Malware Analysis Report

2025-01-02 11:08

Sample ID 240314-fr5emsde65
Target 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
SHA256 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
Tags
djvu smokeloader vidar 82df9629d6ef6fc7fe54d6eb2bc6137b pub1 backdoor discovery persistence ransomware stealer trojan dcrat lumma stealc zgrat infostealer rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d

Threat Level: Known bad

The file 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d was found to be: Known bad.

Malicious Activity Summary

djvu smokeloader vidar 82df9629d6ef6fc7fe54d6eb2bc6137b pub1 backdoor discovery persistence ransomware stealer trojan dcrat lumma stealc zgrat infostealer rat spyware

Stealc

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect ZGRat V1

Detected Djvu ransomware

Djvu Ransomware

Vidar

DcRat

ZGRat

Lumma Stealer

Detect Vidar Stealer

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Drops startup file

Reads data files stored by FTP clients

Modifies file permissions

Reads user/profile data of web browsers

Deletes itself

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Runs ping.exe

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies system certificate store

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 05:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 05:07

Reported

2024-03-14 05:12

Platform

win7-20240221-en

Max time kernel

300s

Max time network

252s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6ec44e28-19f0-4b5f-99d9-1cc5857b57b7\\E4E4.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E4E4.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hjssaet N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hjssaet N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hjssaet N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hjssaet N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1256 wrote to memory of 2748 N/A N/A C:\Windows\system32\cmd.exe
PID 1256 wrote to memory of 2748 N/A N/A C:\Windows\system32\cmd.exe
PID 1256 wrote to memory of 2748 N/A N/A C:\Windows\system32\cmd.exe
PID 2748 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2748 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2748 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1256 wrote to memory of 2980 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 1256 wrote to memory of 2980 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 1256 wrote to memory of 2980 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 1256 wrote to memory of 2980 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2980 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2980 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2980 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2980 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2980 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2980 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2980 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2980 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2980 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2980 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2980 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2336 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Windows\SysWOW64\icacls.exe
PID 2336 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Windows\SysWOW64\icacls.exe
PID 2336 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Windows\SysWOW64\icacls.exe
PID 2336 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Windows\SysWOW64\icacls.exe
PID 2336 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2336 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2336 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 2336 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 804 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 804 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 804 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 804 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 804 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 804 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 804 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 804 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 804 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 804 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 804 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\Temp\E4E4.exe
PID 572 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 572 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 572 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 572 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\E4E4.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 1632 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 1632 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 1632 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 1632 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 1632 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 1632 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 1632 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 1632 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 1632 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 1632 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 1632 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe
PID 1172 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1172 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1172 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1172 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1256 wrote to memory of 2864 N/A N/A C:\Users\Admin\AppData\Local\Temp\679B.exe
PID 1256 wrote to memory of 2864 N/A N/A C:\Users\Admin\AppData\Local\Temp\679B.exe
PID 1256 wrote to memory of 2864 N/A N/A C:\Users\Admin\AppData\Local\Temp\679B.exe
PID 1256 wrote to memory of 2864 N/A N/A C:\Users\Admin\AppData\Local\Temp\679B.exe
PID 1256 wrote to memory of 1960 N/A N/A C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\B0E8.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\E4E4.exe

C:\Users\Admin\AppData\Local\Temp\E4E4.exe

C:\Users\Admin\AppData\Local\Temp\E4E4.exe

C:\Users\Admin\AppData\Local\Temp\E4E4.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6ec44e28-19f0-4b5f-99d9-1cc5857b57b7" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\E4E4.exe

"C:\Users\Admin\AppData\Local\Temp\E4E4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E4E4.exe

"C:\Users\Admin\AppData\Local\Temp\E4E4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe

"C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe"

C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe

"C:\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1444

C:\Users\Admin\AppData\Local\Temp\679B.exe

C:\Users\Admin\AppData\Local\Temp\679B.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\69BE.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\86C1.exe

C:\Users\Admin\AppData\Local\Temp\86C1.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {8489EDBD-0FB8-41FD-A4B3-11316F7C311C} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\hjssaet

C:\Users\Admin\AppData\Roaming\hjssaet

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
MX 187.211.202.16:80 sdfjhuz.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sportessentia.home.pl udp
PL 79.96.138.166:443 sportessentia.home.pl tcp
PL 79.96.138.166:443 sportessentia.home.pl tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 104.21.65.24:443 api.2ip.ua tcp
MX 187.211.202.16:80 sdfjhuz.com tcp
US 8.8.8.8:53 sajdfue.com udp
MO 122.100.154.145:80 sajdfue.com tcp
MO 122.100.154.145:80 sajdfue.com tcp
MO 45.64.21.244:80 tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 5.75.221.28:80 5.75.221.28 tcp
US 8.8.8.8:53 valowaves.com udp
US 172.67.192.62:443 valowaves.com tcp
MO 45.64.21.244:80 tcp
US 8.8.8.8:53 nessotechbd.com udp
US 192.185.16.114:443 nessotechbd.com tcp
US 192.185.16.114:443 nessotechbd.com tcp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
US 8.8.8.8:53 drive.google.com udp
NL 142.250.179.142:443 drive.google.com tcp
NL 195.20.16.82:443 tcp
NL 195.20.16.82:443 tcp
US 8.8.8.8:53 safety.co.tz udp
US 67.227.213.152:443 safety.co.tz tcp
US 67.227.213.152:443 safety.co.tz tcp
US 8.8.8.8:53 streamingplay.site udp
BR 45.152.46.72:443 streamingplay.site tcp
BR 45.152.46.72:443 streamingplay.site tcp
US 8.8.8.8:53 www.upload.ee udp
FR 51.91.30.159:443 www.upload.ee tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp

Files

memory/1612-1-0x0000000000650000-0x0000000000750000-memory.dmp

memory/1612-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1612-3-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1612-5-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1256-4-0x00000000029A0000-0x00000000029B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B0E8.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\E4E4.exe

MD5 607c81ba743760322e1b6d4a09f824b7
SHA1 cd29d301323484514a062b3cfc35c232678c84a5
SHA256 7cca9d86a545c0b50667713e3af1cc8ecd931d6f2d310b2e90f016c43ce7bdd4
SHA512 8e5996c99c8bb2b7ba93e0f6f2325b6c337a6f962513cead5e4fde7373be2acbb0cf7ea4cc902beba480adba51a7a12d838af9a65efd98fe2f91d67d97df6da1

memory/2980-26-0x0000000001FE0000-0x0000000002072000-memory.dmp

memory/2980-28-0x0000000002080000-0x000000000219B000-memory.dmp

memory/2980-27-0x0000000001FE0000-0x0000000002072000-memory.dmp

memory/2336-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2336-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2336-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2336-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/804-59-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2336-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/804-62-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/572-69-0x0000000000400000-0x0000000000537000-memory.dmp

memory/572-70-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 2ff14fb732157b20816afe0e355cc84a
SHA1 a711e7eb1a3738b3303cab8789d4a2aca26b4243
SHA256 867370548e14283f78abcac4220f565ccd77dde9230844881ddb21274df4eb92
SHA512 397e43d4978431f15287f913f34ca463a93fa00b137123dc8a8ba12cb170afa818ceef93433986ea78231bbc8320eacc5f9d1ce50dcbafc696d8d600abb7ab80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 9d21fc505b58dde552bbe415331e6c33
SHA1 c584be5f4c1e5e3485f77c8567ae153afcf24320
SHA256 a167946389567da1d23f798ed777f6981331faa9f948d156012db408a86b615b
SHA512 4af2f2bd66a22923f7de263fe971787dd763d3243ff80d5c29bd1df7f325fa97e0c6029465a40b459ea275ec045c822d256905995867a618ceb8532584d4781d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8c3aa6355a39ab62b59b7fe20ba12ebf
SHA1 0e854a15d03c4c25cd8bd7fc7a67f19aeafe465a
SHA256 d11ced62c3d18611d2ba33fd755431e6c23309aba4af5244731b7e817570af72
SHA512 41f5d37a2b6baffbc4b313a3f7de7b5d084927ac99099d6f1f7439b5248d866a4e18064b468b27f0d8542d38fa29a65bb038663dd7bbf7161bba5bf7940136f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ceda7a8538693c86f7815dce8a8a87a4
SHA1 8eff23ff6ef8da1193b974b806a80ec7ebc9ee0e
SHA256 b8abdf8139e0599996e163e082c4006823b607e02fdb2c25131f1fb435e09255
SHA512 69d5e146de1966c2e8494483e14f647d201018476e70761ad9edd95c7ffe17451015f5d3663c2ba1389e5241f88f8b8acc893bfe0562065ee54f03ae4e4e54a7

C:\Users\Admin\AppData\Local\Temp\Cab23E5.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/572-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/572-84-0x0000000000400000-0x0000000000537000-memory.dmp

memory/572-88-0x0000000000400000-0x0000000000537000-memory.dmp

memory/572-90-0x0000000000400000-0x0000000000537000-memory.dmp

memory/572-91-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe

MD5 47704f454af8641dac1af2e2768d7881
SHA1 e3341bfdec84f69684aecde18cab2864519c7728
SHA256 a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64
SHA512 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25

memory/572-103-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1632-107-0x0000000000280000-0x0000000000380000-memory.dmp

memory/1632-109-0x0000000000730000-0x0000000000761000-memory.dmp

memory/1172-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1172-111-0x0000000000400000-0x0000000000644000-memory.dmp

memory/1172-114-0x0000000000400000-0x0000000000644000-memory.dmp

memory/1172-115-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar5B3B.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar5DB1.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe

MD5 859b0355ac2325c3d677f8d116a89f4b
SHA1 9f685cf73e5533a0ab9dd6a045a3157672a7526d
SHA256 56732ddb1ba43a542444cda37dbe9697892b2d091c3d415fbfbcb6fa413abc38
SHA512 3ba315fbb9c3cf90322ce7a60553ce0cf5b94c77ef2459f3cc2dab8c44fabcb6272976e2362989b99feb4227e3b7d00676a10e2415ef2ca0daba229744632ab2

\Users\Admin\AppData\Local\5569858b-0e86-4088-a2f3-5da5f0c3ef3e\build2.exe

MD5 79f5b140010361cceee834ba756de9fd
SHA1 76e5d6a37668ea07bc70327ac088fa4637b80bee
SHA256 b56b280619e67ee491a71262959fd8befee5f984b38cf6e9fb1a9219b2635694
SHA512 fb08405983b31d7105ae98c19b87f65b7bf5e96433246b8ff516642dc2f81aecd6263cc8246fe1dba5c342fb11509e319e26d1491f0297eb7e0e3b8e6316fcb5

C:\Users\Admin\AppData\Local\Temp\679B.exe

MD5 9e52aa572f0afc888c098db4c0f687ff
SHA1 ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA256 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512 d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

memory/2864-185-0x0000000000DB0000-0x0000000001A95000-memory.dmp

memory/2864-190-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2864-193-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2864-194-0x0000000000DB0000-0x0000000001A95000-memory.dmp

memory/2864-196-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2864-197-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2864-199-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2864-201-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1172-202-0x0000000000400000-0x0000000000644000-memory.dmp

\Users\Admin\AppData\Local\Temp\86C1.exe

MD5 243b6c7980d004b32d416e7b058b98d3
SHA1 4997883f438f31491a9dc46611b2ab9a52eed317
SHA256 fdd869abb49ebf94c33e2a3177b6368a765593c9f9b402e3a111b27793eed40c
SHA512 41f3d57c954c7784fba195b933177c386656d072cea54a92b636acb0548a1fe6f698755589edb98002e1e72fb5b11d9ecd8f34dbfd6fa191e675e6c670e95e61

C:\Users\Admin\AppData\Local\Temp\86C1.exe

MD5 ee5ef45ccd15601b46c73ea5ac43e735
SHA1 161801c420f124d9d3935ef7e868a8f95bf3308d
SHA256 2f23cb7e3ddc0909607fc7251ceedfa3f3600f86de619435e46355a944341129
SHA512 3250acfa89e52724315fff95a2b2486a0ca50aa6d2ad789b580f36dba4f345e1be649d83b60f5da7ef996fac1ffbf05f12e35f56c0664a78aac37f6b90b2c538

memory/2748-207-0x000000013FB50000-0x00000001407B2000-memory.dmp

memory/572-212-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Roaming\hjssaet

MD5 762c43c78ccf4d3b35574149b834f7a7
SHA1 b024585ab11a867a05b97f4de4336c14bb4e54e5
SHA256 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
SHA512 83d45a68b4c2a4c9b4ac55a5aa1f66e5dfd84328535f5ada2830592cc7745b6ff39aa57aefe715c9bebab552f569fce1216b8689a85cb3be3d8661e6b2a1f827

memory/2620-231-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/2620-232-0x0000000000400000-0x0000000000474000-memory.dmp

memory/2620-238-0x0000000000400000-0x0000000000474000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 05:07

Reported

2024-03-14 05:12

Platform

win10-20240221-en

Max time kernel

230s

Max time network

286s

Command Line

C:\Windows\Explorer.EXE

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3ebee9b7-312e-40bc-9f3d-217292991451\\E73.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E73.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect Vidar Stealer

stealer

Detect ZGRat V1

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Vidar

stealer vidar

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url C:\Windows\SYSTEM32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url C:\Windows\SYSTEM32\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quantifyr.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quantifyr.url C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E73.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E73.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1A2C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E73.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E73.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\218D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6DD9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D85D.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\jgestfd N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E9A4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19943\Http.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19999\Deck.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19943\Http.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19999\RegAsm.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2772066395-907917261-1982757236-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3ebee9b7-312e-40bc-9f3d-217292991451\\E73.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E73.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1148 set thread context of 3744 N/A C:\Users\Admin\AppData\Local\Temp\E73.exe C:\Users\Admin\AppData\Local\Temp\E73.exe
PID 3776 set thread context of 1692 N/A C:\Users\Admin\AppData\Local\Temp\E73.exe C:\Users\Admin\AppData\Local\Temp\E73.exe
PID 512 set thread context of 768 N/A C:\Users\Admin\AppData\Local\Temp\1A2C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2164 set thread context of 488 N/A C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe
PID 2392 set thread context of 4360 N/A C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe
PID 1720 set thread context of 1128 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 4688 set thread context of 2588 N/A C:\Users\Admin\AppData\Local\Temp\D85D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3292 set thread context of 816 N/A C:\Users\Admin\AppData\Local\Temp\6DD9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 364 set thread context of 3592 N/A C:\Users\Admin\AppData\Local\Temp\19943\Http.pif C:\Users\Admin\AppData\Local\Temp\19943\Http.pif
PID 3592 set thread context of 2376 N/A C:\Users\Admin\AppData\Local\Temp\19943\Http.pif C:\Windows\system32\svchost.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\jgestfd N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\jgestfd N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\jgestfd N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A (2 identical events)
N/A N/A C:\Windows\Explorer.EXE N/A (62 identical events)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\jgestfd N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1A2C.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D85D.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19999\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3372 wrote to memory of 2024 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe (2 identical events)
PID 2024 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 identical events)
PID 3372 wrote to memory of 1148 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E73.exe (3 identical events)
PID 1148 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\E73.exe C:\Users\Admin\AppData\Local\Temp\E73.exe (10 identical events)
PID 3744 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\E73.exe C:\Windows\SysWOW64\icacls.exe (3 identical events)
PID 3372 wrote to memory of 512 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1A2C.exe (3 identical events)
PID 3744 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\E73.exe C:\Users\Admin\AppData\Local\Temp\E73.exe (3 identical events)
PID 3776 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\E73.exe C:\Users\Admin\AppData\Local\Temp\E73.exe (10 identical events)
PID 512 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1A2C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (3 identical events)
PID 512 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\1A2C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (9 identical events)
PID 1692 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\E73.exe C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe (3 identical events)
PID 2164 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe (10 identical events)
PID 1692 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\E73.exe C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe (3 identical events)

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F82B.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\E73.exe

C:\Users\Admin\AppData\Local\Temp\E73.exe

C:\Users\Admin\AppData\Local\Temp\E73.exe

C:\Users\Admin\AppData\Local\Temp\E73.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\3ebee9b7-312e-40bc-9f3d-217292991451" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1A2C.exe

C:\Users\Admin\AppData\Local\Temp\1A2C.exe

C:\Users\Admin\AppData\Local\Temp\E73.exe

"C:\Users\Admin\AppData\Local\Temp\E73.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E73.exe

"C:\Users\Admin\AppData\Local\Temp\E73.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1228

C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe

"C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe"

C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe

"C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe"

C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe

"C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 488 -s 1440

C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe

"C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\FBB4.exe

C:\Users\Admin\AppData\Local\Temp\FBB4.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FDC8.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 988

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\218D.exe

C:\Users\Admin\AppData\Local\Temp\218D.exe

C:\Users\Admin\AppData\Local\Temp\6DD9.exe

C:\Users\Admin\AppData\Local\Temp\6DD9.exe

C:\Users\Admin\AppData\Local\Temp\AA28.exe

C:\Users\Admin\AppData\Local\Temp\AA28.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Jeffrey Jeffrey.bat & Jeffrey.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 19943

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Sitemap + Sublimedirectory + Cow + Rss + Josh 19943\Http.pif

C:\Users\Admin\AppData\Local\Temp\D85D.exe

C:\Users\Admin\AppData\Local\Temp\D85D.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Cdt + Thumbnail + Powers + Tamil + Capabilities + Novel + Cos + Breach + Canal + Hobby + Debut + Patricia + Neural + Translations + Fist + Able + Warner + Shapes + Ancient + Plans + Greg + Go + Drain + Mpeg + Necessary + Robertson + Islam + Generations + Trim + Around + Companion + Maiden + Kills + Eat + Brunswick + Ww + Determines + Login + Heads + Wv + Vampire + Consequence + Tba 19943\F

C:\Users\Admin\AppData\Roaming\jgestfd

C:\Users\Admin\AppData\Roaming\jgestfd

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\E9A4.exe

C:\Users\Admin\AppData\Local\Temp\E9A4.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Closing Closing.bat & Closing.bat & exit

C:\Users\Admin\AppData\Local\Temp\19943\Http.pif

19943\Http.pif 19943\F

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SYSTEM32\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 19999

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Hint + Processing + Utils + Radar + Dealtime + Penalties 19999\Deck.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Risk + Bone 19999\g

C:\Users\Admin\AppData\Local\Temp\19999\Deck.pif

19999\Deck.pif 19999\g

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quantifyr.url" & echo URL="C:\Users\Admin\AppData\Local\TechWise Solutions Inc\Quantifyr.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quantifyr.url" & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\19943\Http.pif

C:\Users\Admin\AppData\Local\Temp\19943\Http.pif

C:\Users\Admin\AppData\Local\Temp\19999\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\19999\RegAsm.exe

C:\Windows\system32\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
US 8.8.8.8:53 149.150.94.81.in-addr.arpa udp
KR 220.125.3.190:80 sdfjhuz.com tcp
US 8.8.8.8:53 190.3.125.220.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 sportessentia.home.pl udp
PL 79.96.138.166:443 sportessentia.home.pl tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 166.138.96.79.in-addr.arpa udp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 theonlyreasonwhywe.pro udp
US 172.67.218.191:443 theonlyreasonwhywe.pro tcp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 8.8.8.8:53 wisemassiveharmonious.shop udp
US 104.21.80.130:443 wisemassiveharmonious.shop tcp
US 8.8.8.8:53 191.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 130.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 sajdfue.com udp
KR 220.125.3.190:80 sdfjhuz.com tcp
JM 63.143.98.185:80 sajdfue.com tcp
US 8.8.8.8:53 185.98.143.63.in-addr.arpa udp
JM 63.143.98.185:80 sajdfue.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 5.75.221.28:80 5.75.221.28 tcp
US 8.8.8.8:53 77.154.214.23.in-addr.arpa udp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 28.221.75.5.in-addr.arpa udp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 valowaves.com udp
US 104.21.51.243:443 valowaves.com tcp
US 8.8.8.8:53 243.51.21.104.in-addr.arpa udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 100.217.67.172.in-addr.arpa udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 nessotechbd.com udp
US 192.185.16.114:443 nessotechbd.com tcp
US 8.8.8.8:53 114.16.185.192.in-addr.arpa udp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
US 8.8.8.8:53 59.39.141.209.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
NL 142.250.179.142:443 drive.google.com tcp
NL 195.20.16.82:443 195.20.16.82 tcp
US 8.8.8.8:53 142.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 82.16.20.195.in-addr.arpa udp
US 8.8.8.8:53 safety.co.tz udp
US 67.227.213.152:443 safety.co.tz tcp
US 8.8.8.8:53 streamingplay.site udp
BR 45.152.46.72:443 streamingplay.site tcp
US 8.8.8.8:53 www.upload.ee udp
FR 51.91.30.159:443 www.upload.ee tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 152.213.227.67.in-addr.arpa udp
US 8.8.8.8:53 72.46.152.45.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 159.30.91.51.in-addr.arpa udp
FI 37.27.52.220:80 37.27.52.220 tcp
US 8.8.8.8:53 220.52.27.37.in-addr.arpa udp
US 8.8.8.8:53 gZrMmkMPXNMnXLftODCxOMCJtQlce.gZrMmkMPXNMnXLftODCxOMCJtQlce udp
US 8.8.8.8:53 LQYXtbvNMpzn.LQYXtbvNMpzn udp
TR 94.156.8.100:80 94.156.8.100 tcp
US 8.8.8.8:53 100.8.156.94.in-addr.arpa udp
US 8.8.8.8:53 torrentsports.co udp
US 3.33.130.190:7777 torrentsports.co tcp
US 8.8.8.8:53 xmr-us-west1.nanopool.org udp
US 149.28.212.250:10300 xmr-us-west1.nanopool.org tcp
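Most rows in the table above are resolver traffic: forward lookups to 8.8.8.8 and the sandbox's own reverse (in-addr.arpa / ip6.arpa) lookups of every peer. The rows that matter for triage are the TCP connections, and within those three groups stand out: peers on non-web ports (torrentsports.co on 7777, and xmr-us-west1.nanopool.org on 10300, a hostname that reads as a Monero mining pool), peers reached by literal IP with no DNS name, and names that were resolved but never connected to (the run of .shop/.fun/.pw domains), which is what rotated or already-dead C2 looks like. The script below parses the table and produces those three lists. It is an added example for this page, not report output; SAMPLE_TABLE is a subset of the rows above re-typed so the script runs offline, and the RESOLVERS and WEB_PORTS values are assumptions about this sandbox.

```python
"""
Triage a sandbox Network table: drop resolver noise, list the real TCP
peers and flag the rows worth a pivot.  Added example; SAMPLE_TABLE is a
subset of the report's rows, constructed here as offline input.
"""

SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.150.149:80 trad-einmyus.com tcp
US 8.8.8.8:53 149.150.94.81.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
DE 5.75.221.28:80 5.75.221.28 tcp
US 8.8.8.8:53 torrentsports.co udp
US 3.33.130.190:7777 torrentsports.co tcp
US 8.8.8.8:53 xmr-us-west1.nanopool.org udp
US 149.28.212.250:10300 xmr-us-west1.nanopool.org tcp
"""

# Assumed: the sandbox resolves through 8.8.8.8, so UDP/53 to it is a lookup, not C2.
RESOLVERS = {"8.8.8.8"}
# Assumed: loaders and stealers normally speak HTTP(S); any other TCP port needs a look.
WEB_PORTS = (80, 443)


def parse_rows(text):
    """Turn the whitespace-separated table into a list of row dicts."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) != 4:
            continue                            # tolerate blank or wrapped lines
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_lookup(row):
    return row["proto"] == "udp" and row["port"] == 53 and row["ip"] in RESOLVERS


def is_reverse_lookup(row):
    return row["domain"].endswith((".in-addr.arpa", ".ip6.arpa"))


def _unique(items):
    out = []
    for item in items:
        if item not in out:
            out.append(item)
    return out


def queried_domains(rows):
    """Forward DNS names the sample asked for, first-seen order, no duplicates."""
    return _unique(r["domain"] for r in rows if is_lookup(r) and not is_reverse_lookup(r))


def tcp_endpoints(rows):
    """Unique (ip, port, domain) triples the sample actually connected to over TCP."""
    return _unique((r["ip"], r["port"], r["domain"]) for r in rows if r["proto"] == "tcp")


def queried_but_not_contacted(rows):
    """Names resolved but never connected to: dead or rotated C2 candidates."""
    contacted = {domain for _, _, domain in tcp_endpoints(rows)}
    return [d for d in queried_domains(rows) if d not in contacted]


def unusual_ports(rows, expected=WEB_PORTS):
    """TCP peers on ports other than the expected web ports."""
    return [(domain, port) for _, port, domain in tcp_endpoints(rows) if port not in expected]


def bare_ip_peers(rows):
    """TCP peers reached by literal IP (the Domain column just repeats the address)."""
    return [(ip, port) for ip, port, domain in tcp_endpoints(rows) if domain == ip]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_TABLE)
    print("tcp peers:", tcp_endpoints(rows))
    print("non-web ports:", unusual_ports(rows))
    print("bare-IP peers:", bare_ip_peers(rows))
    print("resolved, never contacted:", queried_but_not_contacted(rows))
```

Run it over the full table and the resolved-but-never-contacted list is the longest of the three; those names are still worth blocking, since a later build of the stealer may rotate back to them, but the TCP peers on odd ports are the ones to chase first in proxy and firewall logs.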

Files

memory/3980-1-0x0000000000490000-0x0000000000590000-memory.dmp

memory/3980-2-0x00000000005E0000-0x00000000005EB000-memory.dmp

memory/3980-3-0x0000000000400000-0x0000000000474000-memory.dmp

memory/3372-4-0x00000000014C0000-0x00000000014D6000-memory.dmp

memory/3980-5-0x0000000000400000-0x0000000000474000-memory.dmp

memory/3980-8-0x00000000005E0000-0x00000000005EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F82B.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\E73.exe

MD5 607c81ba743760322e1b6d4a09f824b7
SHA1 cd29d301323484514a062b3cfc35c232678c84a5
SHA256 7cca9d86a545c0b50667713e3af1cc8ecd931d6f2d310b2e90f016c43ce7bdd4
SHA512 8e5996c99c8bb2b7ba93e0f6f2325b6c337a6f962513cead5e4fde7373be2acbb0cf7ea4cc902beba480adba51a7a12d838af9a65efd98fe2f91d67d97df6da1

memory/3744-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1148-25-0x0000000002460000-0x000000000257B000-memory.dmp

memory/3744-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1148-22-0x00000000023C0000-0x000000000245E000-memory.dmp

memory/3744-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3744-27-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1A2C.exe

MD5 c2d069064b987a905cb8684c437e392b
SHA1 fcd4abcf7b87b34c52a5628c0da3d3bda7042aba
SHA256 13c24b7f8102b24a65bb469a8fc7920e7645a65db014ddb01253fbc5d17b1685
SHA512 20ddbda93c478da4fa58b63b62bd367ba6eaf4c8ab97dcf2f4c8dad6cab79fe7e6a5a6898863521ff8b4a921d8c7e06709a69b35b1635f353a4a2ab9c31140ba

C:\Users\Admin\AppData\Local\Temp\1A2C.exe

MD5 b0500750ede1bc70901508bacc7ab0b8
SHA1 c6efe4c7b811e6c3eed32f2f70ae7a6ac847c2e8
SHA256 04ee06f5a05400d75674fae38ed7d2938468d096cee29f2c896aa8c610fbe5bc
SHA512 f09f5031d10fd2c65ec1d8937035902c2273f3f3f36e386142406ae0079fe6c7fbd68e7ea9c8001dedc119ef4d321ad37ff61069f8242806114e352a815c1be5

memory/512-47-0x0000000000030000-0x00000000000BE000-memory.dmp

memory/3744-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/512-48-0x0000000071DE0000-0x00000000724CE000-memory.dmp

memory/3776-49-0x00000000008C0000-0x0000000000960000-memory.dmp

memory/1692-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/512-53-0x0000000002480000-0x0000000002490000-memory.dmp

memory/1692-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1692-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/768-60-0x0000000000400000-0x000000000044B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 2a641e085111bb69969c12808d10481e
SHA1 b8862ef8c21533171243e90e6c950627a747ce32
SHA256 36b9987af8feac64e2c91698e885be08aabc9fc1f8b039012757981c1ce9ad6a
SHA512 bbf0677e026c151f41562ee375db425b702e1127c6187a91712a1d753d38304a4db8bb8094d9915b273327259ac84e686ed05b8556261ef17a9162c60ddfc543

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 2ff14fb732157b20816afe0e355cc84a
SHA1 a711e7eb1a3738b3303cab8789d4a2aca26b4243
SHA256 867370548e14283f78abcac4220f565ccd77dde9230844881ddb21274df4eb92
SHA512 397e43d4978431f15287f913f34ca463a93fa00b137123dc8a8ba12cb170afa818ceef93433986ea78231bbc8320eacc5f9d1ce50dcbafc696d8d600abb7ab80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a1c3776f5ce42d54c91289fc6d5e5ab7
SHA1 160a1a33c93ba6c971a56ec051690e40c050aeda
SHA256 1a3ce721b5c98a87bcb4e026cc57f686f38a784c0c78c74e40beb377811d9901
SHA512 fcb2ff957113dab5ef4fb42e251bf175d042553a7b2f24fc5b7375105aa57e0e61ee2d883e3a075ccf02044c94acac4d8855c62cda7123fd878aedac7cb4580c

memory/768-65-0x0000000000400000-0x000000000044B000-memory.dmp

memory/512-67-0x0000000071DE0000-0x00000000724CE000-memory.dmp

memory/512-68-0x00000000026A0000-0x00000000046A0000-memory.dmp

memory/768-69-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

memory/768-70-0x0000000000400000-0x000000000044B000-memory.dmp

memory/1692-71-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1692-72-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1692-76-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1692-81-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1692-82-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build2.exe

MD5 47704f454af8641dac1af2e2768d7881
SHA1 e3341bfdec84f69684aecde18cab2864519c7728
SHA256 a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64
SHA512 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25

memory/2164-88-0x00000000007A0000-0x00000000008A0000-memory.dmp

memory/2164-89-0x0000000002390000-0x00000000023C1000-memory.dmp

memory/488-90-0x0000000000400000-0x0000000000644000-memory.dmp

memory/488-93-0x0000000000400000-0x0000000000644000-memory.dmp

memory/488-94-0x0000000000400000-0x0000000000644000-memory.dmp

memory/1692-99-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\8e838598-468e-4f00-ad98-bcb1a1791355\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1692-101-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1692-108-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2392-113-0x0000000000940000-0x0000000000944000-memory.dmp

memory/4360-115-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4360-110-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2392-111-0x0000000000970000-0x0000000000A70000-memory.dmp

memory/4360-116-0x0000000000400000-0x0000000000406000-memory.dmp

memory/488-117-0x0000000000400000-0x0000000000644000-memory.dmp

memory/512-118-0x00000000026A0000-0x00000000046A0000-memory.dmp

memory/768-123-0x0000000000400000-0x000000000044B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FBB4.exe

MD5 9e52aa572f0afc888c098db4c0f687ff
SHA1 ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA256 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512 d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

memory/3568-140-0x0000000000980000-0x0000000001665000-memory.dmp

memory/3568-145-0x0000000001680000-0x0000000001681000-memory.dmp

memory/3568-146-0x0000000001690000-0x0000000001691000-memory.dmp

memory/3568-148-0x0000000000980000-0x0000000001665000-memory.dmp

memory/3568-149-0x00000000017D0000-0x00000000017D1000-memory.dmp

memory/3568-150-0x00000000017E0000-0x00000000017E1000-memory.dmp

memory/3568-151-0x0000000003370000-0x0000000003371000-memory.dmp

memory/3568-147-0x00000000017C0000-0x00000000017C1000-memory.dmp

memory/3568-153-0x0000000000980000-0x0000000001665000-memory.dmp

memory/3568-155-0x0000000003380000-0x00000000033C0000-memory.dmp

memory/3568-156-0x0000000003380000-0x00000000033C0000-memory.dmp

memory/3568-154-0x0000000003380000-0x00000000033C0000-memory.dmp

memory/3568-157-0x0000000003380000-0x00000000033C0000-memory.dmp

memory/3568-158-0x0000000003380000-0x00000000033C0000-memory.dmp

memory/3568-159-0x0000000000980000-0x0000000001665000-memory.dmp

memory/1720-169-0x0000000000940000-0x0000000000A40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\218D.exe

MD5 450039a02217c53bd983eaf1fd34505a
SHA1 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda
SHA256 d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0
SHA512 cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080

memory/1888-178-0x00007FF7696C0000-0x00007FF76A322000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6DD9.exe

MD5 4eda5246e489dfa5edadc1a46221b9b6
SHA1 5d11b441365ea64090f34c68b4cf47b9d2d701dc
SHA256 f141b5eee77d2391f8ff169914873e1219c2b47ebfde2b5bdfc0af7c6e08217b
SHA512 783b801030b15b53633509ed36c815d928a67e9c833d2c8a2cc368fda8a5b76386c34ca767636d0fd3d0262ee059af89784324701eac46f4867f8ea9e74f4625

memory/3292-186-0x0000000070DC0000-0x00000000714AE000-memory.dmp

memory/3292-187-0x0000000000810000-0x0000000000D64000-memory.dmp

memory/3292-188-0x00000000055D0000-0x000000000566C000-memory.dmp

memory/3292-189-0x0000000005700000-0x0000000005710000-memory.dmp

memory/3292-190-0x0000000005D30000-0x000000000625C000-memory.dmp

memory/1888-191-0x00007FF7696C0000-0x00007FF76A322000-memory.dmp

memory/3292-196-0x0000000070DC0000-0x00000000714AE000-memory.dmp

memory/3292-197-0x0000000005700000-0x0000000005710000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AA28.exe

MD5 7769e93085751e0b35729827dc22e8d5
SHA1 1d20bac0f5e0e8e28d466834463463cc911a5baa
SHA256 8dd36a9b8a11b166aab0584253115650ec392591e7958c0cba3f1adef483f402
SHA512 b3b658440f973b7e913681e645b21aa6c102fb4d43480f5e9952f756bfd42288bf2e56a4fef02929994d09cf82c857a7772eb1b6703ab69f924383a2ecdbe56c

C:\Users\Admin\AppData\Local\Temp\Jeffrey

MD5 e121db542d18a526f078c32fd2583af5
SHA1 69e677442ccb6d6fe1d2a3029cf44aac473f5f55
SHA256 fcaf08c62c974ca0fb7537213a7867ab0f9fb41e52dde118b758b7ea05f63ca2
SHA512 9d8c2bd284a624b68a2fafd93445648f69ffd47374f1d3cfd1857d2951bbc2a6cbe971fdb5e10d5f513dbb5188d59ee8e5715c86e3a1bf23e6df7feec960bebe

C:\Users\Admin\AppData\Local\Temp\Rss

MD5 decffdc214d187300d81458730076975
SHA1 0d26a032a42e2b1d6cce51c88262fb99d5d85045
SHA256 81c7087173132ecbecf5d04a7eefc5074d0d2fb54b46f48416f6a2e211a4e927
SHA512 615dcffeeaeaebe4d83aa5e8e31e7c48c2ef6ba60890ba92f09ba0b482e1b163e778c46134ed032ccaf1a0c77bfcd9b9391c7b0528b7e3a1274db0bbf4249c76

C:\Users\Admin\AppData\Local\Temp\Josh

MD5 dbb02def36f898899c81dbe071eaaf75
SHA1 ddd36cf26cffd70cdca8ffa36fc13097c56092c3
SHA256 431dfb2a32ca2bdc4f43a7d35521abceab83b069f7a63845e1eccc03133cc1ea
SHA512 115536f35f7e99919fd44742199aeebd17979e84bc8f531bbfd019f7641a838bbc8011b8df046563f16df269f6c5c8c7ab900db6f7918026fbe2366b4a88d3a1

C:\Users\Admin\AppData\Local\Temp\Sublimedirectory

MD5 9ac55fb2a8700521a9fc03c830483b45
SHA1 07d4aefbc148a0f3af2543f9dc9e07f0a1e9ebb6
SHA256 964d3d31f56f7147c8b25f0d26223808aaddc704d13749e282be5e75330c66e1
SHA512 ae2b430466ffb8fc4a9e943d514e812cb4f3d4db6260575c36ea5141ea9e0c28d5a92b2a2e85eb96757f87e2efe7412bb3ca5208c55373ce51f608321f0f2505

C:\Users\Admin\AppData\Local\Temp\Cow

MD5 3e929f7b28251914c43d3435f2f437dd
SHA1 9564974824f4fe1b9b6bdc5bd1e1065fc11678bc
SHA256 e870073c8d6fe150149ec7d7fba4e948f7efca3ed51c86fe81a86a60f7e906ad
SHA512 41919c496f7989fd7ae2c3d3b122ee69ec3c2f4c89bea0247f6b19b3d8b78fa4264b8733efc707cd98d25f68a15937e644f31eff36068035b0c94a790efd8478

C:\Users\Admin\AppData\Local\Temp\D85D.exe

MD5 d88c9297da5b7b0a3f96d33e6eca33e6
SHA1 808e8a222cd131679b4feda2834eaaa92f866143
SHA256 92a59655997ea6a17d871d12965738dfa1649751774129b4fbeea2bb01355723
SHA512 e854cf3f4e4b119e040e00d56adcd56749099ddcb1956433a31156afc88e643972b690917ac09deadb8860e5b6982d55085a372d4f509996ded7e5e3e1f05066

C:\Users\Admin\AppData\Local\Temp\Sitemap

MD5 9aa3fa871956c05e6c502841714a3ca3
SHA1 fe9b5580fd142b32ee94342e5403ff9454517f9e
SHA256 fdd3ef368438e0267bb64c89cee31fd6d4cd4207030ff12c14849ae3eb97ea32
SHA512 70046f0cd491c13d73a17969a325000c1daa303ee7c7b30fb56cee784002c9d309ff6aad2d9df30b9b80b3f257303a678a01050e24bf6ca92c563a27f0302873

C:\Users\Admin\AppData\Local\Temp\Cdt

MD5 ba823d75b6712149e7241d1c2f6695ef
SHA1 9f351074e85afc8254aaa5df0561377c8b68874c
SHA256 7d9468f4301186c054a25dd5290770a9acec5c3e03937a5a99ae17d0af786377
SHA512 563c98418647956e8892b855e6a9c9b5994e50f8a41c2857c0a06abf59151d729ad53676d38e1f6addd7186b3f707ce06a313f5a3482327624985f9f50bc8167

memory/4688-270-0x0000000000BE0000-0x0000000000C4C000-memory.dmp

memory/4688-271-0x0000000070DC0000-0x00000000714AE000-memory.dmp

C:\Users\Admin\AppData\Roaming\jgestfd

MD5 762c43c78ccf4d3b35574149b834f7a7
SHA1 b024585ab11a867a05b97f4de4336c14bb4e54e5
SHA256 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
SHA512 83d45a68b4c2a4c9b4ac55a5aa1f66e5dfd84328535f5ada2830592cc7745b6ff39aa57aefe715c9bebab552f569fce1216b8689a85cb3be3d8661e6b2a1f827

C:\Users\Admin\AppData\Local\Temp\Thumbnail

MD5 e68e0d804f78aadf2b7da5190971cc56
SHA1 b10f5a2dfc947cd7ecdc14bbf37ab4ceb5e1eaf9
SHA256 fe05a76fbb09e4fa60386db924b5bff738c3ce9be3bd0a1f9c082317c8c86bee
SHA512 e5600c6ab0f3d41b47c0b92f5e32a26eb42ca34392a9e1ba373e2b0b7f884ae4c47949dee26a05ba20a3467299f01b4e50aa2c2acd1a47f5152a83e2abfa7cda

memory/4688-277-0x0000000005680000-0x0000000005690000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Powers

MD5 0c851a1587662cb3c4b3f4e79b9d40e4
SHA1 405bcebd4ebefa55e2e51fd9a5f9a468f25020e5
SHA256 869aadd31861f94ebedb8c7601f310b4c87091c950040cb56115e83801955e26
SHA512 c9fa7643f8c0dda69eea577dcb3868f20f22c68f49e9726f2bd1cb9f4b134a31ea5d5fead51577ba29f795de394549396dff55432df232baba40f025ac2593c8

C:\Users\Admin\AppData\Local\Temp\Tamil

MD5 5b825ccfab154d5de20e806e687ecb89
SHA1 d311d7b23a70f5e1ba875e020d37e05a3a4c4552
SHA256 19d5510298ed882c13538159f6d600afb2b0cbca2e21307b23d4ffc7b951b436
SHA512 e31cac21acdd002e14b7e40cf0af6efb65ed3b803348d885ca2dc5d38b4b3b03b1548cb78258515a1cce9b6eccefa31fef02ed6212b0e9170c4e4ba71e9d8f03

C:\Users\Admin\AppData\Local\Temp\Capabilities

MD5 d34ef2c6ce15a8747df5431a864f0613
SHA1 fe62b64f13b149525066fe73f227df044255cddb
SHA256 879e43c64cb2cb8fcb5df47040d65e4127997f5b845d0a87692a632af3ae04b9
SHA512 0e0dfcd55a61c0d42a262cf1fbe7b29d4c10a60902986030d784aa9abdb60fd1e76ba7ca4a1e62b89a90c00b6d02874e827801faec8adcb113209152e4f77c24

C:\Users\Admin\AppData\Local\Temp\Novel

MD5 9c5c2a336e6c94e60e8ca1a981235806
SHA1 887ed6cee2cc4b3da3acceb5b0553b24ec0e6617
SHA256 7726ad699b2cfa9778d6dc2c289c9a4f46b0d9a7c5db2e39e76f18e43ac86070
SHA512 1aa7daea097f7064bfbeef2621c4d88b08c77af0b6047cb78f84d749f94a49674f72b007e7a8422407aa045a12dd72d74a53df50811a2ca6eefb2eaf3446c2fb

C:\Users\Admin\AppData\Local\Temp\Cos

MD5 c8599aa35a19083f6c5f80151f55315c
SHA1 3e315507bc934d0ebdf68328b5d60e7fcab41a3b
SHA256 339dbf69ba0f0dfbc7d4833ca4900017f2ab5999484e1194041a538589867e7f
SHA512 dc6d2169226606b2880f02cff18eeda182ed39dc55fd29626cfeb464c6c59fddb7f079bfc7386dc30f9fbc089fc8e40649f5b109fbbf172a2710cdd7814ecdf1

C:\Users\Admin\AppData\Local\Temp\Breach

MD5 9324e493902fe2c6ffcf04f088c34e08
SHA1 866c7b4c73f99f673dd3f2035e34d843c262f256
SHA256 6f50e1f49fca502dbab2f5d9b5ed372870222ba77e4317806a27bdd032dfd222
SHA512 c1d4bbd0444d2bbfb255766c846ec71623833b887609f995a09c95e323ec39137d74d8b55229055561fa2248418fd7cf28f531d467ed79f292f41518d3cee9e0

C:\Users\Admin\AppData\Local\Temp\Canal

MD5 c3a1a56b238bd452b6b59169cc99ec03
SHA1 88a35ade6f7f14e2df8d731317afc72612074a51
SHA256 a1f3e11d023c1b288bf20d8290fbb532397bcf5de9b5094ffd9e01faf15af90f
SHA512 163287a8864978a7de323e61e5a168b75e97dcd36e8448a00d05f2e8c00b2a9c878e372a56f12288bb92c86f89a6dd6d56ae0282fb09d919e7ffe85349643525

C:\Users\Admin\AppData\Local\Temp\Hobby

MD5 cd17d8568d3cb4f7a115c0c9657aa3c1
SHA1 389429708df886ee004b3d4c54cbb9a2e089859e
SHA256 ed71c9321bf22505bc8aeb4eada537151b1d0cce36d4a68a63c312e1d278be3d
SHA512 005277a31916c4f81780ede19a26e735a302db57f97b0c643ca1a959165b54f7c911a7ee1d1c79e0df599e9c201d3daa9f7cc48359367753fa152a04a739cd33

C:\Users\Admin\AppData\Local\Temp\Debut

MD5 309a79e7ee30ead5653c0e33c937bf20
SHA1 808165ca516179e0749cd74b57ebf2ec92e77a9e
SHA256 a8801707877eed3c2e26a3c17dfe73fa1f497e0c7c50510a2209752f2d28c233
SHA512 0bde1c86c60452f042d5d70962d1e78483ee33d69cee5a9fefc47681b9136ff4cf64ba2b2197f050d97f5ff26161e4b79981f1a848f25f48957f2660a706a6b8

C:\Users\Admin\AppData\Local\Temp\Patricia

MD5 d9bd01e58c378e5a43b47b93ccf11b30
SHA1 4f57381303c5cb2d6f0012d190ce11d696efde77
SHA256 df1836f2bef8704260148cc27c0f83b54e7bba141cb9274de315082f55983d1a
SHA512 4ed8db053adec650c71c34c843173bc2f25078ee37099ed91ad922ca57346dfd543949fe14d70b158aeabb0a0c69219548b44866c701cfe45e3c2954a1a00755

C:\Users\Admin\AppData\Local\Temp\Neural

MD5 4c5c9f5368402dd77d8f8e0c31951625
SHA1 719e5a648399121cf1402d36734631f95c723d18
SHA256 d7d7df376fcf36b624b6b7c42bac9e409997daf2533fb13b47df979080bd89d7
SHA512 1077177e69ca516d7fac2f48c650407007b05e6867140f0349779dc9e315da2291c8ecbf63d87533f86447c9920d83dbd1c509f9b97d6e653445cdd6661460ba

C:\Users\Admin\AppData\Local\Temp\E9A4.exe

MD5 0b776f9579e340fce2e18cd3b5eef8e0
SHA1 283de96a6871061d6b1187fc43d3de5998e95035
SHA256 e03e7e55363c77f1c4be074e331c58da08adde708f4e942e5375c60f25d5217c
SHA512 6babc5097202a7b5f0ad941db3aa4290c4cb4b69282afcd57343b1bea82799a9e266929af367be0defc80e8becbb712637224fa5b469e2ce7540a5949a60483c

C:\Users\Admin\AppData\Local\Temp\Translations

MD5 a40fabfc3d4fe0e77cf03156b0541015
SHA1 7a8c301d0a3834a212af25812cb9f51afa8425d4
SHA256 fb58698a4c4b63b75f32a80188681d5a7489ac856c2e4f66040ec75d86594864
SHA512 f34e5b24f65916dad8cb8bdb920b008b3110dc89f0fd7de378c1dde905738572921098286f2bcc8df1615a4f4dd638c28cef8decb0ae68a8bba29600dd249c11

memory/3292-293-0x0000000006360000-0x000000000659C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Fist

MD5 71afb2f733859a29cfcf25e58625284c
SHA1 248df6b7026fd2771dd65ed3b542ca0185dbb6dc
SHA256 d57110136c0fa135b3dd2f4b83d48af60fc8d918372aeec2a3eac0333135f120
SHA512 047874d945a67bda6f9e1bbeedf15e728be8ed212683f29dab0ee6d3d26a1265f1b3ab008e8b10c7c8bf6a5bf37f1ca637d54eb5ae99dd7ae67ff4fcdc16e5af

C:\Users\Admin\AppData\Local\Temp\Able

MD5 13fd06533f068d719a2b9f300096ca41
SHA1 f054659e3fb8516b759b8f819d12acb9c173ab6a
SHA256 b43ce17ba094fb6dbfffb9d06874f74f17acc0ca791d49fc2a0e83eeebda06f9
SHA512 f8cc9e163900c0594d2d76d0b8cc5a02399c15b68341ec7dd336abb754f7360b9b75623fa3666a1cf8df080e11ef1a759197076b0c7275701812e3b6e02c0422

memory/3292-296-0x0000000005AC0000-0x0000000005AD2000-memory.dmp

memory/4688-301-0x0000000002F00000-0x0000000004F00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E9A4.exe

MD5 b16867f255c015cad976d24f3051b45e
SHA1 9c178cbd142f36e8173e1e205cee265a06f9a8a7
SHA256 04dcb4e1c88684f790a211c69341525c02ad36185c03812d8d049473dd4cb803
SHA512 1b03d72cb0f1270aeee9d6b69b58a0a13d43f979db807304172cd99cc75fb5fcca1186ad00f52ac6b44f3ea5913e71f6ffc022776047e4cd6c122aa7873a572e

C:\Users\Admin\AppData\Local\Temp\Warner

MD5 f83e3a79f793337194e79e4bb5c3b073
SHA1 6d4ef4fc71fbabc6f56265388d87d997e47194dc
SHA256 e6c10154860c14f05f94129e411439105ea9da7fe9bb372b5cf107978aed6844
SHA512 5133a73e3c9da5cef73cd6504e2bdfad81517a1b3dd8e3bd970ad6c2ba8fd02e305cc7b0884771b313ce44fd181e685be5c21426ed1c6d098bace464c5a02775

C:\Users\Admin\AppData\Local\Temp\Shapes

MD5 7aaaa1a6965448912a128a631bbd06be
SHA1 d3917e8d8780c9296c6bba2066a3fccd08e04253
SHA256 f9dd85538a77f5e563a03d1d846b2ed4e447fc002c4a3f35f6630fb6b068bf85
SHA512 02f233fa2df94f057eb453a571e5ccbe882dafb71a5f65c5ad159ed1aa56157dcf25fb954b9340dd43de0e4413b89447bcb5b5664c6966185710df9802474b52

memory/4688-312-0x0000000070DC0000-0x00000000714AE000-memory.dmp

memory/2588-315-0x0000000000400000-0x000000000063B000-memory.dmp

memory/3292-319-0x00000000076E0000-0x0000000007872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ancient

MD5 a02c222cf530ee003a3893c4c78770c2
SHA1 bdaaf55f6f97ad1c4493f1bb7b683cb3f47aa0f3
SHA256 192ca40b43714d9220f9c753befa6b87c9d95ac36d2eea8b762c67e1267981b5
SHA512 1225b9d79b853801089c216e75afc3ec093337858cf54657a746c43e6392aa66f9fdbc922bc13472f41407947acde71d2a2cabbdbdd34241e56410d7d61b0368

C:\Users\Admin\AppData\Local\Temp\Plans

MD5 5e136f53a54f61eeb099c76021dba233
SHA1 1b9f5ffa3b8c1cf3a1ce8fe58786e2b3617825d3
SHA256 ed6ad54fc60499182bf34b7dd96c25c04ff155c33fbe205b2579deb03f15a041
SHA512 493110347fa229d48e4c6d8a735dc56bfa34d5da3b70d485c56ef35d47b92d694e0ba84784487168be98931699bcf019ff1d831f1dffc2fde1fd27aec7ae03a8

memory/3292-326-0x0000000005B20000-0x0000000005B30000-memory.dmp

memory/3292-330-0x0000000005700000-0x0000000005710000-memory.dmp

memory/3292-331-0x0000000007BE0000-0x0000000007CE0000-memory.dmp

memory/3292-328-0x0000000005700000-0x0000000005710000-memory.dmp

memory/3292-327-0x0000000005700000-0x0000000005710000-memory.dmp

memory/3292-334-0x0000000005700000-0x0000000005710000-memory.dmp

memory/816-338-0x0000000000400000-0x000000000063B000-memory.dmp

memory/3292-337-0x0000000070DC0000-0x00000000714AE000-memory.dmp

memory/3292-336-0x0000000007BE0000-0x0000000007CE0000-memory.dmp

memory/4676-371-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/4676-372-0x0000000000400000-0x0000000000474000-memory.dmp

memory/4676-396-0x0000000000400000-0x0000000000474000-memory.dmp

memory/2588-397-0x0000000000400000-0x000000000063B000-memory.dmp

memory/816-404-0x0000000000400000-0x000000000063B000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3888-424-0x0000000076F91000-0x00000000770A4000-memory.dmp

C:\ProgramData\CGHDAKKJ

MD5 ce732f4f447aa2f766cfbdf8a4f5e19e
SHA1 318043823c8dc77670f7dfa5b672b313321898fa
SHA256 b7cb765a763c053cded7e6e8cda3bcc581bbd10ac756abf495a265be80300191
SHA512 7ce0abbbeaf17458f864d4f39326f492320fa6e85524da3ce9d7dd991db4a10080780121dc5a6a755a515022d13f2894692fdc302385da285d8abc77738bafeb

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571