Malware Analysis Report

2025-01-02 11:07

Sample ID 240315-d2c22afc7s
Target toolspub1.exe
SHA256 adb8cfd47704d4fb436c600570e580a9a102460b640d0b863e5015e1f879a6df
Tags
amadey dcrat djvu smokeloader vidar 82df9629d6ef6fc7fe54d6eb2bc6137b pub1 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer trojan lumma stealc zgrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

adb8cfd47704d4fb436c600570e580a9a102460b640d0b863e5015e1f879a6df

Threat Level: Known bad

The file toolspub1.exe was found to be: Known bad.

Malicious Activity Summary

Stealc

Vidar

Lumma Stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

Djvu Ransomware

Amadey

ZGRat

Detect ZGRat V1

DcRat

Detected Djvu ransomware

Detect Vidar Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Checks BIOS information in registry

Checks computer location settings

Modifies file permissions

Reads user/profile data of web browsers

Identifies Wine through registry keys

Reads WinSCP keys stored on the system

Loads dropped DLL

Reads local data of messenger clients

Deletes itself

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Delays execution with timeout.exe

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Runs ping.exe

Enumerates processes with tasklist

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-15 03:29

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 03:29

Reported

2024-03-15 03:35

Platform

win7-20240215-en

Max time kernel

300s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\57a0e3b0-8c2a-4259-a58c-1bee619d3fdb\\DB04.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\DB04.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect Vidar Stealer

stealer

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9E57.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9E57.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9E57.exe N/A

Deletes itself

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9E57.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\57a0e3b0-8c2a-4259-a58c-1bee619d3fdb\\DB04.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\DB04.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9E57.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\9E57.exe N/A
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\AFC5.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9E57.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AFC5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2700 N/A N/A C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 2700 N/A N/A C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 2700 N/A N/A C:\Windows\system32\cmd.exe
PID 2700 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1204 wrote to memory of 2296 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 1204 wrote to memory of 2296 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 1204 wrote to memory of 2296 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 1204 wrote to memory of 2296 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2296 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2296 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2296 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2296 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2296 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2296 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2296 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2296 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2296 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2296 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2296 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2756 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Windows\SysWOW64\icacls.exe
PID 2756 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Windows\SysWOW64\icacls.exe
PID 2756 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Windows\SysWOW64\icacls.exe
PID 2756 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Windows\SysWOW64\icacls.exe
PID 2756 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2756 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2756 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2756 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2580 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2580 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2580 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2580 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2580 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2580 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2580 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2580 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2580 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2580 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 2580 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\Temp\DB04.exe
PID 1488 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1488 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1488 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1488 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1792 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1792 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1792 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1792 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1792 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1792 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1792 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1792 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1792 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1792 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1792 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
PID 1488 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe
PID 1488 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe
PID 1488 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe
PID 1488 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\DB04.exe C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe
PID 2372 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2372 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2372 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2372 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1204 wrote to memory of 1868 N/A N/A C:\Users\Admin\AppData\Local\Temp\22FD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\75AD.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\DB04.exe

C:\Users\Admin\AppData\Local\Temp\DB04.exe

C:\Users\Admin\AppData\Local\Temp\DB04.exe

C:\Users\Admin\AppData\Local\Temp\DB04.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\57a0e3b0-8c2a-4259-a58c-1bee619d3fdb" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\DB04.exe

"C:\Users\Admin\AppData\Local\Temp\DB04.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\DB04.exe

"C:\Users\Admin\AppData\Local\Temp\DB04.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe

"C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe"

C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe

"C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe"

C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe

"C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1436

C:\Users\Admin\AppData\Local\Temp\22FD.exe

C:\Users\Admin\AppData\Local\Temp\22FD.exe

C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe

"C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2A5E.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 124

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\3D91.exe

C:\Users\Admin\AppData\Local\Temp\3D91.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {37BFCC39-63DC-49A0-B0F2-A58FAFA30355} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\9E57.exe

C:\Users\Admin\AppData\Local\Temp\9E57.exe

C:\Users\Admin\AppData\Local\Temp\AFC5.exe

C:\Users\Admin\AppData\Local\Temp\AFC5.exe

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\248906074286_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
AR 186.13.17.220:80 sdfjhuz.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 sportessentia.home.pl udp
PL 79.96.138.166:443 sportessentia.home.pl tcp
PL 79.96.138.166:443 sportessentia.home.pl tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 172.67.139.220:443 api.2ip.ua tcp
AR 186.13.17.220:80 sdfjhuz.com tcp
US 8.8.8.8:53 sajdfue.com udp
KR 175.120.254.9:80 sajdfue.com tcp
KR 175.120.254.9:80 sajdfue.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 5.75.208.156:80 5.75.208.156 tcp
US 8.8.8.8:53 valowaves.com udp
US 172.67.192.62:443 valowaves.com tcp
US 8.8.8.8:53 nessotechbd.com udp
US 192.185.16.114:443 nessotechbd.com tcp
US 192.185.16.114:443 nessotechbd.com tcp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
NL 195.20.16.82:443 tcp
NL 195.20.16.82:443 tcp
US 8.8.8.8:53 lknusantararaya.com udp
ID 103.147.154.49:443 lknusantararaya.com tcp
ID 103.147.154.49:443 lknusantararaya.com tcp
US 8.8.8.8:53 streamingplay.site udp
BR 45.152.46.72:443 streamingplay.site tcp
BR 45.152.46.72:443 streamingplay.site tcp
US 8.8.8.8:53 www.upload.ee udp
FR 51.91.30.159:443 www.upload.ee tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
RU 185.215.113.45:80 185.215.113.45 tcp
US 8.8.8.8:53 topgamecheats.dev udp
BG 93.123.39.96:443 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp
BG 93.123.39.96:80 topgamecheats.dev tcp

Files

memory/2328-3-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2328-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2328-1-0x0000000000650000-0x0000000000750000-memory.dmp

memory/2328-5-0x0000000000400000-0x000000000047E000-memory.dmp

memory/1204-4-0x0000000002540000-0x0000000002556000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\75AD.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\DB04.exe

MD5 ae597691370226cc4354b9897415b115
SHA1 3e89b4b1d81cdae205ac96f151bf3dc0fe3337ae
SHA256 10f5ba78f4d86b82127e167fee1ea0e6b26dd087ecfe933bda24e5d2685ad675
SHA512 f2db423695272ea3519d6329965baf4f0eee6dda62820406ecafcc13385380cb6279c097a8a610163835a181f845ccac7982c7f867b90abc5b553968b3ac7f24

memory/2296-26-0x00000000002A0000-0x0000000000331000-memory.dmp

memory/2296-27-0x00000000002A0000-0x0000000000331000-memory.dmp

memory/2296-28-0x0000000000500000-0x000000000061B000-memory.dmp

memory/2756-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2756-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2756-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2756-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2756-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2580-60-0x00000000002A0000-0x0000000000331000-memory.dmp

memory/2580-62-0x00000000002A0000-0x0000000000331000-memory.dmp

memory/1488-68-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1488-69-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 1ca1869080d6da746f6c66ab9d704edc
SHA1 942b63817c494ba55e031cd2884c21913e487b85
SHA256 b6f45ad59cb275f5398a8da608d42ed6e86417f12a1ff5443a9b5169d99f905e
SHA512 41ec2de0b9c9a912cd2dd1b21cd85e3fe80ffe944fdef33c4a6a8861a0721742aefcbfebc7ee2e95f78f22635a1607dcac17331aec3ed7c641c4aff7e13c2fe2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d67fa48cf6cf5f1818b732ea24db1d6e
SHA1 44858909775b98c384307149a53b231f084427f6
SHA256 1dd5acc0e95a7e0a6eea0ce7e4ab2665c928db84a241f4006a06791343b84d27
SHA512 c89132c4ac4a3e34e37ba33d98347af7c6a0394eceafb043cfd99e5d41d68575287cc537831a3f42924c975f7716aa0c531c6f619fac2df1c17daca658b926a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fbc9d371d46e34300aea9d8125d59885
SHA1 627c8406f392928017212c4ace674e3c27888e83
SHA256 0dc293421b9ce20760ee7eda3a9f84092c83d385f911169971986e3f47f694ca
SHA512 6f3b9da84296c84c9ffdc99107e31bc2bbd5d6f7d216d3f4488a8082b8fc5117715ea7934fd921b5fc82bf4684e92990b90bd6e34fe48d657e2902dd790cb0a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af15bb9efc38a021280101669de05171
SHA1 b5f593d534126e9b0397d9ca6270394dd71e35b2
SHA256 eb897e4c6a95323c4f42e1e826fa0463da550404943e59324f09f6cc1a245dd6
SHA512 382ab1e2217a994f299781b53272dd593858558434719b9fbbd5f50f869b893245aff2c930311ba8720b0259ffe17ea5789f814a427d5b6837da44e732a453a6

C:\Users\Admin\AppData\Local\Temp\CabF69E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/1488-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1488-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1488-87-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1488-90-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1488-89-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1488-91-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe

MD5 47704f454af8641dac1af2e2768d7881
SHA1 e3341bfdec84f69684aecde18cab2864519c7728
SHA256 a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64
SHA512 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25

memory/1792-104-0x0000000000830000-0x0000000000930000-memory.dmp

memory/1792-107-0x0000000000230000-0x0000000000261000-memory.dmp

memory/2372-109-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2372-106-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2372-112-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2372-113-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar170B.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar18D5.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1488-177-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe

MD5 ebbe0c32c719c0f3f72fcb217fa9cfda
SHA1 e5183d4e2a58b0ae658d5f04c247eb5ccfb0f4f7
SHA256 325eb9bf1f0143aac56883efda6521f428947be6a894889e0ed20fe73ac2a2d9
SHA512 2a63b006329f1bb8ee6272826489921b87592a253541c75b0470e29b98fc183a59ab2f2c30e783fb19c19d1c63d4a892e5d56d727f46c3c92e85f23748c715cf

\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe

MD5 65eadfe36049a1c1bb7eec5cdb6c22cd
SHA1 ba23cebc9dc82c10279f520277e9982aecb674c7
SHA256 a1efdf37825a31663322bc0ccd014d560bde63b4a1d5e7ed04731f2b452340f9
SHA512 bff5bd244b44b70cec3a885f7d4c6ea661141e5ada85c77752c036b9c016328cd149ec4deb59a70d1b1ddcf278e6f2b7fd4e000ebd272da960b420017f794b92

\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe

MD5 16c1f28f013b2a2b92a9af1f88e19363
SHA1 4c07f50a006f3bd7f0de5de859bc3f53cf6baaa2
SHA256 beb8ccfeef87ee2c7302ca347aad72e7c9d47215764ea091e42e5694a0bd4207
SHA512 6ff674eea4159e52a50b487fe9b2f49b2445418e9a00bbb1092c3fdb74b234f275d549dfd1cdb22509b6dad823bcbf3770ea63476779a6037c086b81c33fdcfd

C:\Users\Admin\AppData\Local\Temp\22FD.exe

MD5 96553699d077b934404ddff84347c734
SHA1 5502fd60a2880a4785dab733516c406fbae7462b
SHA256 e1ec4771b5f00b2a07670d4c035e1f29a3902f2580e7447af8307cffae2f8743
SHA512 0308fd00c5a86e453d43c219e7dcf194c99fe7fafc75ae7fea58582debb0b0e7908e01419ab92dfa4c5937fb43125b02be893331f9bec2bb7e71d717b18b8cfb

memory/1868-187-0x0000000000260000-0x0000000000F45000-memory.dmp

memory/1868-192-0x0000000000090000-0x0000000000091000-memory.dmp

memory/1868-195-0x0000000000260000-0x0000000000F45000-memory.dmp

memory/1868-194-0x0000000000090000-0x0000000000091000-memory.dmp

memory/1868-197-0x0000000000090000-0x0000000000091000-memory.dmp

memory/1868-198-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1868-200-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1868-203-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1004-207-0x0000000000860000-0x0000000000960000-memory.dmp

memory/1004-211-0x00000000002A0000-0x00000000002A4000-memory.dmp

memory/2608-210-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1868-227-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2608-223-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1868-224-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/1868-221-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/1868-217-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/2608-216-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1868-212-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/2608-206-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\22FD.exe

MD5 2c5cb5845ec93ae56b667899f51bd435
SHA1 08e5c765fae5173117fa254b1462f6d956f68e5b
SHA256 8e0ad3f69a365e0d2c223dd4689986104eb0555a3da52d8578ba1564713cf870
SHA512 567304f750aacdf275b8fd1a0370935d00b3b82849a7009a70a2c9054a92330b46eb9dd839f494107bd098ded4e5a9b8a8c83d1d81937294ad9ee7ccefda5ca7

\Users\Admin\AppData\Local\Temp\22FD.exe

MD5 b3aa1f34aaa2c62f721e00a851bb2511
SHA1 c188db14d3c5796612c5f813255f6cf27754f2fa
SHA256 9b3ee17566d4270650bdfde752300f9b7aba49b56500b060ea36d9e64572bd39
SHA512 ade191eaa788f10d42c61e24b62963148b1e6f5b7bceae939dd90ddd4ce78ee9d1d6b645efdafde44f7ae1d14746c2dc1dffb39c269edaa60438e39fc8481932

memory/1868-247-0x00000000001A0000-0x00000000001A1000-memory.dmp

\Users\Admin\AppData\Local\Temp\22FD.exe

MD5 a0950f656d83e0b9d70a3170af9b82ed
SHA1 f2540e79110bb7728a2d79c96a3f698d8d7ef941
SHA256 024808e2de8cc2cc82fb14ba88387a612c737fba4f1f0444459da4b2f89943d8
SHA512 7e9adf6a84c1c3e700bfa1d63628ddf347079a6d3a785f59d63176979d94abc129386e63cd864aa058ef6d6f0e6dbf59440f679a786d8060bba00fc1504ed1da

\Users\Admin\AppData\Local\Temp\3D91.exe

MD5 450039a02217c53bd983eaf1fd34505a
SHA1 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda
SHA256 d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0
SHA512 cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080

memory/2372-257-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2380-265-0x0000000000912000-0x0000000000922000-memory.dmp

memory/1868-269-0x0000000000260000-0x0000000000F45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9E57.exe

MD5 9d0083e73b7f1785427cf958b044d493
SHA1 a9cd2490f78117f3484be517288e54c45e895e81
SHA256 f9204c9fe479089c8b9b9411f0f61363d08142da4301f70d796fcf0c633bf2ac
SHA512 67afa5eab7801dd0c3e201afab970bb7565caca9fd16aeb41b498b771147d583c20cca16840e6f193bd78e77320ee30af200bf6f34a6fc2053a09f5a13d5df87

memory/2028-280-0x0000000000990000-0x0000000000E48000-memory.dmp

memory/2028-281-0x0000000077790000-0x0000000077792000-memory.dmp

memory/2028-282-0x0000000000990000-0x0000000000E48000-memory.dmp

memory/2028-284-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/2028-285-0x0000000002450000-0x0000000002451000-memory.dmp

memory/2028-283-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/2028-286-0x0000000002640000-0x0000000002641000-memory.dmp

memory/2028-287-0x00000000008D0000-0x00000000008D1000-memory.dmp

memory/2028-288-0x0000000000980000-0x0000000000981000-memory.dmp

memory/2028-289-0x0000000002430000-0x0000000002431000-memory.dmp

memory/2028-290-0x00000000024A0000-0x00000000024A1000-memory.dmp

memory/2028-291-0x0000000002440000-0x0000000002441000-memory.dmp

memory/2028-292-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/2028-293-0x0000000002250000-0x0000000002251000-memory.dmp

memory/2028-294-0x00000000022A0000-0x00000000022A1000-memory.dmp

memory/2028-295-0x0000000002660000-0x0000000002661000-memory.dmp

memory/2028-297-0x00000000008E0000-0x00000000008E1000-memory.dmp

memory/2028-298-0x00000000028C0000-0x00000000028C1000-memory.dmp

memory/2028-304-0x0000000000990000-0x0000000000E48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AFC5.exe

MD5 0de19cd17462ea79db1a5e5fd1d7f59f
SHA1 d2b313dcfbda9a04475fc01182336b52846bbe3b
SHA256 c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b
SHA512 0aecaaa2d8488c3150b2349c260782c13619c5b871f7559496da8fa53e8a18a3fff39603d65516f53709c95108672fd08da8a1249b58aaba92c19ad80411d40c

memory/2884-315-0x0000000000580000-0x0000000000680000-memory.dmp

memory/2884-316-0x0000000000300000-0x000000000036F000-memory.dmp

memory/2884-317-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/2884-319-0x0000000000560000-0x0000000000561000-memory.dmp

memory/2884-333-0x0000000000580000-0x0000000000680000-memory.dmp

memory/2884-334-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1600-336-0x0000000000550000-0x0000000000650000-memory.dmp

memory/1600-337-0x0000000000400000-0x00000000004AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\248906074286

MD5 ed22e81031edb1686adc5ea1d117fb8b
SHA1 bf040bf52ad2475a3950a4d07c394a9614268c2d
SHA256 0eb8997e2bb230dfd5c61b4afe37d0742d6a8a1c9ccf6fcc39d15d195fe66ea6
SHA512 b16368b0327031fff2e55cede50054938f1483ab58c4e3d4373ebeb118863786bf39f293cb55af8e798bf76c9f56e5b26d7d037b0f59951339178120b596bdae

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 4876ee75ce2712147c41ff1277cd2d30
SHA1 3733dc92318f0c6b92cb201e49151686281acda6
SHA256 bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
SHA512 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 f7d8aaed58c64e5f02b9d3752203961b
SHA1 55a440d27321aaa8245d689c40aca3d0f56a7110
SHA256 2c2f098479f0cfc277e3acc1a43e1773594f1c6e6b04f9583e94864b2af2cafa
SHA512 f09d91613b50d44cefad7840d41c463cb30100b21bfc8a4866538ffeace85d44660086c4b0f7ea11786b9691870d9cae9084bd83b3088378333e9c90e4192307

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 13c083019bad31f57b7cc9c4f34dcd4a
SHA1 f441ff0e65023850f2328802290e4bc5b66e3715
SHA256 4140da939545fa1abf02d46f74d11e797a568a3d9a2f465901eba6ff6bcf9f0a
SHA512 b73d82a9012fe21a522169519c449598423375ce6a5b9704f4caf938f9978645145e8a49f99d8e68fdfd99a5a9b5094edb77a36f34aea8df56b4143142077787

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 b3d28b44bb49552823dbec80e8b9e101
SHA1 cb39a100c393338768e3b1f349929af0eee36cc4
SHA256 3a68d3c88ed041ceded28191ecbd9200ef0ab5d56510cca28d9fadb6036f3cef
SHA512 095263c81e1b5023803089b26de445300393301e719b385932074edf35360abe2e4a648ed7c11543edafbda2833e266ff8da86d7c0ad8c1921affed37efea2dc

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 f19bda82fb89691905fd5531324dda68
SHA1 ff287dbd2b0ea53cd3e6fbc2295b8317c9b94d1c
SHA256 4661aff5beaa0112bb39d559e4c16e322fcf640808b64915ee1fedee1b63b742
SHA512 3bc14bcac2f4b2a72db984eb1420f9902ba94b3d340dd4613ec3fe87b03f073eeb14043ace5463376161e4ee15c0dd26890ab3a3622dd77dd949f4cb99ff2638

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 de29361fc954c0d8f246b07f604dfd79
SHA1 eb93fa0a17e63d17dddf30c1b02a57572f9a7842
SHA256 7559fee7a9060bab61ce18c1379c2a834d6d07f0380cb55aaea2e5075ac1f9e0
SHA512 388d13ee795126411b8790ee5d267d83e92b5a50cb054029ea396cc42cb139fc503f17575f82bef2017d8d7256228a625cafad0b6ee772459457eba9bd96f14b

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 d161163fe82b1af7fdf8b3a50fd56852
SHA1 705bea905e197595051a1383449956d216ecfcad
SHA256 593c1414c55a35490f1404ac43462809006912b217bbdc5f79e40ab6da94b711
SHA512 5bd082c6e426085df2b1845b64d954e9c2c29eaf4dec222a7c9374af265f034e204a61216fa82c7e9047162d387e5c1d3d9db06874e6fc7e15ff1c73de5dfa35

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 684c2e52b33c5dddf791e7967fe9c404
SHA1 4a760a1301b6e78c340d8892dfe57cda9f16a0a8
SHA256 1983d9bce62dae7ae818c111e9ee7e1222631e5c9e6de7a682884523d1a18fd0
SHA512 58f664639ebe4d78e6a2fcd9ea80364a985f706fb62e87bd25f867ed9b16e398353925ecc5e17a03981bb30702c375f74df00a6240859df5289c11dc7f42368d

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 47a529ba6ea7a9f0186482116ae11e14
SHA1 f1c69a64f317cb6dbe2cc6a245ff4a6b90b4d9b5
SHA256 f7b823afa1a8437c222d50f4c053821a155c00a1548388225fd1c19625b26ca9
SHA512 d710500ef2257aa2af66f0e35781408e0666cb26e06be6d8d26bee8895b6998612469a407d9b0422d99de0a470377e5bea8edc4a17e08f894568e57e8b75c28a

memory/2676-377-0x0000000002990000-0x0000000002A10000-memory.dmp

memory/2676-376-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

memory/1600-378-0x0000000000550000-0x0000000000650000-memory.dmp

memory/2676-380-0x0000000002990000-0x0000000002A10000-memory.dmp

memory/2676-382-0x0000000000670000-0x0000000000678000-memory.dmp

memory/2676-381-0x000000001B600000-0x000000001B8E2000-memory.dmp

memory/1600-383-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/2676-384-0x0000000002990000-0x0000000002A10000-memory.dmp

memory/2676-385-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

MD5 ca684dc5ebed4381701a39f1cc3a0fb2
SHA1 8c4a375aa583bd1c705597a7f45fd18934276770
SHA256 b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2
SHA512 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510

memory/1568-413-0x00000000009B0000-0x0000000000AB0000-memory.dmp

memory/1900-442-0x0000000000990000-0x0000000000A90000-memory.dmp

memory/1900-454-0x0000000000990000-0x0000000000A90000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-15 03:29

Reported 2024-03-15 03:35

Platform win10v2004-20240226-en

Max time kernel 299s

Max time network 306s

Command Line

C:\Windows\Explorer.EXE

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6f4e52cf-af06-4d24-b054-7a5b30cea4ac\\E02F.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E02F.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4600 created 3392 N/A C:\Users\Admin\AppData\Local\Temp\21439\Http.pif C:\Windows\Explorer.EXE
PID 4600 created 3392 N/A C:\Users\Admin\AppData\Local\Temp\21439\Http.pif C:\Windows\Explorer.EXE

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E02F.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8F24.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url C:\Windows\SYSTEM32\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url C:\Windows\SYSTEM32\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6f4e52cf-af06-4d24-b054-7a5b30cea4ac\\E02F.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E02F.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9D4E.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\21439\Http.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\21439\Http.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\21439\Http.pif N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3392 wrote to memory of 3544 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3392 wrote to memory of 3544 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3544 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3544 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3392 wrote to memory of 4924 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 3392 wrote to memory of 4924 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 3392 wrote to memory of 4924 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 4924 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 4924 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 4924 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 4924 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 4924 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 4924 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 4924 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 4924 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 4924 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 4924 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 3392 wrote to memory of 4784 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EA14.exe
PID 3392 wrote to memory of 4784 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EA14.exe
PID 3392 wrote to memory of 4784 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EA14.exe
PID 4784 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\EA14.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4784 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\EA14.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4784 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\EA14.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4784 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\EA14.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4784 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\EA14.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4784 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\EA14.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4784 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\EA14.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4784 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\EA14.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4784 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\EA14.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4420 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Windows\SysWOW64\icacls.exe
PID 4420 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Windows\SysWOW64\icacls.exe
PID 4420 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Windows\SysWOW64\icacls.exe
PID 4420 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 4420 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 4420 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 724 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 724 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 724 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 724 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 724 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 724 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 724 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 724 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 724 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 724 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\E02F.exe C:\Users\Admin\AppData\Local\Temp\E02F.exe
PID 3392 wrote to memory of 1516 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F5B.exe
PID 3392 wrote to memory of 1516 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F5B.exe
PID 3392 wrote to memory of 1516 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F5B.exe
PID 3392 wrote to memory of 3132 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3392 wrote to memory of 3132 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3132 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3132 wrote to memory of 4552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3392 wrote to memory of 3060 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2527.exe
PID 3392 wrote to memory of 3060 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2527.exe
PID 3392 wrote to memory of 1072 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4916.exe
PID 3392 wrote to memory of 1072 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4916.exe
PID 3392 wrote to memory of 1072 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4916.exe
PID 1072 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\4916.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 1072 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\4916.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 1072 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\4916.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 1072 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\4916.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 1072 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\4916.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 1072 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\4916.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 1072 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\4916.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AB72.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\E02F.exe

C:\Users\Admin\AppData\Local\Temp\E02F.exe

C:\Users\Admin\AppData\Local\Temp\E02F.exe

C:\Users\Admin\AppData\Local\Temp\E02F.exe

C:\Users\Admin\AppData\Local\Temp\EA14.exe

C:\Users\Admin\AppData\Local\Temp\EA14.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6f4e52cf-af06-4d24-b054-7a5b30cea4ac" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\E02F.exe

"C:\Users\Admin\AppData\Local\Temp\E02F.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E02F.exe

"C:\Users\Admin\AppData\Local\Temp\E02F.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 8 -ip 8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1320 -ip 1320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1108

C:\Users\Admin\AppData\Local\Temp\F5B.exe

C:\Users\Admin\AppData\Local\Temp\F5B.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\16FD.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1516 -ip 1516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1172

C:\Users\Admin\AppData\Local\Temp\2527.exe

C:\Users\Admin\AppData\Local\Temp\2527.exe

C:\Users\Admin\AppData\Local\Temp\4916.exe

C:\Users\Admin\AppData\Local\Temp\4916.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1072 -ip 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 704

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\8F24.exe

C:\Users\Admin\AppData\Local\Temp\8F24.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Jeffrey Jeffrey.bat & Jeffrey.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Users\Admin\AppData\Local\Temp\9D4E.exe

C:\Users\Admin\AppData\Local\Temp\9D4E.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c md 21439

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Sitemap + Sublimedirectory + Cow + Rss + Josh 21439\Http.pif

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Cdt + Thumbnail + Powers + Tamil + Capabilities + Novel + Cos + Breach + Canal + Hobby + Debut + Patricia + Neural + Translations + Fist + Able + Warner + Shapes + Ancient + Plans + Greg + Go + Drain + Mpeg + Necessary + Robertson + Islam + Generations + Trim + Around + Companion + Maiden + Kills + Eat + Brunswick + Ww + Determines + Login + Heads + Wv + Vampire + Consequence + Tba 21439\F

C:\Users\Admin\AppData\Local\Temp\21439\Http.pif

21439\Http.pif 21439\F

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SYSTEM32\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F

C:\Users\Admin\AppData\Local\Temp\D566.exe

C:\Users\Admin\AppData\Local\Temp\D566.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Closing Closing.bat & Closing.bat & exit

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 20.231.121.79:80 - tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 197.159.94.81.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
CO 190.249.149.134:80 sdfjhuz.com tcp
US 8.8.8.8:53 134.149.249.190.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 sportessentia.home.pl udp
PL 79.96.138.166:443 sportessentia.home.pl tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 166.138.96.79.in-addr.arpa udp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
US 8.8.8.8:53 theonlyreasonwhywe.pro udp
US 172.67.218.191:443 theonlyreasonwhywe.pro tcp
US 8.8.8.8:53 191.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 wisemassiveharmonious.shop udp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 8.8.8.8:53 colorfulequalugliess.shop udp
US 104.21.19.68:443 colorfulequalugliess.shop tcp
US 8.8.8.8:53 68.19.21.104.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 8.8.8.8:53 100.217.67.172.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 8.8.8.8:53 valowaves.com udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 104.21.51.243:443 valowaves.com tcp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 243.51.21.104.in-addr.arpa udp
US 8.8.8.8:53 nessotechbd.com udp
US 192.185.16.114:443 nessotechbd.com tcp
US 8.8.8.8:53 114.16.185.192.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
US 8.8.8.8:53 59.39.141.209.in-addr.arpa udp
TR 94.156.8.100:80 94.156.8.100 tcp
US 8.8.8.8:53 100.8.156.94.in-addr.arpa udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
NL 195.20.16.82:443 195.20.16.82 tcp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 82.16.20.195.in-addr.arpa udp
US 8.8.8.8:53 lknusantararaya.com udp
ID 103.147.154.49:443 lknusantararaya.com tcp
US 8.8.8.8:53 49.154.147.103.in-addr.arpa udp
FI 37.27.52.220:80 37.27.52.220 tcp
US 8.8.8.8:53 220.52.27.37.in-addr.arpa udp
US 8.8.8.8:53 streamingplay.site udp
BR 45.152.46.72:443 streamingplay.site tcp
US 8.8.8.8:53 gZrMmkMPXNMnXLftODCxOMCJtQlce.gZrMmkMPXNMnXLftODCxOMCJtQlce udp
US 8.8.8.8:53 72.46.152.45.in-addr.arpa udp
US 8.8.8.8:53 www.upload.ee udp
FR 51.91.30.159:443 www.upload.ee tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 159.30.91.51.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
RU 185.215.113.45:80 - tcp

Files

memory/2448-1-0x00000000004B0000-0x00000000005B0000-memory.dmp

memory/2448-2-0x00000000005C0000-0x00000000005CB000-memory.dmp

memory/2448-3-0x0000000000400000-0x000000000047E000-memory.dmp

memory/3392-4-0x0000000002B30000-0x0000000002B46000-memory.dmp

memory/2448-5-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AB72.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\E02F.exe

MD5 ae597691370226cc4354b9897415b115
SHA1 3e89b4b1d81cdae205ac96f151bf3dc0fe3337ae
SHA256 10f5ba78f4d86b82127e167fee1ea0e6b26dd087ecfe933bda24e5d2685ad675
SHA512 f2db423695272ea3519d6329965baf4f0eee6dda62820406ecafcc13385380cb6279c097a8a610163835a181f845ccac7982c7f867b90abc5b553968b3ac7f24

memory/4924-20-0x0000000002140000-0x00000000021E1000-memory.dmp

memory/4924-21-0x0000000002240000-0x000000000235B000-memory.dmp

memory/4420-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4420-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4420-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4420-26-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA14.exe

MD5 e79d42e6b51653c6a459adc6e6cd0e7d
SHA1 19590e4efcea7b916825669075fb59de0aae0600
SHA256 3e1451fbd94c852f561fdb5332a5a8576d940d95b1a8cff4dfc0285bc9fc0b14
SHA512 17f70d269b7be8fe4d8fa2b5bca88188c318991ac168d54f37237bbacaf9804e8aa7e6b81a2320bcd61d2a109728461d8082cd69e6b0ed8f1f90600b1ecaed9f

memory/4784-32-0x0000000000B60000-0x0000000000BB6000-memory.dmp

memory/4784-33-0x0000000073DC0000-0x0000000074570000-memory.dmp

memory/1320-42-0x0000000000400000-0x000000000044B000-memory.dmp

memory/1320-45-0x0000000000400000-0x000000000044B000-memory.dmp

memory/4784-47-0x0000000002FE0000-0x0000000004FE0000-memory.dmp

memory/1320-49-0x00000000013C0000-0x00000000013C1000-memory.dmp

memory/1320-50-0x00000000013C0000-0x00000000013C1000-memory.dmp

memory/4784-48-0x0000000073DC0000-0x0000000074570000-memory.dmp

memory/1320-51-0x00000000013C0000-0x00000000013C1000-memory.dmp

memory/1320-52-0x0000000000400000-0x000000000044B000-memory.dmp

memory/4420-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/724-59-0x0000000002100000-0x000000000219D000-memory.dmp

memory/8-62-0x0000000000400000-0x0000000000537000-memory.dmp

memory/8-63-0x0000000000400000-0x0000000000537000-memory.dmp

memory/8-65-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1320-68-0x0000000000400000-0x000000000044B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F5B.exe

MD5 0be0a17590d577f254d3032b3e55ed77
SHA1 5f97217b7f571a5fcf27f86224181ec5674405d1
SHA256 379b89d18e0b54acb7b3c7d4358b0e55833e108972ff80cfbbc44711c0766d05
SHA512 aa3a19875e7729b07040f03f6f1a1b6848e415be0c51ee264a5c9c94b332eff63088b1bd6f131beea894c61cd795e1334037e429f636b4397ad1ef2e46dd3b18

C:\Users\Admin\AppData\Local\Temp\F5B.exe

MD5 59971e0cbf1cb93aa5ce3fe948836f7a
SHA1 835eba9008d9bc7145e195938f1edb78977b94db
SHA256 023b4aab7bf5c91594e90b53c1bceba31e13d292bf21a76586805a12f86e5f5e
SHA512 34a2d1ff453f694e9085edaf0eea9ac43ee32939ac5b7c3770389db33ae6a33be57de92bf826e3cc05e7d37687bb34829a6ddae955bc3e38dec5211c5fe575f1

memory/1516-73-0x0000000000CC0000-0x00000000019A5000-memory.dmp

memory/1516-83-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/1516-82-0x0000000000C90000-0x0000000000C91000-memory.dmp

memory/1516-81-0x0000000000C80000-0x0000000000C81000-memory.dmp

memory/1516-80-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/1516-85-0x0000000000CC0000-0x00000000019A5000-memory.dmp

memory/1516-79-0x0000000000930000-0x0000000000931000-memory.dmp

memory/1516-78-0x0000000000910000-0x0000000000911000-memory.dmp

memory/1516-86-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

memory/1516-87-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

memory/1516-89-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

memory/1516-88-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2527.exe

MD5 450039a02217c53bd983eaf1fd34505a
SHA1 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda
SHA256 d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0
SHA512 cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080

memory/1516-98-0x0000000000CC0000-0x00000000019A5000-memory.dmp

memory/3060-99-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp

memory/3060-100-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp

memory/3060-101-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp

memory/3060-102-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp

memory/3060-103-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp

memory/3060-104-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp

memory/3060-105-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4916.exe

MD5 ebd110f7c51bec7dc138185fb0e9876d
SHA1 e82c094acce5ffdf1eeb98932b08fcf0fef2490a
SHA256 0e9f713a96c015e027b70da5274d4162b6ca4b2e9bf2107825ce18c1493f8b96
SHA512 b653a8a9eec8d99f7ae11d4b6207c6d13e41e878de6744957822614097500ed22cbbf57bf94a063924ac90ba6c65e540b485970c0f38f33564f090ffab8248c9

C:\Users\Admin\AppData\Local\Temp\4916.exe

MD5 e8c918d901a15316bffed4bec9c77baf
SHA1 5052a34026024d2e47a0b2a773d4ba81be6560e8
SHA256 055e6a1b17e4ec26eeb00f264314492ad7ec08870054d31396a5c27ecfb74aa5
SHA512 f990fecf637f20323c8355d7dfb24b5731ece29011e3e6d514c58715f351dff2825c90eecacf8efad2c8390a4de80ae8da3a17ea362487ce0dc3548ffcd1a214

memory/1072-110-0x0000000075120000-0x00000000758D0000-memory.dmp

memory/1072-111-0x0000000000FE0000-0x0000000001534000-memory.dmp

memory/1072-112-0x0000000005D20000-0x0000000005D30000-memory.dmp

memory/1072-113-0x0000000005DF0000-0x0000000005E8C000-memory.dmp

memory/1072-114-0x0000000006500000-0x0000000006A2C000-memory.dmp

memory/3060-115-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp

memory/3060-116-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp

memory/1072-117-0x0000000075120000-0x00000000758D0000-memory.dmp

memory/1072-118-0x0000000005D20000-0x0000000005D30000-memory.dmp

memory/3060-119-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp

memory/1072-120-0x0000000006A30000-0x0000000006C6C000-memory.dmp

memory/1072-121-0x00000000061F0000-0x0000000006202000-memory.dmp

memory/1072-122-0x0000000007DB0000-0x0000000007F42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/1072-130-0x0000000005D20000-0x0000000005D30000-memory.dmp

memory/1072-129-0x0000000006260000-0x0000000006270000-memory.dmp

memory/1072-131-0x0000000005D20000-0x0000000005D30000-memory.dmp

memory/1072-128-0x0000000005D20000-0x0000000005D30000-memory.dmp

memory/1072-132-0x0000000005D20000-0x0000000005D30000-memory.dmp

memory/1072-133-0x0000000005D20000-0x0000000005D30000-memory.dmp

memory/1072-136-0x00000000082E0000-0x00000000083E0000-memory.dmp

memory/1072-134-0x0000000005D20000-0x0000000005D30000-memory.dmp

memory/2456-135-0x0000000000400000-0x000000000063B000-memory.dmp

memory/1072-137-0x00000000082E0000-0x00000000083E0000-memory.dmp

memory/2456-139-0x0000000000400000-0x000000000063B000-memory.dmp

memory/2456-141-0x0000000000400000-0x000000000063B000-memory.dmp

memory/1072-142-0x0000000075120000-0x00000000758D0000-memory.dmp

memory/3060-143-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp

memory/2456-144-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/2456-210-0x0000000000400000-0x000000000063B000-memory.dmp

memory/3060-211-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8F24.exe

MD5 7769e93085751e0b35729827dc22e8d5
SHA1 1d20bac0f5e0e8e28d466834463463cc911a5baa
SHA256 8dd36a9b8a11b166aab0584253115650ec392591e7958c0cba3f1adef483f402
SHA512 b3b658440f973b7e913681e645b21aa6c102fb4d43480f5e9952f756bfd42288bf2e56a4fef02929994d09cf82c857a7772eb1b6703ab69f924383a2ecdbe56c

C:\Users\Admin\AppData\Local\Temp\Jeffrey

MD5 e121db542d18a526f078c32fd2583af5
SHA1 69e677442ccb6d6fe1d2a3029cf44aac473f5f55
SHA256 fcaf08c62c974ca0fb7537213a7867ab0f9fb41e52dde118b758b7ea05f63ca2
SHA512 9d8c2bd284a624b68a2fafd93445648f69ffd47374f1d3cfd1857d2951bbc2a6cbe971fdb5e10d5f513dbb5188d59ee8e5715c86e3a1bf23e6df7feec960bebe

C:\Users\Admin\AppData\Local\Temp\9D4E.exe

MD5 d88c9297da5b7b0a3f96d33e6eca33e6
SHA1 808e8a222cd131679b4feda2834eaaa92f866143
SHA256 92a59655997ea6a17d871d12965738dfa1649751774129b4fbeea2bb01355723
SHA512 e854cf3f4e4b119e040e00d56adcd56749099ddcb1956433a31156afc88e643972b690917ac09deadb8860e5b6982d55085a372d4f509996ded7e5e3e1f05066

memory/3352-273-0x00000000009B0000-0x0000000000A1C000-memory.dmp

memory/3352-275-0x0000000073980000-0x0000000074130000-memory.dmp

memory/3352-276-0x0000000005310000-0x0000000005320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Sitemap

MD5 9aa3fa871956c05e6c502841714a3ca3
SHA1 fe9b5580fd142b32ee94342e5403ff9454517f9e
SHA256 fdd3ef368438e0267bb64c89cee31fd6d4cd4207030ff12c14849ae3eb97ea32
SHA512 70046f0cd491c13d73a17969a325000c1daa303ee7c7b30fb56cee784002c9d309ff6aad2d9df30b9b80b3f257303a678a01050e24bf6ca92c563a27f0302873

C:\Users\Admin\AppData\Local\Temp\Sublimedirectory

MD5 9ac55fb2a8700521a9fc03c830483b45
SHA1 07d4aefbc148a0f3af2543f9dc9e07f0a1e9ebb6
SHA256 964d3d31f56f7147c8b25f0d26223808aaddc704d13749e282be5e75330c66e1
SHA512 ae2b430466ffb8fc4a9e943d514e812cb4f3d4db6260575c36ea5141ea9e0c28d5a92b2a2e85eb96757f87e2efe7412bb3ca5208c55373ce51f608321f0f2505

C:\Users\Admin\AppData\Local\Temp\Josh

MD5 dbb02def36f898899c81dbe071eaaf75
SHA1 ddd36cf26cffd70cdca8ffa36fc13097c56092c3
SHA256 431dfb2a32ca2bdc4f43a7d35521abceab83b069f7a63845e1eccc03133cc1ea
SHA512 115536f35f7e99919fd44742199aeebd17979e84bc8f531bbfd019f7641a838bbc8011b8df046563f16df269f6c5c8c7ab900db6f7918026fbe2366b4a88d3a1

C:\Users\Admin\AppData\Local\Temp\Rss

MD5 decffdc214d187300d81458730076975
SHA1 0d26a032a42e2b1d6cce51c88262fb99d5d85045
SHA256 81c7087173132ecbecf5d04a7eefc5074d0d2fb54b46f48416f6a2e211a4e927
SHA512 615dcffeeaeaebe4d83aa5e8e31e7c48c2ef6ba60890ba92f09ba0b482e1b163e778c46134ed032ccaf1a0c77bfcd9b9391c7b0528b7e3a1274db0bbf4249c76

C:\Users\Admin\AppData\Local\Temp\Cow

MD5 3e929f7b28251914c43d3435f2f437dd
SHA1 9564974824f4fe1b9b6bdc5bd1e1065fc11678bc
SHA256 e870073c8d6fe150149ec7d7fba4e948f7efca3ed51c86fe81a86a60f7e906ad
SHA512 41919c496f7989fd7ae2c3d3b122ee69ec3c2f4c89bea0247f6b19b3d8b78fa4264b8733efc707cd98d25f68a15937e644f31eff36068035b0c94a790efd8478

memory/3352-288-0x0000000002D60000-0x0000000004D60000-memory.dmp

memory/4804-291-0x0000000000400000-0x000000000063B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cdt

MD5 ba823d75b6712149e7241d1c2f6695ef
SHA1 9f351074e85afc8254aaa5df0561377c8b68874c
SHA256 7d9468f4301186c054a25dd5290770a9acec5c3e03937a5a99ae17d0af786377
SHA512 563c98418647956e8892b855e6a9c9b5994e50f8a41c2857c0a06abf59151d729ad53676d38e1f6addd7186b3f707ce06a313f5a3482327624985f9f50bc8167

C:\Users\Admin\AppData\Local\Temp\Thumbnail

MD5 e68e0d804f78aadf2b7da5190971cc56
SHA1 b10f5a2dfc947cd7ecdc14bbf37ab4ceb5e1eaf9
SHA256 fe05a76fbb09e4fa60386db924b5bff738c3ce9be3bd0a1f9c082317c8c86bee
SHA512 e5600c6ab0f3d41b47c0b92f5e32a26eb42ca34392a9e1ba373e2b0b7f884ae4c47949dee26a05ba20a3467299f01b4e50aa2c2acd1a47f5152a83e2abfa7cda

C:\Users\Admin\AppData\Local\Temp\Tamil

MD5 5b825ccfab154d5de20e806e687ecb89
SHA1 d311d7b23a70f5e1ba875e020d37e05a3a4c4552
SHA256 19d5510298ed882c13538159f6d600afb2b0cbca2e21307b23d4ffc7b951b436
SHA512 e31cac21acdd002e14b7e40cf0af6efb65ed3b803348d885ca2dc5d38b4b3b03b1548cb78258515a1cce9b6eccefa31fef02ed6212b0e9170c4e4ba71e9d8f03

C:\Users\Admin\AppData\Local\Temp\Powers

MD5 0c851a1587662cb3c4b3f4e79b9d40e4
SHA1 405bcebd4ebefa55e2e51fd9a5f9a468f25020e5
SHA256 869aadd31861f94ebedb8c7601f310b4c87091c950040cb56115e83801955e26
SHA512 c9fa7643f8c0dda69eea577dcb3868f20f22c68f49e9726f2bd1cb9f4b134a31ea5d5fead51577ba29f795de394549396dff55432df232baba40f025ac2593c8

C:\Users\Admin\AppData\Local\Temp\Capabilities

MD5 d34ef2c6ce15a8747df5431a864f0613
SHA1 fe62b64f13b149525066fe73f227df044255cddb
SHA256 879e43c64cb2cb8fcb5df47040d65e4127997f5b845d0a87692a632af3ae04b9
SHA512 0e0dfcd55a61c0d42a262cf1fbe7b29d4c10a60902986030d784aa9abdb60fd1e76ba7ca4a1e62b89a90c00b6d02874e827801faec8adcb113209152e4f77c24

C:\Users\Admin\AppData\Local\Temp\Novel

MD5 9c5c2a336e6c94e60e8ca1a981235806
SHA1 887ed6cee2cc4b3da3acceb5b0553b24ec0e6617
SHA256 7726ad699b2cfa9778d6dc2c289c9a4f46b0d9a7c5db2e39e76f18e43ac86070
SHA512 1aa7daea097f7064bfbeef2621c4d88b08c77af0b6047cb78f84d749f94a49674f72b007e7a8422407aa045a12dd72d74a53df50811a2ca6eefb2eaf3446c2fb

C:\Users\Admin\AppData\Local\Temp\Cos

MD5 c8599aa35a19083f6c5f80151f55315c
SHA1 3e315507bc934d0ebdf68328b5d60e7fcab41a3b
SHA256 339dbf69ba0f0dfbc7d4833ca4900017f2ab5999484e1194041a538589867e7f
SHA512 dc6d2169226606b2880f02cff18eeda182ed39dc55fd29626cfeb464c6c59fddb7f079bfc7386dc30f9fbc089fc8e40649f5b109fbbf172a2710cdd7814ecdf1

C:\Users\Admin\AppData\Local\Temp\Hobby

MD5 cd17d8568d3cb4f7a115c0c9657aa3c1
SHA1 389429708df886ee004b3d4c54cbb9a2e089859e
SHA256 ed71c9321bf22505bc8aeb4eada537151b1d0cce36d4a68a63c312e1d278be3d
SHA512 005277a31916c4f81780ede19a26e735a302db57f97b0c643ca1a959165b54f7c911a7ee1d1c79e0df599e9c201d3daa9f7cc48359367753fa152a04a739cd33

C:\Users\Admin\AppData\Local\Temp\Debut

MD5 309a79e7ee30ead5653c0e33c937bf20
SHA1 808165ca516179e0749cd74b57ebf2ec92e77a9e
SHA256 a8801707877eed3c2e26a3c17dfe73fa1f497e0c7c50510a2209752f2d28c233
SHA512 0bde1c86c60452f042d5d70962d1e78483ee33d69cee5a9fefc47681b9136ff4cf64ba2b2197f050d97f5ff26161e4b79981f1a848f25f48957f2660a706a6b8

C:\Users\Admin\AppData\Local\Temp\Canal

MD5 c3a1a56b238bd452b6b59169cc99ec03
SHA1 88a35ade6f7f14e2df8d731317afc72612074a51
SHA256 a1f3e11d023c1b288bf20d8290fbb532397bcf5de9b5094ffd9e01faf15af90f
SHA512 163287a8864978a7de323e61e5a168b75e97dcd36e8448a00d05f2e8c00b2a9c878e372a56f12288bb92c86f89a6dd6d56ae0282fb09d919e7ffe85349643525

C:\Users\Admin\AppData\Local\Temp\Breach

MD5 9324e493902fe2c6ffcf04f088c34e08
SHA1 866c7b4c73f99f673dd3f2035e34d843c262f256
SHA256 6f50e1f49fca502dbab2f5d9b5ed372870222ba77e4317806a27bdd032dfd222
SHA512 c1d4bbd0444d2bbfb255766c846ec71623833b887609f995a09c95e323ec39137d74d8b55229055561fa2248418fd7cf28f531d467ed79f292f41518d3cee9e0

C:\Users\Admin\AppData\Local\Temp\Patricia

MD5 d9bd01e58c378e5a43b47b93ccf11b30
SHA1 4f57381303c5cb2d6f0012d190ce11d696efde77
SHA256 df1836f2bef8704260148cc27c0f83b54e7bba141cb9274de315082f55983d1a
SHA512 4ed8db053adec650c71c34c843173bc2f25078ee37099ed91ad922ca57346dfd543949fe14d70b158aeabb0a0c69219548b44866c701cfe45e3c2954a1a00755

C:\Users\Admin\AppData\Local\Temp\Fist

MD5 71afb2f733859a29cfcf25e58625284c
SHA1 248df6b7026fd2771dd65ed3b542ca0185dbb6dc
SHA256 d57110136c0fa135b3dd2f4b83d48af60fc8d918372aeec2a3eac0333135f120
SHA512 047874d945a67bda6f9e1bbeedf15e728be8ed212683f29dab0ee6d3d26a1265f1b3ab008e8b10c7c8bf6a5bf37f1ca637d54eb5ae99dd7ae67ff4fcdc16e5af

C:\Users\Admin\AppData\Local\Temp\Go

MD5 b153dbfec41fa6a8b005978bc571befe
SHA1 9752d98549edff58b4c0ede5a654832c22f97d38
SHA256 f59cbe377d6d4df992d6caaa0ccbbe7a5506741c9e63a716a0284cb2ae720814
SHA512 eef43707eb9b7e047a8c8307ffac9ce4b1eb0383186280b9112eb278e4fb97c339e14cbbb334eaf9e13719280978a12c7d8d3615e8ab25e176530836799c002a

C:\Users\Admin\AppData\Local\Temp\Generations

MD5 bf36de53f9099fb8780cc1f08121ec9d
SHA1 0a3289cd4e8526291b1d78231801c71f62201134
SHA256 d83f481d8af694bddf44486601adc6960190380ba091f8ae468e0282d86aca96
SHA512 b66e6ee71e534156eab1fe0e8aa8311a3b41bef397b2bbd89d41a891e2f249a8b7af8c594951058a30751436da61272befd5f3797b3b5e7c8ee63c7901a7c6f8

C:\Users\Admin\AppData\Local\Temp\Brunswick

MD5 d9d300fcd0f6c260b49dc70799cb3ed5
SHA1 9f1c1ed5aba8635a35abf2705c9fa7e64c297f19
SHA256 e559f9fdef25eb57dc27c4ea285afd85aef5b3f4dc91f8ca94d195a347e02b9d
SHA512 d86cf2df5ce022b6724ebf45a720e26155da5415e1715f1ecc9bc135b66226aa851e09584220f3ceaf6b74267d99c2d5991299f5994c859f59a4847b94e8e9bf

C:\Users\Admin\AppData\Local\Temp\Eat

MD5 f3955d3be816c87209db5f1a76de0c84
SHA1 0381898c2fc21e02b8f913cc1083727a23936bcf
SHA256 c51346378e3a0cf5fafa09c0953b4559c140111d086d939c6b0f9adf497fa108
SHA512 935294f0c695fbec87509c48d48eb78325ddf5d7a98881b8bccc1469b73ca1a6e044cb9faabbb9c8f151a66bd72a9e10bc7cae821e019e24ae94601b65a6179a

C:\Users\Admin\AppData\Local\Temp\Kills

MD5 13dc546d0daadc9b174fa60d4e58bf4c
SHA1 5a62bb74dbf964a10b98890508389ffa01f4b423
SHA256 7b006fbcb0e8b1d4559be81f7e8e66d3e7025e0d8063b5c9b956f3712886bd21
SHA512 142d6afe9475b179f1bd75414c487f88695a741b92e0895725231510e2c0fab6121ea463ca3429e4c2e5af0725fd196e8f11137d490722c913105b7a611bb507

C:\Users\Admin\AppData\Local\Temp\Maiden

MD5 66362a1847593eb45b46b84215c52779
SHA1 61519bccdb7c3cbe547bcdadcb8ac81d638593fd
SHA256 83dba2694db89c8c473f401de7ac74391297428a5162283b4ce7581967bb3ea0
SHA512 9c568437f2870f258c77be39e724c9790d5f70ee35529aa79956bd70211267eeaf3d41b7b6eaedc1cc1c85d01ceeca7cd4991a13848a6489ff31acfe15dac23b

C:\Users\Admin\AppData\Local\Temp\Companion

MD5 529e8f5a689da689d3651e1c039bb324
SHA1 f9557b98debebc842274feb085712187a1d9cf37
SHA256 5a0e9f3158ba1c1ee5fa3423292993ab9fa1edbe1afa5aa4597a272534f1ef22
SHA512 610583262b7df4e3611f425813a57c10a5c6814b5a33864296bef83574b268858451b55d059f60660e89d2b683d489255f6dafe8b711f410e4935ff0c9a02d36

C:\Users\Admin\AppData\Local\Temp\Around

MD5 1de412303c8d8449cad0f64aec5dad0c
SHA1 3fc923a66906aea4c8e30358277f1ed3b723e15c
SHA256 37ea73ebc91feab33bea461c97c7495d260069041b9ee2e4526444cfb4035da3
SHA512 d56a13cd0648849e9a5f965f3b8eb9e00222408d8a5ee42a095e11c0be10f49782036c00e468d2ef26080bf6855e8794c8ee45bd7ec1b08166233691f619e9b1

C:\Users\Admin\AppData\Local\Temp\Trim

MD5 9806a4ee54225558e00a86e6f15ff6c7
SHA1 308c952352eda64d06c982ca826fba193c8dcf27
SHA256 5c9d5114e0f13978f10f4d726f2e585f049bf4dc2b735be00389476d2737dc9b
SHA512 657de9473896f623c6975a50618051e4b6a5098af4b69f9d20d5b736c70029548a4ac108d830b332ac9837f9a9902bdbf75f6560d61c7328706ccd09dbf76af4

C:\Users\Admin\AppData\Local\Temp\Islam

MD5 5e0c4a84587a2ba5295805c9623704a4
SHA1 1108e298b95830a0c0a265f89082a5412c11d865
SHA256 aafa12d671f2eba209cda92d296b29f1abdf359faa3e0f064b7626bf25d89acd
SHA512 2dab73ed3fae2c1f1ecb38aa1ebbbbe55326fa6bcd562cac2c4adc004e9ab1ccf392aa5c7741419452433b25ea4474508fa5ed65ff02ba01f0ec07b5589dfa08

C:\Users\Admin\AppData\Local\Temp\Robertson

MD5 547c335ac69f9da2f963745762672f44
SHA1 f9d6f6c943b91988020176a827f592f8f46f2670
SHA256 8a7e8e502a6041ccac7c06b222cabc9e7aa39523a1c5edc33097e5506b6ad3cc
SHA512 1a1561b11224c74dbe791ee12c67e74ecbb8f8d63720a392ea1f6c9f0b448ff226ae920253e6a00023db74963c83605c82822722b1cc3c2ed8bf6862b22f497c

C:\Users\Admin\AppData\Local\Temp\Necessary

MD5 d2635aadbd169174c362c0052a33e396
SHA1 601bf240df1f218670acda168020ba7736cf821c
SHA256 de7612db6d35cfd9670d56dfd6497802bbcda88c787e6b83b1438df598bd9e96
SHA512 0cdfb4d1560a01a6c5c1406ee7f2ac27229756a7bc35865a3437e05443b9e6eb9ed18c04131268d190c33d03a05c7190381be828c1208ecd0819bade943d2a58

C:\Users\Admin\AppData\Local\Temp\Mpeg

MD5 af66ed102029338945a5ae7af6e68867
SHA1 2a590d37a9e25203f41fe28be7b3702bdac34e28
SHA256 4f5603c2539d330e9576ab577fe08cd58e6a191620e962c570af439ec4808c6b
SHA512 83d5afa258752706ce85f5e57a59e04e0c8e2e856eb12d4e419237eaf2669bf1ffbd1ab87eabc34e0e7c3e4584a4288aa39285cfbfd398d04f8bd2248cf27609

C:\Users\Admin\AppData\Local\Temp\Drain

MD5 99667047563ffb1f92319045c1fa496f
SHA1 9eba1534190dac88d7231e00cf2372477479a262
SHA256 3f6dfc93ffd2c876839d824993a4234df1d16a3f0b5d284c66e32bc2264867ea
SHA512 e8d39f341df2decde92d2bf7066de6ccf3b3b2d6c4e57d353a60ee409fb7d54444d55e8c02a266da4ec94e719e149685120c72c6db7c35e863cef7f1f844c9d9

C:\Users\Admin\AppData\Local\Temp\Greg

MD5 265344b2c8ca35ae60227ff6639481f5
SHA1 49bf4e7aab05a697409a4cc8f04c5b2ed1e78e79
SHA256 349c58fc4a15001ff0875d2a9f797d536045804c99350e0f43203ade07c41b59
SHA512 2248bd383433d3dd541eb74f3e2404f83e1f379b11d9e7de9bf6903460cfba9b1955d089439883126ce6c08a67a3e12beb63126a74a1a86dc461ca8f232f442d

C:\Users\Admin\AppData\Local\Temp\Plans

MD5 5e136f53a54f61eeb099c76021dba233
SHA1 1b9f5ffa3b8c1cf3a1ce8fe58786e2b3617825d3
SHA256 ed6ad54fc60499182bf34b7dd96c25c04ff155c33fbe205b2579deb03f15a041
SHA512 493110347fa229d48e4c6d8a735dc56bfa34d5da3b70d485c56ef35d47b92d694e0ba84784487168be98931699bcf019ff1d831f1dffc2fde1fd27aec7ae03a8

C:\Users\Admin\AppData\Local\Temp\Ancient

MD5 a02c222cf530ee003a3893c4c78770c2
SHA1 bdaaf55f6f97ad1c4493f1bb7b683cb3f47aa0f3
SHA256 192ca40b43714d9220f9c753befa6b87c9d95ac36d2eea8b762c67e1267981b5
SHA512 1225b9d79b853801089c216e75afc3ec093337858cf54657a746c43e6392aa66f9fdbc922bc13472f41407947acde71d2a2cabbdbdd34241e56410d7d61b0368

C:\Users\Admin\AppData\Local\Temp\Shapes

MD5 7aaaa1a6965448912a128a631bbd06be
SHA1 d3917e8d8780c9296c6bba2066a3fccd08e04253
SHA256 f9dd85538a77f5e563a03d1d846b2ed4e447fc002c4a3f35f6630fb6b068bf85
SHA512 02f233fa2df94f057eb453a571e5ccbe882dafb71a5f65c5ad159ed1aa56157dcf25fb954b9340dd43de0e4413b89447bcb5b5664c6966185710df9802474b52

C:\Users\Admin\AppData\Local\Temp\Warner

MD5 f83e3a79f793337194e79e4bb5c3b073
SHA1 6d4ef4fc71fbabc6f56265388d87d997e47194dc
SHA256 e6c10154860c14f05f94129e411439105ea9da7fe9bb372b5cf107978aed6844
SHA512 5133a73e3c9da5cef73cd6504e2bdfad81517a1b3dd8e3bd970ad6c2ba8fd02e305cc7b0884771b313ce44fd181e685be5c21426ed1c6d098bace464c5a02775

C:\Users\Admin\AppData\Local\Temp\Able

MD5 13fd06533f068d719a2b9f300096ca41
SHA1 f054659e3fb8516b759b8f819d12acb9c173ab6a
SHA256 b43ce17ba094fb6dbfffb9d06874f74f17acc0ca791d49fc2a0e83eeebda06f9
SHA512 f8cc9e163900c0594d2d76d0b8cc5a02399c15b68341ec7dd336abb754f7360b9b75623fa3666a1cf8df080e11ef1a759197076b0c7275701812e3b6e02c0422

C:\Users\Admin\AppData\Local\Temp\Translations

MD5 a40fabfc3d4fe0e77cf03156b0541015
SHA1 7a8c301d0a3834a212af25812cb9f51afa8425d4
SHA256 fb58698a4c4b63b75f32a80188681d5a7489ac856c2e4f66040ec75d86594864
SHA512 f34e5b24f65916dad8cb8bdb920b008b3110dc89f0fd7de378c1dde905738572921098286f2bcc8df1615a4f4dd638c28cef8decb0ae68a8bba29600dd249c11

C:\Users\Admin\AppData\Local\Temp\Neural

MD5 4c5c9f5368402dd77d8f8e0c31951625
SHA1 719e5a648399121cf1402d36734631f95c723d18
SHA256 d7d7df376fcf36b624b6b7c42bac9e409997daf2533fb13b47df979080bd89d7
SHA512 1077177e69ca516d7fac2f48c650407007b05e6867140f0349779dc9e315da2291c8ecbf63d87533f86447c9920d83dbd1c509f9b97d6e653445cdd6661460ba

C:\ProgramData\EHCGIJDH

MD5 d8258cfea30050e289acf9aa882159f2
SHA1 26acf382025e2880308c3cb82ee11b935f52d6fa
SHA256 97f3a97af8aad5da47509b3b5639b85c82f5b67fb34193ef409c9bb84c2e334b
SHA512 caa184c63653b9b8be5b76833be8caf40d8a6804cc26b329d955e5b59e5cf75c0e9e654f5e4fef9fdb76536f43fe3d9a4017a3446f0610d6df61f3737f44a74a

C:\ProgramData\FCBAECGI

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84