Analysis Overview
SHA256
8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
Threat Level: Known bad
The file 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d was found to be: Known bad.
Malicious Activity Summary
Stealc
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect ZGRat V1
Detected Djvu ransomware
Djvu Ransomware
Vidar
DcRat
ZGRat
Lumma Stealer
Detect Vidar Stealer
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads data files stored by FTP clients
Modifies file permissions
Reads user/profile data of web browsers
Deletes itself
Checks installed software on the system
Adds Run key to start application
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies system certificate store
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-14 05:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 05:07
Reported
2024-03-14 05:12
Platform
win7-20240221-en
Max time kernel
300s
Max time network
252s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
Vidar
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E4E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E4E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E4E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E4E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\679B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86C1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hjssaet | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E4E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E4E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E4E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E4E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E4E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E4E4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6ec44e28-19f0-4b5f-99d9-1cc5857b57b7\\E4E4.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\E4E4.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2980 set thread context of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\E4E4.exe | C:\Users\Admin\AppData\Local\Temp\E4E4.exe |
| PID 804 set thread context of 572 | N/A | C:\Users\Admin\AppData\Local\Temp\E4E4.exe | C:\Users\Admin\AppData\Local\Temp\E4E4.exe |
| PID 1632 set thread context of 1172 | N/A | C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe | C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hjssaet | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hjssaet | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hjssaet | N/A |
Modifies system certificate store
Note: the key written below sits under AuthRoot and its thumbprint, 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25, is the SHA-1 fingerprint of the DigiCert High Assurance EV Root CA. Together with the CryptnetUrlCache entries listed under Files, this is consistent with Windows fetching that root through its automatic root-update mechanism during build2.exe's HTTPS connections, not with a malware-installed CA. Treat this signature as low confidence on its own.
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hjssaet | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\B0E8.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\E4E4.exe
C:\Users\Admin\AppData\Local\Temp\E4E4.exe
C:\Users\Admin\AppData\Local\Temp\E4E4.exe
C:\Users\Admin\AppData\Local\Temp\E4E4.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6ec44e28-19f0-4b5f-99d9-1cc5857b57b7" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\E4E4.exe
"C:\Users\Admin\AppData\Local\Temp\E4E4.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\E4E4.exe
"C:\Users\Admin\AppData\Local\Temp\E4E4.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
"C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe"
C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
"C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1444
C:\Users\Admin\AppData\Local\Temp\679B.exe
C:\Users\Admin\AppData\Local\Temp\679B.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\69BE.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\86C1.exe
C:\Users\Admin\AppData\Local\Temp\86C1.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {8489EDBD-0FB8-41FD-A4B3-11316F7C311C} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\hjssaet
C:\Users\Admin\AppData\Roaming\hjssaet
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| MX | 187.211.202.16:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| MX | 187.211.202.16:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| MO | 122.100.154.145:80 | sajdfue.com | tcp |
| MO | 122.100.154.145:80 | sajdfue.com | tcp |
| MO | 45.64.21.244:80 | N/A | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| DE | 5.75.221.28:80 | 5.75.221.28 | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 172.67.192.62:443 | valowaves.com | tcp |
| MO | 45.64.21.244:80 | N/A | tcp |
| US | 8.8.8.8:53 | nessotechbd.com | udp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| NL | 195.20.16.82:443 | N/A | tcp |
| NL | 195.20.16.82:443 | N/A | tcp |
| US | 8.8.8.8:53 | safety.co.tz | udp |
| US | 67.227.213.152:443 | safety.co.tz | tcp |
| US | 67.227.213.152:443 | safety.co.tz | tcp |
| US | 8.8.8.8:53 | streamingplay.site | udp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| US | 8.8.8.8:53 | www.upload.ee | udp |
| FR | 51.91.30.159:443 | www.upload.ee | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
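The Network table above mixes the sandbox's DNS resolver, an IP-lookup service, legitimate hosting the report flags as abused, and connections to bare IPs with no hostname at all. The following is an added example (not part of the sandbox report) that parses such a table into grouped IOCs and a blocklist. SAMPLE_ROWS is a constructed subset of the rows above; it includes direct-IP rows both in the well-formed shape (N/A in the Domain column) and in the shifted shape some extractions produce, where the protocol lands in the Domain cell. The LEGIT_HOSTING, IP_LOOKUP and RESOLVERS sets are this example's own classification lists, seeded from the report's "Legitimate hosting services abused" and "Looks up external IP address" signatures.

```python
"""Pull network IOCs out of a sandbox 'Network' table.

Added example, not part of the report. SAMPLE_ROWS is a constructed subset
of the report's Network table.
"""
import re
from collections import defaultdict

SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| MO | 122.100.154.145:80 | sajdfue.com | tcp |
| MO | 45.64.21.244:80 | tcp | |
| NL | 142.250.179.142:443 | drive.google.com | tcp |
| NL | 195.20.16.82:443 | N/A | tcp |
| DE | 5.75.221.28:80 | 5.75.221.28 | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
"""

# Classification lists for this example. The report flags drive.google.com and
# raw.githubusercontent.com as abused legitimate hosting and api.2ip.ua as an
# external-IP lookup; github.com is added here on the same basis.
LEGIT_HOSTING = {"drive.google.com", "raw.githubusercontent.com", "github.com"}
IP_LOOKUP = {"api.2ip.ua"}
RESOLVERS = {"8.8.8.8"}  # the sandbox's DNS resolver, never an IOC

ROW = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*\|(?P<rest>.*)\|\s*$"
)


def parse_row(line):
    """Return (cc, ip, port, domain, proto) for a table row, else None.

    Tolerates the shifted form '| MO | ip:port | tcp | |' in which the Domain
    cell is missing and the protocol moved one column left.
    """
    m = ROW.match(line)
    if not m:
        return None
    cells = [c.strip() for c in m.group("rest").split("|")]
    if cells and cells[0].lower() in ("tcp", "udp"):
        domain, proto = "", cells[0].lower()
    else:
        domain = cells[0] if cells else ""
        proto = cells[1].lower() if len(cells) > 1 else ""
    if domain.upper() == "N/A":
        domain = ""
    return m.group("cc"), m.group("ip"), m.group("port"), domain, proto


def extract_iocs(table_text):
    """Group endpoints by hostname; keep connections with no hostname separately."""
    by_domain = defaultdict(set)
    direct_ip = set()
    for line in table_text.splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        _cc, ip, port, domain, _proto = parsed
        if ip in RESOLVERS:
            continue
        if not domain or domain == ip:
            # Hard-coded IP reached without a DNS lookup: typical C2/second stage.
            direct_ip.add(f"{ip}:{port}")
        else:
            by_domain[domain].add(f"{ip}:{port}")
    return dict(by_domain), direct_ip


def classify(domain):
    if domain in LEGIT_HOSTING:
        return "legit-hosting"
    if domain in IP_LOOKUP:
        return "ip-lookup"
    return "c2-candidate"


def blocklist(table_text):
    """Domains with no benign explanation plus every direct-IP destination."""
    by_domain, direct_ip = extract_iocs(table_text)
    block = {d for d in by_domain if classify(d) == "c2-candidate"}
    block |= {ep.rsplit(":", 1)[0] for ep in direct_ip}
    return sorted(block)


if __name__ == "__main__":
    domains, bare = extract_iocs(SAMPLE_ROWS)
    for name, endpoints in sorted(domains.items()):
        print(f"{classify(name):14} {name:24} {', '.join(sorted(endpoints))}")
    print("direct-ip:", ", ".join(sorted(bare)))
    print("blocklist:", blocklist(SAMPLE_ROWS))
```

Domains under legit-hosting and ip-lookup are deliberately kept out of the blocklist (blocking drive.google.com breaks users, and api.2ip.ua is a hunting indicator rather than a block candidate), but they remain in the grouped output for proxy-log searches. The Cloudflare-fronted addresses behind valowaves.com and api.2ip.ua in the full table are another reason to block by hostname rather than by resolved IP.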
Files
memory/1612-1-0x0000000000650000-0x0000000000750000-memory.dmp
memory/1612-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1612-3-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1612-5-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1256-4-0x00000000029A0000-0x00000000029B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B0E8.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\E4E4.exe
| MD5 | 607c81ba743760322e1b6d4a09f824b7 |
| SHA1 | cd29d301323484514a062b3cfc35c232678c84a5 |
| SHA256 | 7cca9d86a545c0b50667713e3af1cc8ecd931d6f2d310b2e90f016c43ce7bdd4 |
| SHA512 | 8e5996c99c8bb2b7ba93e0f6f2325b6c337a6f962513cead5e4fde7373be2acbb0cf7ea4cc902beba480adba51a7a12d838af9a65efd98fe2f91d67d97df6da1 |
memory/2980-26-0x0000000001FE0000-0x0000000002072000-memory.dmp
memory/2980-28-0x0000000002080000-0x000000000219B000-memory.dmp
memory/2980-27-0x0000000001FE0000-0x0000000002072000-memory.dmp
memory/2336-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2336-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2336-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2336-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/804-59-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2336-58-0x0000000000400000-0x0000000000537000-memory.dmp
memory/804-62-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/572-69-0x0000000000400000-0x0000000000537000-memory.dmp
memory/572-70-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 2ff14fb732157b20816afe0e355cc84a |
| SHA1 | a711e7eb1a3738b3303cab8789d4a2aca26b4243 |
| SHA256 | 867370548e14283f78abcac4220f565ccd77dde9230844881ddb21274df4eb92 |
| SHA512 | 397e43d4978431f15287f913f34ca463a93fa00b137123dc8a8ba12cb170afa818ceef93433986ea78231bbc8320eacc5f9d1ce50dcbafc696d8d600abb7ab80 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 9d21fc505b58dde552bbe415331e6c33 |
| SHA1 | c584be5f4c1e5e3485f77c8567ae153afcf24320 |
| SHA256 | a167946389567da1d23f798ed777f6981331faa9f948d156012db408a86b615b |
| SHA512 | 4af2f2bd66a22923f7de263fe971787dd763d3243ff80d5c29bd1df7f325fa97e0c6029465a40b459ea275ec045c822d256905995867a618ceb8532584d4781d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8c3aa6355a39ab62b59b7fe20ba12ebf |
| SHA1 | 0e854a15d03c4c25cd8bd7fc7a67f19aeafe465a |
| SHA256 | d11ced62c3d18611d2ba33fd755431e6c23309aba4af5244731b7e817570af72 |
| SHA512 | 41f5d37a2b6baffbc4b313a3f7de7b5d084927ac99099d6f1f7439b5248d866a4e18064b468b27f0d8542d38fa29a65bb038663dd7bbf7161bba5bf7940136f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ceda7a8538693c86f7815dce8a8a87a4 |
| SHA1 | 8eff23ff6ef8da1193b974b806a80ec7ebc9ee0e |
| SHA256 | b8abdf8139e0599996e163e082c4006823b607e02fdb2c25131f1fb435e09255 |
| SHA512 | 69d5e146de1966c2e8494483e14f647d201018476e70761ad9edd95c7ffe17451015f5d3663c2ba1389e5241f88f8b8acc893bfe0562065ee54f03ae4e4e54a7 |
C:\Users\Admin\AppData\Local\Temp\Cab23E5.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/572-83-0x0000000000400000-0x0000000000537000-memory.dmp
memory/572-84-0x0000000000400000-0x0000000000537000-memory.dmp
memory/572-88-0x0000000000400000-0x0000000000537000-memory.dmp
memory/572-90-0x0000000000400000-0x0000000000537000-memory.dmp
memory/572-91-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
| MD5 | 47704f454af8641dac1af2e2768d7881 |
| SHA1 | e3341bfdec84f69684aecde18cab2864519c7728 |
| SHA256 | a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64 |
| SHA512 | 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25 |
memory/572-103-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1632-107-0x0000000000280000-0x0000000000380000-memory.dmp
memory/1632-109-0x0000000000730000-0x0000000000761000-memory.dmp
memory/1172-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1172-111-0x0000000000400000-0x0000000000644000-memory.dmp
memory/1172-114-0x0000000000400000-0x0000000000644000-memory.dmp
memory/1172-115-0x0000000000400000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar5B3B.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar5DB1.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
| MD5 | 859b0355ac2325c3d677f8d116a89f4b |
| SHA1 | 9f685cf73e5533a0ab9dd6a045a3157672a7526d |
| SHA256 | 56732ddb1ba43a542444cda37dbe9697892b2d091c3d415fbfbcb6fa413abc38 |
| SHA512 | 3ba315fbb9c3cf90322ce7a60553ce0cf5b94c77ef2459f3cc2dab8c44fabcb6272976e2362989b99feb4227e3b7d00676a10e2415ef2ca0daba229744632ab2 |
\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
| MD5 | 79f5b140010361cceee834ba756de9fd |
| SHA1 | 76e5d6a37668ea07bc70327ac088fa4637b80bee |
| SHA256 | b56b280619e67ee491a71262959fd8befee5f984b38cf6e9fb1a9219b2635694 |
| SHA512 | fb08405983b31d7105ae98c19b87f65b7bf5e96433246b8ff516642dc2f81aecd6263cc8246fe1dba5c342fb11509e319e26d1491f0297eb7e0e3b8e6316fcb5 |
C:\Users\Admin\AppData\Local\Temp\679B.exe
| MD5 | 9e52aa572f0afc888c098db4c0f687ff |
| SHA1 | ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b |
| SHA256 | 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443 |
| SHA512 | d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62 |
memory/2864-185-0x0000000000DB0000-0x0000000001A95000-memory.dmp
memory/2864-190-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2864-193-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2864-194-0x0000000000DB0000-0x0000000001A95000-memory.dmp
memory/2864-196-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2864-197-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2864-199-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2864-201-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1172-202-0x0000000000400000-0x0000000000644000-memory.dmp
\Users\Admin\AppData\Local\Temp\86C1.exe
| MD5 | 243b6c7980d004b32d416e7b058b98d3 |
| SHA1 | 4997883f438f31491a9dc46611b2ab9a52eed317 |
| SHA256 | fdd869abb49ebf94c33e2a3177b6368a765593c9f9b402e3a111b27793eed40c |
| SHA512 | 41f3d57c954c7784fba195b933177c386656d072cea54a92b636acb0548a1fe6f698755589edb98002e1e72fb5b11d9ecd8f34dbfd6fa191e675e6c670e95e61 |
C:\Users\Admin\AppData\Local\Temp\86C1.exe
| MD5 | ee5ef45ccd15601b46c73ea5ac43e735 |
| SHA1 | 161801c420f124d9d3935ef7e868a8f95bf3308d |
| SHA256 | 2f23cb7e3ddc0909607fc7251ceedfa3f3600f86de619435e46355a944341129 |
| SHA512 | 3250acfa89e52724315fff95a2b2486a0ca50aa6d2ad789b580f36dba4f345e1be649d83b60f5da7ef996fac1ffbf05f12e35f56c0664a78aac37f6b90b2c538 |
memory/2748-207-0x000000013FB50000-0x00000001407B2000-memory.dmp
memory/572-212-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Roaming\hjssaet
| MD5 | 762c43c78ccf4d3b35574149b834f7a7 |
| SHA1 | b024585ab11a867a05b97f4de4336c14bb4e54e5 |
| SHA256 | 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d |
| SHA512 | 83d45a68b4c2a4c9b4ac55a5aa1f66e5dfd84328535f5ada2830592cc7745b6ff39aa57aefe715c9bebab552f569fce1216b8689a85cb3be3d8661e6b2a1f827 |
memory/2620-231-0x00000000005B0000-0x00000000006B0000-memory.dmp
memory/2620-232-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2620-238-0x0000000000400000-0x0000000000474000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-14 05:07
Reported
2024-03-14 05:12
Platform
win10-20240221-en
Max time kernel
230s
Max time network
286s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3ebee9b7-312e-40bc-9f3d-217292991451\\E73.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\E73.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Lumma Stealer
SmokeLoader
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 364 created 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\19943\Http.pif | C:\Windows\Explorer.EXE |
| PID 364 created 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\19943\Http.pif | C:\Windows\Explorer.EXE |
| PID 3888 created 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\19999\Deck.pif | C:\Windows\Explorer.EXE |
| PID 364 created 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\19943\Http.pif | C:\Windows\Explorer.EXE |
| PID 3888 created 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\19999\Deck.pif | C:\Windows\Explorer.EXE |
Vidar
ZGRat
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url | C:\Windows\SYSTEM32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url | C:\Windows\SYSTEM32\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quantifyr.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quantifyr.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6DD9.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3ebee9b7-312e-40bc-9f3d-217292991451\\E73.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\E73.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jgestfd | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jgestfd | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jgestfd | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jgestfd | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1A2C.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\D85D.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19943\Http.pif | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19999\Deck.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19943\Http.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19999\Deck.pif | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19999\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F82B.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\E73.exe
C:\Users\Admin\AppData\Local\Temp\E73.exe
C:\Users\Admin\AppData\Local\Temp\E73.exe
C:\Users\Admin\AppData\Local\Temp\E73.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\3ebee9b7-312e-40bc-9f3d-217292991451" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\1A2C.exe
C:\Users\Admin\AppData\Local\Temp\1A2C.exe
C:\Users\Admin\AppData\Local\Temp\E73.exe
"C:\Users\Admin\AppData\Local\Temp\E73.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\E73.exe
"C:\Users\Admin\AppData\Local\Temp\E73.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1228
C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe
"C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe"
C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe
"C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe"
C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe
"C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 1440
C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe
"C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\FBB4.exe
C:\Users\Admin\AppData\Local\Temp\FBB4.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FDC8.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 988
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\218D.exe
C:\Users\Admin\AppData\Local\Temp\218D.exe
C:\Users\Admin\AppData\Local\Temp\6DD9.exe
C:\Users\Admin\AppData\Local\Temp\6DD9.exe
C:\Users\Admin\AppData\Local\Temp\AA28.exe
C:\Users\Admin\AppData\Local\Temp\AA28.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Jeffrey Jeffrey.bat & Jeffrey.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 19943
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Sitemap + Sublimedirectory + Cow + Rss + Josh 19943\Http.pif
C:\Users\Admin\AppData\Local\Temp\D85D.exe
C:\Users\Admin\AppData\Local\Temp\D85D.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Cdt + Thumbnail + Powers + Tamil + Capabilities + Novel + Cos + Breach + Canal + Hobby + Debut + Patricia + Neural + Translations + Fist + Able + Warner + Shapes + Ancient + Plans + Greg + Go + Drain + Mpeg + Necessary + Robertson + Islam + Generations + Trim + Around + Companion + Maiden + Kills + Eat + Brunswick + Ww + Determines + Login + Heads + Wv + Vampire + Consequence + Tba 19943\F
C:\Users\Admin\AppData\Roaming\jgestfd
C:\Users\Admin\AppData\Roaming\jgestfd
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\E9A4.exe
C:\Users\Admin\AppData\Local\Temp\E9A4.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Closing Closing.bat & Closing.bat & exit
C:\Users\Admin\AppData\Local\Temp\19943\Http.pif
19943\Http.pif 19943\F
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SYSTEM32\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit
C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 19999
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Hint + Processing + Utils + Radar + Dealtime + Penalties 19999\Deck.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Risk + Bone 19999\g
C:\Users\Admin\AppData\Local\Temp\19999\Deck.pif
19999\Deck.pif 19999\g
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quantifyr.url" & echo URL="C:\Users\Admin\AppData\Local\TechWise Solutions Inc\Quantifyr.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quantifyr.url" & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Users\Admin\AppData\Local\Temp\19943\Http.pif
C:\Users\Admin\AppData\Local\Temp\19943\Http.pif
C:\Users\Admin\AppData\Local\Temp\19999\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\19999\RegAsm.exe
C:\Windows\system32\svchost.exe
svchost.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\Breach
| MD5 | 9324e493902fe2c6ffcf04f088c34e08 |
| SHA1 | 866c7b4c73f99f673dd3f2035e34d843c262f256 |
| SHA256 | 6f50e1f49fca502dbab2f5d9b5ed372870222ba77e4317806a27bdd032dfd222 |
| SHA512 | c1d4bbd0444d2bbfb255766c846ec71623833b887609f995a09c95e323ec39137d74d8b55229055561fa2248418fd7cf28f531d467ed79f292f41518d3cee9e0 |
C:\Users\Admin\AppData\Local\Temp\Canal
| MD5 | c3a1a56b238bd452b6b59169cc99ec03 |
| SHA1 | 88a35ade6f7f14e2df8d731317afc72612074a51 |
| SHA256 | a1f3e11d023c1b288bf20d8290fbb532397bcf5de9b5094ffd9e01faf15af90f |
| SHA512 | 163287a8864978a7de323e61e5a168b75e97dcd36e8448a00d05f2e8c00b2a9c878e372a56f12288bb92c86f89a6dd6d56ae0282fb09d919e7ffe85349643525 |
C:\Users\Admin\AppData\Local\Temp\Hobby
| MD5 | cd17d8568d3cb4f7a115c0c9657aa3c1 |
| SHA1 | 389429708df886ee004b3d4c54cbb9a2e089859e |
| SHA256 | ed71c9321bf22505bc8aeb4eada537151b1d0cce36d4a68a63c312e1d278be3d |
| SHA512 | 005277a31916c4f81780ede19a26e735a302db57f97b0c643ca1a959165b54f7c911a7ee1d1c79e0df599e9c201d3daa9f7cc48359367753fa152a04a739cd33 |
C:\Users\Admin\AppData\Local\Temp\Debut
| MD5 | 309a79e7ee30ead5653c0e33c937bf20 |
| SHA1 | 808165ca516179e0749cd74b57ebf2ec92e77a9e |
| SHA256 | a8801707877eed3c2e26a3c17dfe73fa1f497e0c7c50510a2209752f2d28c233 |
| SHA512 | 0bde1c86c60452f042d5d70962d1e78483ee33d69cee5a9fefc47681b9136ff4cf64ba2b2197f050d97f5ff26161e4b79981f1a848f25f48957f2660a706a6b8 |
C:\Users\Admin\AppData\Local\Temp\Patricia
| MD5 | d9bd01e58c378e5a43b47b93ccf11b30 |
| SHA1 | 4f57381303c5cb2d6f0012d190ce11d696efde77 |
| SHA256 | df1836f2bef8704260148cc27c0f83b54e7bba141cb9274de315082f55983d1a |
| SHA512 | 4ed8db053adec650c71c34c843173bc2f25078ee37099ed91ad922ca57346dfd543949fe14d70b158aeabb0a0c69219548b44866c701cfe45e3c2954a1a00755 |
C:\Users\Admin\AppData\Local\Temp\Neural
| MD5 | 4c5c9f5368402dd77d8f8e0c31951625 |
| SHA1 | 719e5a648399121cf1402d36734631f95c723d18 |
| SHA256 | d7d7df376fcf36b624b6b7c42bac9e409997daf2533fb13b47df979080bd89d7 |
| SHA512 | 1077177e69ca516d7fac2f48c650407007b05e6867140f0349779dc9e315da2291c8ecbf63d87533f86447c9920d83dbd1c509f9b97d6e653445cdd6661460ba |
C:\Users\Admin\AppData\Local\Temp\E9A4.exe
| MD5 | 0b776f9579e340fce2e18cd3b5eef8e0 |
| SHA1 | 283de96a6871061d6b1187fc43d3de5998e95035 |
| SHA256 | e03e7e55363c77f1c4be074e331c58da08adde708f4e942e5375c60f25d5217c |
| SHA512 | 6babc5097202a7b5f0ad941db3aa4290c4cb4b69282afcd57343b1bea82799a9e266929af367be0defc80e8becbb712637224fa5b469e2ce7540a5949a60483c |
C:\Users\Admin\AppData\Local\Temp\Translations
| MD5 | a40fabfc3d4fe0e77cf03156b0541015 |
| SHA1 | 7a8c301d0a3834a212af25812cb9f51afa8425d4 |
| SHA256 | fb58698a4c4b63b75f32a80188681d5a7489ac856c2e4f66040ec75d86594864 |
| SHA512 | f34e5b24f65916dad8cb8bdb920b008b3110dc89f0fd7de378c1dde905738572921098286f2bcc8df1615a4f4dd638c28cef8decb0ae68a8bba29600dd249c11 |
memory/3292-293-0x0000000006360000-0x000000000659C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Fist
| MD5 | 71afb2f733859a29cfcf25e58625284c |
| SHA1 | 248df6b7026fd2771dd65ed3b542ca0185dbb6dc |
| SHA256 | d57110136c0fa135b3dd2f4b83d48af60fc8d918372aeec2a3eac0333135f120 |
| SHA512 | 047874d945a67bda6f9e1bbeedf15e728be8ed212683f29dab0ee6d3d26a1265f1b3ab008e8b10c7c8bf6a5bf37f1ca637d54eb5ae99dd7ae67ff4fcdc16e5af |
C:\Users\Admin\AppData\Local\Temp\Able
| MD5 | 13fd06533f068d719a2b9f300096ca41 |
| SHA1 | f054659e3fb8516b759b8f819d12acb9c173ab6a |
| SHA256 | b43ce17ba094fb6dbfffb9d06874f74f17acc0ca791d49fc2a0e83eeebda06f9 |
| SHA512 | f8cc9e163900c0594d2d76d0b8cc5a02399c15b68341ec7dd336abb754f7360b9b75623fa3666a1cf8df080e11ef1a759197076b0c7275701812e3b6e02c0422 |
memory/3292-296-0x0000000005AC0000-0x0000000005AD2000-memory.dmp
memory/4688-301-0x0000000002F00000-0x0000000004F00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9A4.exe
| MD5 | b16867f255c015cad976d24f3051b45e |
| SHA1 | 9c178cbd142f36e8173e1e205cee265a06f9a8a7 |
| SHA256 | 04dcb4e1c88684f790a211c69341525c02ad36185c03812d8d049473dd4cb803 |
| SHA512 | 1b03d72cb0f1270aeee9d6b69b58a0a13d43f979db807304172cd99cc75fb5fcca1186ad00f52ac6b44f3ea5913e71f6ffc022776047e4cd6c122aa7873a572e |
C:\Users\Admin\AppData\Local\Temp\Warner
| MD5 | f83e3a79f793337194e79e4bb5c3b073 |
| SHA1 | 6d4ef4fc71fbabc6f56265388d87d997e47194dc |
| SHA256 | e6c10154860c14f05f94129e411439105ea9da7fe9bb372b5cf107978aed6844 |
| SHA512 | 5133a73e3c9da5cef73cd6504e2bdfad81517a1b3dd8e3bd970ad6c2ba8fd02e305cc7b0884771b313ce44fd181e685be5c21426ed1c6d098bace464c5a02775 |
C:\Users\Admin\AppData\Local\Temp\Shapes
| MD5 | 7aaaa1a6965448912a128a631bbd06be |
| SHA1 | d3917e8d8780c9296c6bba2066a3fccd08e04253 |
| SHA256 | f9dd85538a77f5e563a03d1d846b2ed4e447fc002c4a3f35f6630fb6b068bf85 |
| SHA512 | 02f233fa2df94f057eb453a571e5ccbe882dafb71a5f65c5ad159ed1aa56157dcf25fb954b9340dd43de0e4413b89447bcb5b5664c6966185710df9802474b52 |
memory/4688-312-0x0000000070DC0000-0x00000000714AE000-memory.dmp
memory/2588-315-0x0000000000400000-0x000000000063B000-memory.dmp
memory/3292-319-0x00000000076E0000-0x0000000007872000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ancient
| MD5 | a02c222cf530ee003a3893c4c78770c2 |
| SHA1 | bdaaf55f6f97ad1c4493f1bb7b683cb3f47aa0f3 |
| SHA256 | 192ca40b43714d9220f9c753befa6b87c9d95ac36d2eea8b762c67e1267981b5 |
| SHA512 | 1225b9d79b853801089c216e75afc3ec093337858cf54657a746c43e6392aa66f9fdbc922bc13472f41407947acde71d2a2cabbdbdd34241e56410d7d61b0368 |
C:\Users\Admin\AppData\Local\Temp\Plans
| MD5 | 5e136f53a54f61eeb099c76021dba233 |
| SHA1 | 1b9f5ffa3b8c1cf3a1ce8fe58786e2b3617825d3 |
| SHA256 | ed6ad54fc60499182bf34b7dd96c25c04ff155c33fbe205b2579deb03f15a041 |
| SHA512 | 493110347fa229d48e4c6d8a735dc56bfa34d5da3b70d485c56ef35d47b92d694e0ba84784487168be98931699bcf019ff1d831f1dffc2fde1fd27aec7ae03a8 |
memory/3292-326-0x0000000005B20000-0x0000000005B30000-memory.dmp
memory/3292-330-0x0000000005700000-0x0000000005710000-memory.dmp
memory/3292-331-0x0000000007BE0000-0x0000000007CE0000-memory.dmp
memory/3292-328-0x0000000005700000-0x0000000005710000-memory.dmp
memory/3292-327-0x0000000005700000-0x0000000005710000-memory.dmp
memory/3292-334-0x0000000005700000-0x0000000005710000-memory.dmp
memory/816-338-0x0000000000400000-0x000000000063B000-memory.dmp
memory/3292-337-0x0000000070DC0000-0x00000000714AE000-memory.dmp
memory/3292-336-0x0000000007BE0000-0x0000000007CE0000-memory.dmp
memory/4676-371-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/4676-372-0x0000000000400000-0x0000000000474000-memory.dmp
memory/4676-396-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2588-397-0x0000000000400000-0x000000000063B000-memory.dmp
memory/816-404-0x0000000000400000-0x000000000063B000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/3888-424-0x0000000076F91000-0x00000000770A4000-memory.dmp
C:\ProgramData\CGHDAKKJ
| MD5 | ce732f4f447aa2f766cfbdf8a4f5e19e |
| SHA1 | 318043823c8dc77670f7dfa5b672b313321898fa |
| SHA256 | b7cb765a763c053cded7e6e8cda3bcc581bbd10ac756abf495a265be80300191 |
| SHA512 | 7ce0abbbeaf17458f864d4f39326f492320fa6e85524da3ce9d7dd991db4a10080780121dc5a6a755a515022d13f2894692fdc302385da285d8abc77738bafeb |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |