.dmp

C:\ProgramData\JKJECBAA

MD5 ce732f4f447aa2f766cfbdf8a4f5e19e
SHA1 318043823c8dc77670f7dfa5b672b313321898fa
SHA256 b7cb765a763c053cded7e6e8cda3bcc581bbd10ac756abf495a265be80300191
SHA512 7ce0abbbeaf17458f864d4f39326f492320fa6e85524da3ce9d7dd991db4a10080780121dc5a6a755a515022d13f2894692fdc302385da285d8abc77738bafeb

C:\ProgramData\freebl3.dll

MD5 56b9b01de3282fcb7ead7190344d4894
SHA1 37887894647859a2013ad35893e1b5a7c6745260
SHA256 14cc9da93c9fd0e0c31e6bac04e303cfa423769a670ffd0fd6e5a2d113041b44
SHA512 d3621893907f544c7b7ffeba2c5c95612ed99408c5ad5d9c01f2aa21fc1499b4c9d26caf5e578f78428860cc35f1d0666913989f5beb09a98ddbbfd4d701a624

C:\Users\Admin\AppData\Local\Temp\Cdt

MD5 ba823d75b6712149e7241d1c2f6695ef
SHA1 9f351074e85afc8254aaa5df0561377c8b68874c
SHA256 7d9468f4301186c054a25dd5290770a9acec5c3e03937a5a99ae17d0af786377
SHA512 563c98418647956e8892b855e6a9c9b5994e50f8a41c2857c0a06abf59151d729ad53676d38e1f6addd7186b3f707ce06a313f5a3482327624985f9f50bc8167

C:\Users\Admin\AppData\Local\Temp\Thumbnail

MD5 e68e0d804f78aadf2b7da5190971cc56
SHA1 b10f5a2dfc947cd7ecdc14bbf37ab4ceb5e1eaf9
SHA256 fe05a76fbb09e4fa60386db924b5bff738c3ce9be3bd0a1f9c082317c8c86bee
SHA512 e5600c6ab0f3d41b47c0b92f5e32a26eb42ca34392a9e1ba373e2b0b7f884ae4c47949dee26a05ba20a3467299f01b4e50aa2c2acd1a47f5152a83e2abfa7cda

C:\Users\Admin\AppData\Local\Temp\Powers

MD5 0c851a1587662cb3c4b3f4e79b9d40e4
SHA1 405bcebd4ebefa55e2e51fd9a5f9a468f25020e5
SHA256 869aadd31861f94ebedb8c7601f310b4c87091c950040cb56115e83801955e26
SHA512 c9fa7643f8c0dda69eea577dcb3868f20f22c68f49e9726f2bd1cb9f4b134a31ea5d5fead51577ba29f795de394549396dff55432df232baba40f025ac2593c8

C:\Users\Admin\AppData\Local\Temp\Neural

MD5 4c5c9f5368402dd77d8f8e0c31951625
SHA1 719e5a648399121cf1402d36734631f95c723d18
SHA256 d7d7df376fcf36b624b6b7c42bac9e409997daf2533fb13b47df979080bd89d7
SHA512 1077177e69ca516d7fac2f48c650407007b05e6867140f0349779dc9e315da2291c8ecbf63d87533f86447c9920d83dbd1c509f9b97d6e653445cdd6661460ba

C:\Users\Admin\AppData\Local\Temp\Patricia

MD5 d9bd01e58c378e5a43b47b93ccf11b30
SHA1 4f57381303c5cb2d6f0012d190ce11d696efde77
SHA256 df1836f2bef8704260148cc27c0f83b54e7bba141cb9274de315082f55983d1a
SHA512 4ed8db053adec650c71c34c843173bc2f25078ee37099ed91ad922ca57346dfd543949fe14d70b158aeabb0a0c69219548b44866c701cfe45e3c2954a1a00755

C:\Users\Admin\AppData\Local\Temp\Debut

MD5 309a79e7ee30ead5653c0e33c937bf20
SHA1 808165ca516179e0749cd74b57ebf2ec92e77a9e
SHA256 a8801707877eed3c2e26a3c17dfe73fa1f497e0c7c50510a2209752f2d28c233
SHA512 0bde1c86c60452f042d5d70962d1e78483ee33d69cee5a9fefc47681b9136ff4cf64ba2b2197f050d97f5ff26161e4b79981f1a848f25f48957f2660a706a6b8

C:\Users\Admin\AppData\Local\Temp\Translations

MD5 a40fabfc3d4fe0e77cf03156b0541015
SHA1 7a8c301d0a3834a212af25812cb9f51afa8425d4
SHA256 fb58698a4c4b63b75f32a80188681d5a7489ac856c2e4f66040ec75d86594864
SHA512 f34e5b24f65916dad8cb8bdb920b008b3110dc89f0fd7de378c1dde905738572921098286f2bcc8df1615a4f4dd638c28cef8decb0ae68a8bba29600dd249c11

C:\Users\Admin\AppData\Local\Temp\Mpeg

MD5 af66ed102029338945a5ae7af6e68867
SHA1 2a590d37a9e25203f41fe28be7b3702bdac34e28
SHA256 4f5603c2539d330e9576ab577fe08cd58e6a191620e962c570af439ec4808c6b
SHA512 83d5afa258752706ce85f5e57a59e04e0c8e2e856eb12d4e419237eaf2669bf1ffbd1ab87eabc34e0e7c3e4584a4288aa39285cfbfd398d04f8bd2248cf27609

C:\Users\Admin\AppData\Local\Temp\Drain

MD5 99667047563ffb1f92319045c1fa496f
SHA1 9eba1534190dac88d7231e00cf2372477479a262
SHA256 3f6dfc93ffd2c876839d824993a4234df1d16a3f0b5d284c66e32bc2264867ea
SHA512 e8d39f341df2decde92d2bf7066de6ccf3b3b2d6c4e57d353a60ee409fb7d54444d55e8c02a266da4ec94e719e149685120c72c6db7c35e863cef7f1f844c9d9

C:\Users\Admin\AppData\Local\Temp\Go

MD5 b153dbfec41fa6a8b005978bc571befe
SHA1 9752d98549edff58b4c0ede5a654832c22f97d38
SHA256 f59cbe377d6d4df992d6caaa0ccbbe7a5506741c9e63a716a0284cb2ae720814
SHA512 eef43707eb9b7e047a8c8307ffac9ce4b1eb0383186280b9112eb278e4fb97c339e14cbbb334eaf9e13719280978a12c7d8d3615e8ab25e176530836799c002a

C:\Users\Admin\AppData\Local\Temp\Greg

MD5 265344b2c8ca35ae60227ff6639481f5
SHA1 49bf4e7aab05a697409a4cc8f04c5b2ed1e78e79
SHA256 349c58fc4a15001ff0875d2a9f797d536045804c99350e0f43203ade07c41b59
SHA512 2248bd383433d3dd541eb74f3e2404f83e1f379b11d9e7de9bf6903460cfba9b1955d089439883126ce6c08a67a3e12beb63126a74a1a86dc461ca8f232f442d

C:\Users\Admin\AppData\Local\Temp\Plans

MD5 5e136f53a54f61eeb099c76021dba233
SHA1 1b9f5ffa3b8c1cf3a1ce8fe58786e2b3617825d3
SHA256 ed6ad54fc60499182bf34b7dd96c25c04ff155c33fbe205b2579deb03f15a041
SHA512 493110347fa229d48e4c6d8a735dc56bfa34d5da3b70d485c56ef35d47b92d694e0ba84784487168be98931699bcf019ff1d831f1dffc2fde1fd27aec7ae03a8

C:\Users\Admin\AppData\Local\Temp\Ancient

MD5 a02c222cf530ee003a3893c4c78770c2
SHA1 bdaaf55f6f97ad1c4493f1bb7b683cb3f47aa0f3
SHA256 192ca40b43714d9220f9c753befa6b87c9d95ac36d2eea8b762c67e1267981b5
SHA512 1225b9d79b853801089c216e75afc3ec093337858cf54657a746c43e6392aa66f9fdbc922bc13472f41407947acde71d2a2cabbdbdd34241e56410d7d61b0368

C:\Users\Admin\AppData\Local\Temp\Shapes

MD5 7aaaa1a6965448912a128a631bbd06be
SHA1 d3917e8d8780c9296c6bba2066a3fccd08e04253
SHA256 f9dd85538a77f5e563a03d1d846b2ed4e447fc002c4a3f35f6630fb6b068bf85
SHA512 02f233fa2df94f057eb453a571e5ccbe882dafb71a5f65c5ad159ed1aa56157dcf25fb954b9340dd43de0e4413b89447bcb5b5664c6966185710df9802474b52

C:\Users\Admin\AppData\Local\Temp\Warner

MD5 f83e3a79f793337194e79e4bb5c3b073
SHA1 6d4ef4fc71fbabc6f56265388d87d997e47194dc
SHA256 e6c10154860c14f05f94129e411439105ea9da7fe9bb372b5cf107978aed6844
SHA512 5133a73e3c9da5cef73cd6504e2bdfad81517a1b3dd8e3bd970ad6c2ba8fd02e305cc7b0884771b313ce44fd181e685be5c21426ed1c6d098bace464c5a02775

C:\Users\Admin\AppData\Local\Temp\Able

MD5 13fd06533f068d719a2b9f300096ca41
SHA1 f054659e3fb8516b759b8f819d12acb9c173ab6a
SHA256 b43ce17ba094fb6dbfffb9d06874f74f17acc0ca791d49fc2a0e83eeebda06f9
SHA512 f8cc9e163900c0594d2d76d0b8cc5a02399c15b68341ec7dd336abb754f7360b9b75623fa3666a1cf8df080e11ef1a759197076b0c7275701812e3b6e02c0422

C:\Users\Admin\AppData\Local\Temp\Fist

MD5 71afb2f733859a29cfcf25e58625284c
SHA1 248df6b7026fd2771dd65ed3b542ca0185dbb6dc
SHA256 d57110136c0fa135b3dd2f4b83d48af60fc8d918372aeec2a3eac0333135f120
SHA512 047874d945a67bda6f9e1bbeedf15e728be8ed212683f29dab0ee6d3d26a1265f1b3ab008e8b10c7c8bf6a5bf37f1ca637d54eb5ae99dd7ae67ff4fcdc16e5af

C:\Users\Admin\AppData\Local\Temp\Hobby

MD5 cd17d8568d3cb4f7a115c0c9657aa3c1
SHA1 389429708df886ee004b3d4c54cbb9a2e089859e
SHA256 ed71c9321bf22505bc8aeb4eada537151b1d0cce36d4a68a63c312e1d278be3d
SHA512 005277a31916c4f81780ede19a26e735a302db57f97b0c643ca1a959165b54f7c911a7ee1d1c79e0df599e9c201d3daa9f7cc48359367753fa152a04a739cd33

C:\Users\Admin\AppData\Local\Temp\Canal

MD5 c3a1a56b238bd452b6b59169cc99ec03
SHA1 88a35ade6f7f14e2df8d731317afc72612074a51
SHA256 a1f3e11d023c1b288bf20d8290fbb532397bcf5de9b5094ffd9e01faf15af90f
SHA512 163287a8864978a7de323e61e5a168b75e97dcd36e8448a00d05f2e8c00b2a9c878e372a56f12288bb92c86f89a6dd6d56ae0282fb09d919e7ffe85349643525

C:\Users\Admin\AppData\Local\Temp\Breach

MD5 9324e493902fe2c6ffcf04f088c34e08
SHA1 866c7b4c73f99f673dd3f2035e34d843c262f256
SHA256 6f50e1f49fca502dbab2f5d9b5ed372870222ba77e4317806a27bdd032dfd222
SHA512 c1d4bbd0444d2bbfb255766c846ec71623833b887609f995a09c95e323ec39137d74d8b55229055561fa2248418fd7cf28f531d467ed79f292f41518d3cee9e0

C:\Users\Admin\AppData\Local\Temp\Cos

MD5 c8599aa35a19083f6c5f80151f55315c
SHA1 3e315507bc934d0ebdf68328b5d60e7fcab41a3b
SHA256 339dbf69ba0f0dfbc7d4833ca4900017f2ab5999484e1194041a538589867e7f
SHA512 dc6d2169226606b2880f02cff18eeda182ed39dc55fd29626cfeb464c6c59fddb7f079bfc7386dc30f9fbc089fc8e40649f5b109fbbf172a2710cdd7814ecdf1

C:\Users\Admin\AppData\Local\Temp\Novel

MD5 9c5c2a336e6c94e60e8ca1a981235806
SHA1 887ed6cee2cc4b3da3acceb5b0553b24ec0e6617
SHA256 7726ad699b2cfa9778d6dc2c289c9a4f46b0d9a7c5db2e39e76f18e43ac86070
SHA512 1aa7daea097f7064bfbeef2621c4d88b08c77af0b6047cb78f84d749f94a49674f72b007e7a8422407aa045a12dd72d74a53df50811a2ca6eefb2eaf3446c2fb

C:\Users\Admin\AppData\Local\Temp\Capabilities

MD5 d34ef2c6ce15a8747df5431a864f0613
SHA1 fe62b64f13b149525066fe73f227df044255cddb
SHA256 879e43c64cb2cb8fcb5df47040d65e4127997f5b845d0a87692a632af3ae04b9
SHA512 0e0dfcd55a61c0d42a262cf1fbe7b29d4c10a60902986030d784aa9abdb60fd1e76ba7ca4a1e62b89a90c00b6d02874e827801faec8adcb113209152e4f77c24

C:\Users\Admin\AppData\Local\Temp\Tamil

MD5 5b825ccfab154d5de20e806e687ecb89
SHA1 d311d7b23a70f5e1ba875e020d37e05a3a4c4552
SHA256 19d5510298ed882c13538159f6d600afb2b0cbca2e21307b23d4ffc7b951b436
SHA512 e31cac21acdd002e14b7e40cf0af6efb65ed3b803348d885ca2dc5d38b4b3b03b1548cb78258515a1cce9b6eccefa31fef02ed6212b0e9170c4e4ba71e9d8f03

memory/2208-454-0x0000000002DA0000-0x0000000004DA0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 04:59

Reported

2024-03-14 05:04

Platform

win7-20240221-en

Max time kernel

300s

Max time network

209s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe"

Signatures

Detect Vidar Stealer

stealer

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\74dadc62-0861-40f2-992c-f733c7213548\\B4DF.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\B4DF.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\jvejbgr N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\jvejbgr N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\jvejbgr N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\jvejbgr N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 2652 N/A N/A C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2652 N/A N/A C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2652 N/A N/A C:\Windows\system32\cmd.exe
PID 2652 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2652 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2652 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3044 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\jvejbgr
PID 3044 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\jvejbgr
PID 3044 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\jvejbgr
PID 3044 wrote to memory of 2676 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\jvejbgr
PID 1212 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 1212 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 1212 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 1212 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 2576 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 2576 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 2576 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 2576 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 2576 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 2576 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 2576 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 2576 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 2576 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 2576 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 2576 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 1428 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Windows\SysWOW64\icacls.exe
PID 1428 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Windows\SysWOW64\icacls.exe
PID 1428 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Windows\SysWOW64\icacls.exe
PID 1428 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Windows\SysWOW64\icacls.exe
PID 1428 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 1932 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\Temp\B4DF.exe
PID 2700 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\B4DF.exe C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe
PID 560 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe
PID 308 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1212 wrote to memory of 2484 N/A N/A C:\Users\Admin\AppData\Local\Temp\1595.exe

Processes

C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe

"C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\65C5.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\taskeng.exe

taskeng.exe {20320EA6-1659-4EA0-BACA-09550EBC2A64} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\jvejbgr

C:\Users\Admin\AppData\Roaming\jvejbgr

C:\Users\Admin\AppData\Local\Temp\B4DF.exe

C:\Users\Admin\AppData\Local\Temp\B4DF.exe

C:\Users\Admin\AppData\Local\Temp\B4DF.exe

C:\Users\Admin\AppData\Local\Temp\B4DF.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\74dadc62-0861-40f2-992c-f733c7213548" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\B4DF.exe

"C:\Users\Admin\AppData\Local\Temp\B4DF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\B4DF.exe

"C:\Users\Admin\AppData\Local\Temp\B4DF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe

"C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe"

C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe

"C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 1408

C:\Users\Admin\AppData\Local\Temp\1595.exe

C:\Users\Admin\AppData\Local\Temp\1595.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\18F0.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 124

C:\Users\Admin\AppData\Local\Temp\29F2.exe

C:\Users\Admin\AppData\Local\Temp\29F2.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\65C5.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Roaming\jvejbgr

MD5 3b4224203121c702ba8573f7936a6732
SHA1 c541bdac782799e6c0e3ab6b8dce08f8e06d2f96
SHA256 66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029
SHA512 202f37fdebcb63e13227364f060abfff926e8be8e21d5c139ae17bf457556cd835886459e67a2b1e39ffba7f043491474892897481f3b4c17e99bcc1ba71f896

C:\Users\Admin\AppData\Local\Temp\B4DF.exe

MD5 8d76e42cbd333b2d7c3946ea1351ac7a
SHA1 800bd806ade43fb2d4f5c81a7929f3e8eeab7019
SHA256 5e1e31f5dec4546c01331bc1705d7c7509c060b00b49d88f444b336992377498
SHA512 c7bea376a671118dcc28b3e954f6484346ff8b87172b14d6fc77d772b88d32a826ff39c36426ef02d90f86cd96f6995ad2b7e344fed7ebb1d437637bb59fcb7b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b60c7ec1f4d3091a16bcda40616d6f86
SHA1 36a4b462a06afce99a952ea90cf57ba59fb26caf
SHA256 0d2cc968a8ed13c4d89603c25f79486f400fde11c3aa9a4b8901cbfe5d863f84
SHA512 3350a3092dc1bcee1bdff13a83996b15b7fae073ab1c3c8b8885df504653f3e893ee64155d7543a4fb8d6c02ea65f20fe55f2ce6fcc97beb41424722a9605d2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 abc79c2d8417ea57138c6dea857ca443
SHA1 7dbb7973045f0d1f7d87e654b5ba32cd2c23bf26
SHA256 4c5cf57ac8e9c7ce280d2489f3d8844e484679f9fc2a9839f1fa5dc8c73cf946
SHA512 df4648bb97054b01aea71b6b5e456e32bc453f6c6da8321a8dcb9d02611bf0b738d1c21b6a38c1d0eb5b2a08d41f58a6b3e8ed2a5dee1f0b0d2f4532f5ab6352

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 2ff14fb732157b20816afe0e355cc84a
SHA1 a711e7eb1a3738b3303cab8789d4a2aca26b4243
SHA256 867370548e14283f78abcac4220f565ccd77dde9230844881ddb21274df4eb92
SHA512 397e43d4978431f15287f913f34ca463a93fa00b137123dc8a8ba12cb170afa818ceef93433986ea78231bbc8320eacc5f9d1ce50dcbafc696d8d600abb7ab80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 01e276f57ae149f88dff4cbd38c69992
SHA1 434a2c5ef081d0ebcd16cbf8d4561a173b64b798
SHA256 03e2d7acb20f2942a46a9965343fc92674d04c74eecc1177ce4b9403d5231c3b
SHA512 e1526726b21ac2240064039f80c7055fab45ed3250c34333aed127425ffc9a138cb8d4adb610e32bc4b47ce794a93f1354e1e0350e0f73f12a0560f187aef446

C:\Users\Admin\AppData\Local\Temp\CabBD18.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe

MD5 47704f454af8641dac1af2e2768d7881
SHA1 e3341bfdec84f69684aecde18cab2864519c7728
SHA256 a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64
SHA512 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25

C:\Users\Admin\AppData\Local\313d19a1-58fc-4780-82fd-80c39dda49b6\build2.exe

MD5 9166ac4cb92fbceff65f16b591dac7e0
SHA1 ebd8e40107d8899b1bc0086ab92df52f761378a7
SHA256 ffd6e5496762d41d616ec25d9c83e5a7226824a405a17f765149342512003c20
SHA512 6d0fa48aa5e6febd3b31acdebcb965b194add4688c24524b6c0f7d66a9073b51b17f79f4f70f62183ab5c85d7292b5d4c5e628da3c42bc6fe314e839286e70cb

C:\Users\Admin\AppData\Local\Temp\TarAD.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar507.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\Local\Temp\1595.exe

MD5 9e52aa572f0afc888c098db4c0f687ff
SHA1 ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA256 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512 d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

\Users\Admin\AppData\Local\Temp\1595.exe

MD5 9c37be9f36c42a84fa152514750892dc
SHA1 1bc1ef1e1c6385e5d2c06692b1044e76d1b425d3
SHA256 615274824986c29a64d8a3e25f163c491a81adad58a8f815260336fd5e0281fa
SHA512 82f51b96650c5ac4c2ce8f223b930a40f0567d055d0ac3378fe51acd468c8370d38ba5bf1ae475020c6c045770f0a2663f5a393d359e8940a6c4d59fe170f432

\Users\Admin\AppData\Local\Temp\1595.exe

MD5 abf4b9118979fbe566517ca6f47e25da
SHA1 9968d168c7c2803b86f4008429325304f5454bb8
SHA256 a3b74f449254e8ec55dd5978aaa0274f4863fb59f76d5e3fcff4044d21e874b7
SHA512 3292bbfd1594727fcb4bd83414b67fbf575725c261e996a2b5dace2a97b4241654c16a25f7c407a3202739f7b945e3b5adc5f2f4d007c7f838e9c68adcbdcf30

\Users\Admin\AppData\Local\Temp\1595.exe

MD5 2a3a037a7cc9766bb924506b379d9b6e
SHA1 6b2cbb0bfd69c2c59daaf81f91c339f2139c486e
SHA256 8780dfb3267a9b57794ce0be8c76eadd79094263a3e0c1f90ec2736aad50de59
SHA512 03d537d3b27a2a1744f9875d51fb48f470b3b97ea9ea85cbd447ad480f331c755ab56dabafb249a951b8a765f613acf8c246b8e107fa66808c312e5eeb267357

\Users\Admin\AppData\Local\Temp\29F2.exe

MD5 5be6826ddf9c112257f74aa7b772bd15
SHA1 d59e099401a95bdad302f0b838f0a4bc80f5a4ac
SHA256 ed481b3c2b9eda3e4e7e49f3d6ed21d81900f6166feb098dcae9c29ebb221a17
SHA512 8334034f02c8abf5d5e2c30c265df55f1b62d7acdcb18e32b622e80bdc7e2be55fa9f331c99dfd274dd96eba1ef3b5f5c17147e2b35576df8ca156242d9817c0

C:\Users\Admin\AppData\Local\Temp\29F2.exe

MD5 e05eb7cea791a87c33f6c71e65469756
SHA1 c20affd9a4324958e328c94dd1a56fb865054f35
SHA256 13e8dfb9e60e7759a925a48b8b891293e45061dea23f5a195f2c09be4e408ede
SHA512 092438fc57ce114e915467de8187af4a41047d91247f6b7777558a91b8cf035bbaa9adff82f2eed780992bc805a8cee4ed9844424bb95aafcd7c3e8166ed081f
