Analysis Overview
SHA256
adb8cfd47704d4fb436c600570e580a9a102460b640d0b863e5015e1f879a6df
Threat Level: Known bad
The file toolspub1.exe was found to be: Known bad.
Malicious Activity Summary
Stealc
Vidar
Lumma Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
SmokeLoader
Djvu Ransomware
Amadey
ZGRat
Detect ZGRat V1
DcRat
Detected Djvu ransomware
Detect Vidar Stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Drops startup file
Checks BIOS information in registry
Checks computer location settings
Modifies file permissions
Reads user/profile data of web browsers
Identifies Wine through registry keys
Reads WinSCP keys stored on the system
Loads dropped DLL
Reads local data of messenger clients
Deletes itself
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Delays execution with timeout.exe
Checks processor information in registry
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Runs ping.exe
Enumerates processes with tasklist
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-15 03:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 03:29
Reported
2024-03-15 03:35
Platform
win7-20240215-en
Max time kernel
300s
Max time network
299s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\57a0e3b0-8c2a-4259-a58c-1bee619d3fdb\\DB04.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\DB04.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9E57.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9E57.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9E57.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\9E57.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\57a0e3b0-8c2a-4259-a58c-1bee619d3fdb\\DB04.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\DB04.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E57.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2296 set thread context of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\DB04.exe | C:\Users\Admin\AppData\Local\Temp\DB04.exe |
| PID 2580 set thread context of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\DB04.exe | C:\Users\Admin\AppData\Local\Temp\DB04.exe |
| PID 1792 set thread context of 2372 | N/A | C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe | C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe |
| PID 1004 set thread context of 2608 | N/A | C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe | C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe |
| PID 2380 set thread context of 2504 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| PID 1568 set thread context of 2292 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\9E57.exe | N/A |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\AFC5.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\22FD.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E57.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFC5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\75AD.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\DB04.exe
C:\Users\Admin\AppData\Local\Temp\DB04.exe
C:\Users\Admin\AppData\Local\Temp\DB04.exe
C:\Users\Admin\AppData\Local\Temp\DB04.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\57a0e3b0-8c2a-4259-a58c-1bee619d3fdb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\DB04.exe
"C:\Users\Admin\AppData\Local\Temp\DB04.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\DB04.exe
"C:\Users\Admin\AppData\Local\Temp\DB04.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
"C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe"
C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
"C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe"
C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe
"C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1436
C:\Users\Admin\AppData\Local\Temp\22FD.exe
C:\Users\Admin\AppData\Local\Temp\22FD.exe
C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe
"C:\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2A5E.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 124
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\3D91.exe
C:\Users\Admin\AppData\Local\Temp\3D91.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {37BFCC39-63DC-49A0-B0F2-A58FAFA30355} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\9E57.exe
C:\Users\Admin\AppData\Local\Temp\9E57.exe
C:\Users\Admin\AppData\Local\Temp\AFC5.exe
C:\Users\Admin\AppData\Local\Temp\AFC5.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\248906074286_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| AR | 186.13.17.220:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| AR | 186.13.17.220:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| KR | 175.120.254.9:80 | sajdfue.com | tcp |
| KR | 175.120.254.9:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| DE | 5.75.208.156:80 | 5.75.208.156 | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 172.67.192.62:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | nessotechbd.com | udp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| NL | 195.20.16.82:443 | | tcp |
| NL | 195.20.16.82:443 | | tcp |
| US | 8.8.8.8:53 | lknusantararaya.com | udp |
| ID | 103.147.154.49:443 | lknusantararaya.com | tcp |
| ID | 103.147.154.49:443 | lknusantararaya.com | tcp |
| US | 8.8.8.8:53 | streamingplay.site | udp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| US | 8.8.8.8:53 | www.upload.ee | udp |
| FR | 51.91.30.159:443 | www.upload.ee | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| RU | 185.215.113.45:80 | 185.215.113.45 | tcp |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:443 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
Files
memory/2328-3-0x0000000000400000-0x000000000047E000-memory.dmp
memory/2328-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2328-1-0x0000000000650000-0x0000000000750000-memory.dmp
memory/2328-5-0x0000000000400000-0x000000000047E000-memory.dmp
memory/1204-4-0x0000000002540000-0x0000000002556000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\75AD.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\DB04.exe
| MD5 | ae597691370226cc4354b9897415b115 |
| SHA1 | 3e89b4b1d81cdae205ac96f151bf3dc0fe3337ae |
| SHA256 | 10f5ba78f4d86b82127e167fee1ea0e6b26dd087ecfe933bda24e5d2685ad675 |
| SHA512 | f2db423695272ea3519d6329965baf4f0eee6dda62820406ecafcc13385380cb6279c097a8a610163835a181f845ccac7982c7f867b90abc5b553968b3ac7f24 |
memory/2296-26-0x00000000002A0000-0x0000000000331000-memory.dmp
memory/2296-27-0x00000000002A0000-0x0000000000331000-memory.dmp
memory/2296-28-0x0000000000500000-0x000000000061B000-memory.dmp
memory/2756-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2756-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2756-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2756-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2756-58-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2580-60-0x00000000002A0000-0x0000000000331000-memory.dmp
memory/2580-62-0x00000000002A0000-0x0000000000331000-memory.dmp
memory/1488-68-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1488-69-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 1ca1869080d6da746f6c66ab9d704edc |
| SHA1 | 942b63817c494ba55e031cd2884c21913e487b85 |
| SHA256 | b6f45ad59cb275f5398a8da608d42ed6e86417f12a1ff5443a9b5169d99f905e |
| SHA512 | 41ec2de0b9c9a912cd2dd1b21cd85e3fe80ffe944fdef33c4a6a8861a0721742aefcbfebc7ee2e95f78f22635a1607dcac17331aec3ed7c641c4aff7e13c2fe2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | d67fa48cf6cf5f1818b732ea24db1d6e |
| SHA1 | 44858909775b98c384307149a53b231f084427f6 |
| SHA256 | 1dd5acc0e95a7e0a6eea0ce7e4ab2665c928db84a241f4006a06791343b84d27 |
| SHA512 | c89132c4ac4a3e34e37ba33d98347af7c6a0394eceafb043cfd99e5d41d68575287cc537831a3f42924c975f7716aa0c531c6f619fac2df1c17daca658b926a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | fbc9d371d46e34300aea9d8125d59885 |
| SHA1 | 627c8406f392928017212c4ace674e3c27888e83 |
| SHA256 | 0dc293421b9ce20760ee7eda3a9f84092c83d385f911169971986e3f47f694ca |
| SHA512 | 6f3b9da84296c84c9ffdc99107e31bc2bbd5d6f7d216d3f4488a8082b8fc5117715ea7934fd921b5fc82bf4684e92990b90bd6e34fe48d657e2902dd790cb0a5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | af15bb9efc38a021280101669de05171 |
| SHA1 | b5f593d534126e9b0397d9ca6270394dd71e35b2 |
| SHA256 | eb897e4c6a95323c4f42e1e826fa0463da550404943e59324f09f6cc1a245dd6 |
| SHA512 | 382ab1e2217a994f299781b53272dd593858558434719b9fbbd5f50f869b893245aff2c930311ba8720b0259ffe17ea5789f814a427d5b6837da44e732a453a6 |
C:\Users\Admin\AppData\Local\Temp\CabF69E.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/1488-82-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1488-83-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1488-87-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1488-90-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1488-89-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1488-91-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
| MD5 | 47704f454af8641dac1af2e2768d7881 |
| SHA1 | e3341bfdec84f69684aecde18cab2864519c7728 |
| SHA256 | a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64 |
| SHA512 | 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25 |
memory/1792-104-0x0000000000830000-0x0000000000930000-memory.dmp
memory/1792-107-0x0000000000230000-0x0000000000261000-memory.dmp
memory/2372-109-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2372-106-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2372-112-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2372-113-0x0000000000400000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar170B.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar18D5.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1488-177-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
| MD5 | ebbe0c32c719c0f3f72fcb217fa9cfda |
| SHA1 | e5183d4e2a58b0ae658d5f04c247eb5ccfb0f4f7 |
| SHA256 | 325eb9bf1f0143aac56883efda6521f428947be6a894889e0ed20fe73ac2a2d9 |
| SHA512 | 2a63b006329f1bb8ee6272826489921b87592a253541c75b0470e29b98fc183a59ab2f2c30e783fb19c19d1c63d4a892e5d56d727f46c3c92e85f23748c715cf |
\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
| MD5 | 65eadfe36049a1c1bb7eec5cdb6c22cd |
| SHA1 | ba23cebc9dc82c10279f520277e9982aecb674c7 |
| SHA256 | a1efdf37825a31663322bc0ccd014d560bde63b4a1d5e7ed04731f2b452340f9 |
| SHA512 | bff5bd244b44b70cec3a885f7d4c6ea661141e5ada85c77752c036b9c016328cd149ec4deb59a70d1b1ddcf278e6f2b7fd4e000ebd272da960b420017f794b92 |
\Users\Admin\AppData\Local\8687e26d-8c14-4ea8-b1d0-5b197a87add7\build2.exe
| MD5 | 16c1f28f013b2a2b92a9af1f88e19363 |
| SHA1 | 4c07f50a006f3bd7f0de5de859bc3f53cf6baaa2 |
| SHA256 | beb8ccfeef87ee2c7302ca347aad72e7c9d47215764ea091e42e5694a0bd4207 |
| SHA512 | 6ff674eea4159e52a50b487fe9b2f49b2445418e9a00bbb1092c3fdb74b234f275d549dfd1cdb22509b6dad823bcbf3770ea63476779a6037c086b81c33fdcfd |
C:\Users\Admin\AppData\Local\Temp\22FD.exe
| MD5 | 96553699d077b934404ddff84347c734 |
| SHA1 | 5502fd60a2880a4785dab733516c406fbae7462b |
| SHA256 | e1ec4771b5f00b2a07670d4c035e1f29a3902f2580e7447af8307cffae2f8743 |
| SHA512 | 0308fd00c5a86e453d43c219e7dcf194c99fe7fafc75ae7fea58582debb0b0e7908e01419ab92dfa4c5937fb43125b02be893331f9bec2bb7e71d717b18b8cfb |
memory/1868-187-0x0000000000260000-0x0000000000F45000-memory.dmp
memory/1868-192-0x0000000000090000-0x0000000000091000-memory.dmp
memory/1868-195-0x0000000000260000-0x0000000000F45000-memory.dmp
memory/1868-194-0x0000000000090000-0x0000000000091000-memory.dmp
memory/1868-197-0x0000000000090000-0x0000000000091000-memory.dmp
memory/1868-198-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1868-200-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1868-203-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1004-207-0x0000000000860000-0x0000000000960000-memory.dmp
memory/1004-211-0x00000000002A0000-0x00000000002A4000-memory.dmp
memory/2608-210-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1868-227-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2608-223-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1868-224-0x00000000000C0000-0x00000000000C1000-memory.dmp
memory/1868-221-0x00000000000C0000-0x00000000000C1000-memory.dmp
memory/1868-217-0x00000000000B0000-0x00000000000B1000-memory.dmp
memory/2608-216-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1868-212-0x00000000000B0000-0x00000000000B1000-memory.dmp
memory/2608-206-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
\Users\Admin\AppData\Local\Temp\22FD.exe
| MD5 | 2c5cb5845ec93ae56b667899f51bd435 |
| SHA1 | 08e5c765fae5173117fa254b1462f6d956f68e5b |
| SHA256 | 8e0ad3f69a365e0d2c223dd4689986104eb0555a3da52d8578ba1564713cf870 |
| SHA512 | 567304f750aacdf275b8fd1a0370935d00b3b82849a7009a70a2c9054a92330b46eb9dd839f494107bd098ded4e5a9b8a8c83d1d81937294ad9ee7ccefda5ca7 |
\Users\Admin\AppData\Local\Temp\22FD.exe
| MD5 | b3aa1f34aaa2c62f721e00a851bb2511 |
| SHA1 | c188db14d3c5796612c5f813255f6cf27754f2fa |
| SHA256 | 9b3ee17566d4270650bdfde752300f9b7aba49b56500b060ea36d9e64572bd39 |
| SHA512 | ade191eaa788f10d42c61e24b62963148b1e6f5b7bceae939dd90ddd4ce78ee9d1d6b645efdafde44f7ae1d14746c2dc1dffb39c269edaa60438e39fc8481932 |
memory/1868-247-0x00000000001A0000-0x00000000001A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\22FD.exe
| MD5 | a0950f656d83e0b9d70a3170af9b82ed |
| SHA1 | f2540e79110bb7728a2d79c96a3f698d8d7ef941 |
| SHA256 | 024808e2de8cc2cc82fb14ba88387a612c737fba4f1f0444459da4b2f89943d8 |
| SHA512 | 7e9adf6a84c1c3e700bfa1d63628ddf347079a6d3a785f59d63176979d94abc129386e63cd864aa058ef6d6f0e6dbf59440f679a786d8060bba00fc1504ed1da |
\Users\Admin\AppData\Local\Temp\3D91.exe
| MD5 | 450039a02217c53bd983eaf1fd34505a |
| SHA1 | 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda |
| SHA256 | d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0 |
| SHA512 | cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080 |
memory/2372-257-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2380-265-0x0000000000912000-0x0000000000922000-memory.dmp
memory/1868-269-0x0000000000260000-0x0000000000F45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9E57.exe
| MD5 | 9d0083e73b7f1785427cf958b044d493 |
| SHA1 | a9cd2490f78117f3484be517288e54c45e895e81 |
| SHA256 | f9204c9fe479089c8b9b9411f0f61363d08142da4301f70d796fcf0c633bf2ac |
| SHA512 | 67afa5eab7801dd0c3e201afab970bb7565caca9fd16aeb41b498b771147d583c20cca16840e6f193bd78e77320ee30af200bf6f34a6fc2053a09f5a13d5df87 |
memory/2028-280-0x0000000000990000-0x0000000000E48000-memory.dmp
memory/2028-281-0x0000000077790000-0x0000000077792000-memory.dmp
memory/2028-282-0x0000000000990000-0x0000000000E48000-memory.dmp
memory/2028-284-0x00000000025D0000-0x00000000025D1000-memory.dmp
memory/2028-285-0x0000000002450000-0x0000000002451000-memory.dmp
memory/2028-283-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/2028-286-0x0000000002640000-0x0000000002641000-memory.dmp
memory/2028-287-0x00000000008D0000-0x00000000008D1000-memory.dmp
memory/2028-288-0x0000000000980000-0x0000000000981000-memory.dmp
memory/2028-289-0x0000000002430000-0x0000000002431000-memory.dmp
memory/2028-290-0x00000000024A0000-0x00000000024A1000-memory.dmp
memory/2028-291-0x0000000002440000-0x0000000002441000-memory.dmp
memory/2028-292-0x00000000008F0000-0x00000000008F1000-memory.dmp
memory/2028-293-0x0000000002250000-0x0000000002251000-memory.dmp
memory/2028-294-0x00000000022A0000-0x00000000022A1000-memory.dmp
memory/2028-295-0x0000000002660000-0x0000000002661000-memory.dmp
memory/2028-297-0x00000000008E0000-0x00000000008E1000-memory.dmp
memory/2028-298-0x00000000028C0000-0x00000000028C1000-memory.dmp
memory/2028-304-0x0000000000990000-0x0000000000E48000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AFC5.exe
| MD5 | 0de19cd17462ea79db1a5e5fd1d7f59f |
| SHA1 | d2b313dcfbda9a04475fc01182336b52846bbe3b |
| SHA256 | c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b |
| SHA512 | 0aecaaa2d8488c3150b2349c260782c13619c5b871f7559496da8fa53e8a18a3fff39603d65516f53709c95108672fd08da8a1249b58aaba92c19ad80411d40c |
C:\Users\Admin\AppData\Local\Temp\248906074286
| MD5 | ed22e81031edb1686adc5ea1d117fb8b |
| SHA1 | bf040bf52ad2475a3950a4d07c394a9614268c2d |
| SHA256 | 0eb8997e2bb230dfd5c61b4afe37d0742d6a8a1c9ccf6fcc39d15d195fe66ea6 |
| SHA512 | b16368b0327031fff2e55cede50054938f1483ab58c4e3d4373ebeb118863786bf39f293cb55af8e798bf76c9f56e5b26d7d037b0f59951339178120b596bdae |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 4876ee75ce2712147c41ff1277cd2d30 |
| SHA1 | 3733dc92318f0c6b92cb201e49151686281acda6 |
| SHA256 | bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed |
| SHA512 | 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9 |
\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | f7d8aaed58c64e5f02b9d3752203961b |
| SHA1 | 55a440d27321aaa8245d689c40aca3d0f56a7110 |
| SHA256 | 2c2f098479f0cfc277e3acc1a43e1773594f1c6e6b04f9583e94864b2af2cafa |
| SHA512 | f09d91613b50d44cefad7840d41c463cb30100b21bfc8a4866538ffeace85d44660086c4b0f7ea11786b9691870d9cae9084bd83b3088378333e9c90e4192307 |
\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 13c083019bad31f57b7cc9c4f34dcd4a |
| SHA1 | f441ff0e65023850f2328802290e4bc5b66e3715 |
| SHA256 | 4140da939545fa1abf02d46f74d11e797a568a3d9a2f465901eba6ff6bcf9f0a |
| SHA512 | b73d82a9012fe21a522169519c449598423375ce6a5b9704f4caf938f9978645145e8a49f99d8e68fdfd99a5a9b5094edb77a36f34aea8df56b4143142077787 |
\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | b3d28b44bb49552823dbec80e8b9e101 |
| SHA1 | cb39a100c393338768e3b1f349929af0eee36cc4 |
| SHA256 | 3a68d3c88ed041ceded28191ecbd9200ef0ab5d56510cca28d9fadb6036f3cef |
| SHA512 | 095263c81e1b5023803089b26de445300393301e719b385932074edf35360abe2e4a648ed7c11543edafbda2833e266ff8da86d7c0ad8c1921affed37efea2dc |
\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | f19bda82fb89691905fd5531324dda68 |
| SHA1 | ff287dbd2b0ea53cd3e6fbc2295b8317c9b94d1c |
| SHA256 | 4661aff5beaa0112bb39d559e4c16e322fcf640808b64915ee1fedee1b63b742 |
| SHA512 | 3bc14bcac2f4b2a72db984eb1420f9902ba94b3d340dd4613ec3fe87b03f073eeb14043ace5463376161e4ee15c0dd26890ab3a3622dd77dd949f4cb99ff2638 |
\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | de29361fc954c0d8f246b07f604dfd79 |
| SHA1 | eb93fa0a17e63d17dddf30c1b02a57572f9a7842 |
| SHA256 | 7559fee7a9060bab61ce18c1379c2a834d6d07f0380cb55aaea2e5075ac1f9e0 |
| SHA512 | 388d13ee795126411b8790ee5d267d83e92b5a50cb054029ea396cc42cb139fc503f17575f82bef2017d8d7256228a625cafad0b6ee772459457eba9bd96f14b |
\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | d161163fe82b1af7fdf8b3a50fd56852 |
| SHA1 | 705bea905e197595051a1383449956d216ecfcad |
| SHA256 | 593c1414c55a35490f1404ac43462809006912b217bbdc5f79e40ab6da94b711 |
| SHA512 | 5bd082c6e426085df2b1845b64d954e9c2c29eaf4dec222a7c9374af265f034e204a61216fa82c7e9047162d387e5c1d3d9db06874e6fc7e15ff1c73de5dfa35 |
\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 684c2e52b33c5dddf791e7967fe9c404 |
| SHA1 | 4a760a1301b6e78c340d8892dfe57cda9f16a0a8 |
| SHA256 | 1983d9bce62dae7ae818c111e9ee7e1222631e5c9e6de7a682884523d1a18fd0 |
| SHA512 | 58f664639ebe4d78e6a2fcd9ea80364a985f706fb62e87bd25f867ed9b16e398353925ecc5e17a03981bb30702c375f74df00a6240859df5289c11dc7f42368d |
\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 47a529ba6ea7a9f0186482116ae11e14 |
| SHA1 | f1c69a64f317cb6dbe2cc6a245ff4a6b90b4d9b5 |
| SHA256 | f7b823afa1a8437c222d50f4c053821a155c00a1548388225fd1c19625b26ca9 |
| SHA512 | d710500ef2257aa2af66f0e35781408e0666cb26e06be6d8d26bee8895b6998612469a407d9b0422d99de0a470377e5bea8edc4a17e08f894568e57e8b75c28a |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll
| MD5 | ca684dc5ebed4381701a39f1cc3a0fb2 |
| SHA1 | 8c4a375aa583bd1c705597a7f45fd18934276770 |
| SHA256 | b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2 |
| SHA512 | 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-15 03:29
Reported
2024-03-15 03:35
Platform
win10v2004-20240226-en
Max time kernel
299s
Max time network
306s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6f4e52cf-af06-4d24-b054-7a5b30cea4ac\\E02F.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\E02F.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Lumma Stealer
SmokeLoader
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4600 created 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\21439\Http.pif | C:\Windows\Explorer.EXE |
| PID 4600 created 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\21439\Http.pif | C:\Windows\Explorer.EXE |
ZGRat
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E02F.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8F24.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url | C:\Windows\SYSTEM32\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url | C:\Windows\SYSTEM32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E02F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E02F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA14.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E02F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E02F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F5B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2527.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4916.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8F24.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9D4E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\21439\Http.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D566.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4916.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6f4e52cf-af06-4d24-b054-7a5b30cea4ac\\E02F.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\E02F.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4924 set thread context of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\E02F.exe | C:\Users\Admin\AppData\Local\Temp\E02F.exe |
| PID 4784 set thread context of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\EA14.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 724 set thread context of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\E02F.exe | C:\Users\Admin\AppData\Local\Temp\E02F.exe |
| PID 1072 set thread context of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\4916.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| PID 3352 set thread context of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\9D4E.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9D4E.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\21439\Http.pif | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\21439\Http.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\21439\Http.pif | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\21439\Http.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\21439\Http.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\21439\Http.pif | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AB72.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\E02F.exe
C:\Users\Admin\AppData\Local\Temp\E02F.exe
C:\Users\Admin\AppData\Local\Temp\E02F.exe
C:\Users\Admin\AppData\Local\Temp\E02F.exe
C:\Users\Admin\AppData\Local\Temp\EA14.exe
C:\Users\Admin\AppData\Local\Temp\EA14.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6f4e52cf-af06-4d24-b054-7a5b30cea4ac" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\E02F.exe
"C:\Users\Admin\AppData\Local\Temp\E02F.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\E02F.exe
"C:\Users\Admin\AppData\Local\Temp\E02F.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 8 -ip 8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1320 -ip 1320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1108
C:\Users\Admin\AppData\Local\Temp\F5B.exe
C:\Users\Admin\AppData\Local\Temp\F5B.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\16FD.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1516 -ip 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1172
C:\Users\Admin\AppData\Local\Temp\2527.exe
C:\Users\Admin\AppData\Local\Temp\2527.exe
C:\Users\Admin\AppData\Local\Temp\4916.exe
C:\Users\Admin\AppData\Local\Temp\4916.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1072 -ip 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 704
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Users\Admin\AppData\Local\Temp\8F24.exe
C:\Users\Admin\AppData\Local\Temp\8F24.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Jeffrey Jeffrey.bat & Jeffrey.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Users\Admin\AppData\Local\Temp\9D4E.exe
C:\Users\Admin\AppData\Local\Temp\9D4E.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c md 21439
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Sitemap + Sublimedirectory + Cow + Rss + Josh 21439\Http.pif
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Cdt + Thumbnail + Powers + Tamil + Capabilities + Novel + Cos + Breach + Canal + Hobby + Debut + Patricia + Neural + Translations + Fist + Able + Warner + Shapes + Ancient + Plans + Greg + Go + Drain + Mpeg + Necessary + Robertson + Islam + Generations + Trim + Around + Companion + Maiden + Kills + Eat + Brunswick + Ww + Determines + Login + Heads + Wv + Vampire + Consequence + Tba 21439\F
C:\Users\Admin\AppData\Local\Temp\21439\Http.pif
21439\Http.pif 21439\F
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SYSTEM32\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit
C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F
C:\Users\Admin\AppData\Local\Temp\D566.exe
C:\Users\Admin\AppData\Local\Temp\D566.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Closing Closing.bat & Closing.bat & exit
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 197.159.94.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| CO | 190.249.149.134:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | 134.149.249.190.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 166.138.96.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| US | 8.8.8.8:53 | theonlyreasonwhywe.pro | udp |
| US | 172.67.218.191:443 | theonlyreasonwhywe.pro | tcp |
| US | 8.8.8.8:53 | 191.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | wisemassiveharmonious.shop | udp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | colorfulequalugliess.shop | udp |
| US | 104.21.19.68:443 | colorfulequalugliess.shop | tcp |
| US | 8.8.8.8:53 | 68.19.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 172.67.217.100:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 8.8.8.8:53 | 100.217.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 104.21.51.243:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 242.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.51.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nessotechbd.com | udp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 8.8.8.8:53 | 114.16.185.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| US | 8.8.8.8:53 | 59.39.141.209.in-addr.arpa | udp |
| TR | 94.156.8.100:80 | 94.156.8.100 | tcp |
| US | 8.8.8.8:53 | 100.8.156.94.in-addr.arpa | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| NL | 195.20.16.82:443 | 195.20.16.82 | tcp |
| US | 8.8.8.8:53 | 78.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.16.20.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lknusantararaya.com | udp |
| ID | 103.147.154.49:443 | lknusantararaya.com | tcp |
| US | 8.8.8.8:53 | 49.154.147.103.in-addr.arpa | udp |
| FI | 37.27.52.220:80 | 37.27.52.220 | tcp |
| US | 8.8.8.8:53 | 220.52.27.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | streamingplay.site | udp |
| BR | 45.152.46.72:443 | streamingplay.site | tcp |
| US | 8.8.8.8:53 | gZrMmkMPXNMnXLftODCxOMCJtQlce.gZrMmkMPXNMnXLftODCxOMCJtQlce | udp |
| US | 8.8.8.8:53 | 72.46.152.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.upload.ee | udp |
| FR | 51.91.30.159:443 | www.upload.ee | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | 159.30.91.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| RU | 185.215.113.45:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\AB72.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\E02F.exe
| MD5 | ae597691370226cc4354b9897415b115 |
| SHA1 | 3e89b4b1d81cdae205ac96f151bf3dc0fe3337ae |
| SHA256 | 10f5ba78f4d86b82127e167fee1ea0e6b26dd087ecfe933bda24e5d2685ad675 |
| SHA512 | f2db423695272ea3519d6329965baf4f0eee6dda62820406ecafcc13385380cb6279c097a8a610163835a181f845ccac7982c7f867b90abc5b553968b3ac7f24 |
C:\Users\Admin\AppData\Local\Temp\EA14.exe
| MD5 | e79d42e6b51653c6a459adc6e6cd0e7d |
| SHA1 | 19590e4efcea7b916825669075fb59de0aae0600 |
| SHA256 | 3e1451fbd94c852f561fdb5332a5a8576d940d95b1a8cff4dfc0285bc9fc0b14 |
| SHA512 | 17f70d269b7be8fe4d8fa2b5bca88188c318991ac168d54f37237bbacaf9804e8aa7e6b81a2320bcd61d2a109728461d8082cd69e6b0ed8f1f90600b1ecaed9f |
C:\Users\Admin\AppData\Local\Temp\F5B.exe
| MD5 | 0be0a17590d577f254d3032b3e55ed77 |
| SHA1 | 5f97217b7f571a5fcf27f86224181ec5674405d1 |
| SHA256 | 379b89d18e0b54acb7b3c7d4358b0e55833e108972ff80cfbbc44711c0766d05 |
| SHA512 | aa3a19875e7729b07040f03f6f1a1b6848e415be0c51ee264a5c9c94b332eff63088b1bd6f131beea894c61cd795e1334037e429f636b4397ad1ef2e46dd3b18 |
C:\Users\Admin\AppData\Local\Temp\F5B.exe
| MD5 | 59971e0cbf1cb93aa5ce3fe948836f7a |
| SHA1 | 835eba9008d9bc7145e195938f1edb78977b94db |
| SHA256 | 023b4aab7bf5c91594e90b53c1bceba31e13d292bf21a76586805a12f86e5f5e |
| SHA512 | 34a2d1ff453f694e9085edaf0eea9ac43ee32939ac5b7c3770389db33ae6a33be57de92bf826e3cc05e7d37687bb34829a6ddae955bc3e38dec5211c5fe575f1 |
C:\Users\Admin\AppData\Local\Temp\2527.exe
| MD5 | 450039a02217c53bd983eaf1fd34505a |
| SHA1 | 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda |
| SHA256 | d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0 |
| SHA512 | cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080 |
C:\Users\Admin\AppData\Local\Temp\4916.exe
| MD5 | ebd110f7c51bec7dc138185fb0e9876d |
| SHA1 | e82c094acce5ffdf1eeb98932b08fcf0fef2490a |
| SHA256 | 0e9f713a96c015e027b70da5274d4162b6ca4b2e9bf2107825ce18c1493f8b96 |
| SHA512 | b653a8a9eec8d99f7ae11d4b6207c6d13e41e878de6744957822614097500ed22cbbf57bf94a063924ac90ba6c65e540b485970c0f38f33564f090ffab8248c9 |
C:\Users\Admin\AppData\Local\Temp\4916.exe
| MD5 | e8c918d901a15316bffed4bec9c77baf |
| SHA1 | 5052a34026024d2e47a0b2a773d4ba81be6560e8 |
| SHA256 | 055e6a1b17e4ec26eeb00f264314492ad7ec08870054d31396a5c27ecfb74aa5 |
| SHA512 | f990fecf637f20323c8355d7dfb24b5731ece29011e3e6d514c58715f351dff2825c90eecacf8efad2c8390a4de80ae8da3a17ea362487ce0dc3548ffcd1a214 |
memory/1072-110-0x0000000075120000-0x00000000758D0000-memory.dmp
memory/1072-111-0x0000000000FE0000-0x0000000001534000-memory.dmp
memory/1072-112-0x0000000005D20000-0x0000000005D30000-memory.dmp
memory/1072-113-0x0000000005DF0000-0x0000000005E8C000-memory.dmp
memory/1072-114-0x0000000006500000-0x0000000006A2C000-memory.dmp
memory/3060-115-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp
memory/3060-116-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp
memory/1072-117-0x0000000075120000-0x00000000758D0000-memory.dmp
memory/1072-118-0x0000000005D20000-0x0000000005D30000-memory.dmp
memory/3060-119-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp
memory/1072-120-0x0000000006A30000-0x0000000006C6C000-memory.dmp
memory/1072-121-0x00000000061F0000-0x0000000006202000-memory.dmp
memory/1072-122-0x0000000007DB0000-0x0000000007F42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/1072-130-0x0000000005D20000-0x0000000005D30000-memory.dmp
memory/1072-129-0x0000000006260000-0x0000000006270000-memory.dmp
memory/1072-131-0x0000000005D20000-0x0000000005D30000-memory.dmp
memory/1072-128-0x0000000005D20000-0x0000000005D30000-memory.dmp
memory/1072-132-0x0000000005D20000-0x0000000005D30000-memory.dmp
memory/1072-133-0x0000000005D20000-0x0000000005D30000-memory.dmp
memory/1072-136-0x00000000082E0000-0x00000000083E0000-memory.dmp
memory/1072-134-0x0000000005D20000-0x0000000005D30000-memory.dmp
memory/2456-135-0x0000000000400000-0x000000000063B000-memory.dmp
memory/1072-137-0x00000000082E0000-0x00000000083E0000-memory.dmp
memory/2456-139-0x0000000000400000-0x000000000063B000-memory.dmp
memory/2456-141-0x0000000000400000-0x000000000063B000-memory.dmp
memory/1072-142-0x0000000075120000-0x00000000758D0000-memory.dmp
memory/3060-143-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp
memory/2456-144-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
memory/2456-210-0x0000000000400000-0x000000000063B000-memory.dmp
memory/3060-211-0x00007FF61EDF0000-0x00007FF61FA52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8F24.exe
| MD5 | 7769e93085751e0b35729827dc22e8d5 |
| SHA1 | 1d20bac0f5e0e8e28d466834463463cc911a5baa |
| SHA256 | 8dd36a9b8a11b166aab0584253115650ec392591e7958c0cba3f1adef483f402 |
| SHA512 | b3b658440f973b7e913681e645b21aa6c102fb4d43480f5e9952f756bfd42288bf2e56a4fef02929994d09cf82c857a7772eb1b6703ab69f924383a2ecdbe56c |
C:\Users\Admin\AppData\Local\Temp\Jeffrey
| MD5 | e121db542d18a526f078c32fd2583af5 |
| SHA1 | 69e677442ccb6d6fe1d2a3029cf44aac473f5f55 |
| SHA256 | fcaf08c62c974ca0fb7537213a7867ab0f9fb41e52dde118b758b7ea05f63ca2 |
| SHA512 | 9d8c2bd284a624b68a2fafd93445648f69ffd47374f1d3cfd1857d2951bbc2a6cbe971fdb5e10d5f513dbb5188d59ee8e5715c86e3a1bf23e6df7feec960bebe |
C:\Users\Admin\AppData\Local\Temp\9D4E.exe
| MD5 | d88c9297da5b7b0a3f96d33e6eca33e6 |
| SHA1 | 808e8a222cd131679b4feda2834eaaa92f866143 |
| SHA256 | 92a59655997ea6a17d871d12965738dfa1649751774129b4fbeea2bb01355723 |
| SHA512 | e854cf3f4e4b119e040e00d56adcd56749099ddcb1956433a31156afc88e643972b690917ac09deadb8860e5b6982d55085a372d4f509996ded7e5e3e1f05066 |
memory/3352-273-0x00000000009B0000-0x0000000000A1C000-memory.dmp
memory/3352-275-0x0000000073980000-0x0000000074130000-memory.dmp
memory/3352-276-0x0000000005310000-0x0000000005320000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Sitemap
| MD5 | 9aa3fa871956c05e6c502841714a3ca3 |
| SHA1 | fe9b5580fd142b32ee94342e5403ff9454517f9e |
| SHA256 | fdd3ef368438e0267bb64c89cee31fd6d4cd4207030ff12c14849ae3eb97ea32 |
| SHA512 | 70046f0cd491c13d73a17969a325000c1daa303ee7c7b30fb56cee784002c9d309ff6aad2d9df30b9b80b3f257303a678a01050e24bf6ca92c563a27f0302873 |
C:\Users\Admin\AppData\Local\Temp\Sublimedirectory
| MD5 | 9ac55fb2a8700521a9fc03c830483b45 |
| SHA1 | 07d4aefbc148a0f3af2543f9dc9e07f0a1e9ebb6 |
| SHA256 | 964d3d31f56f7147c8b25f0d26223808aaddc704d13749e282be5e75330c66e1 |
| SHA512 | ae2b430466ffb8fc4a9e943d514e812cb4f3d4db6260575c36ea5141ea9e0c28d5a92b2a2e85eb96757f87e2efe7412bb3ca5208c55373ce51f608321f0f2505 |
C:\Users\Admin\AppData\Local\Temp\Josh
| MD5 | dbb02def36f898899c81dbe071eaaf75 |
| SHA1 | ddd36cf26cffd70cdca8ffa36fc13097c56092c3 |
| SHA256 | 431dfb2a32ca2bdc4f43a7d35521abceab83b069f7a63845e1eccc03133cc1ea |
| SHA512 | 115536f35f7e99919fd44742199aeebd17979e84bc8f531bbfd019f7641a838bbc8011b8df046563f16df269f6c5c8c7ab900db6f7918026fbe2366b4a88d3a1 |
C:\Users\Admin\AppData\Local\Temp\Rss
| MD5 | decffdc214d187300d81458730076975 |
| SHA1 | 0d26a032a42e2b1d6cce51c88262fb99d5d85045 |
| SHA256 | 81c7087173132ecbecf5d04a7eefc5074d0d2fb54b46f48416f6a2e211a4e927 |
| SHA512 | 615dcffeeaeaebe4d83aa5e8e31e7c48c2ef6ba60890ba92f09ba0b482e1b163e778c46134ed032ccaf1a0c77bfcd9b9391c7b0528b7e3a1274db0bbf4249c76 |
C:\Users\Admin\AppData\Local\Temp\Cow
| MD5 | 3e929f7b28251914c43d3435f2f437dd |
| SHA1 | 9564974824f4fe1b9b6bdc5bd1e1065fc11678bc |
| SHA256 | e870073c8d6fe150149ec7d7fba4e948f7efca3ed51c86fe81a86a60f7e906ad |
| SHA512 | 41919c496f7989fd7ae2c3d3b122ee69ec3c2f4c89bea0247f6b19b3d8b78fa4264b8733efc707cd98d25f68a15937e644f31eff36068035b0c94a790efd8478 |
memory/3352-288-0x0000000002D60000-0x0000000004D60000-memory.dmp
memory/4804-291-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cdt
| MD5 | ba823d75b6712149e7241d1c2f6695ef |
| SHA1 | 9f351074e85afc8254aaa5df0561377c8b68874c |
| SHA256 | 7d9468f4301186c054a25dd5290770a9acec5c3e03937a5a99ae17d0af786377 |
| SHA512 | 563c98418647956e8892b855e6a9c9b5994e50f8a41c2857c0a06abf59151d729ad53676d38e1f6addd7186b3f707ce06a313f5a3482327624985f9f50bc8167 |
C:\Users\Admin\AppData\Local\Temp\Thumbnail
| MD5 | e68e0d804f78aadf2b7da5190971cc56 |
| SHA1 | b10f5a2dfc947cd7ecdc14bbf37ab4ceb5e1eaf9 |
| SHA256 | fe05a76fbb09e4fa60386db924b5bff738c3ce9be3bd0a1f9c082317c8c86bee |
| SHA512 | e5600c6ab0f3d41b47c0b92f5e32a26eb42ca34392a9e1ba373e2b0b7f884ae4c47949dee26a05ba20a3467299f01b4e50aa2c2acd1a47f5152a83e2abfa7cda |
C:\Users\Admin\AppData\Local\Temp\Tamil
| MD5 | 5b825ccfab154d5de20e806e687ecb89 |
| SHA1 | d311d7b23a70f5e1ba875e020d37e05a3a4c4552 |
| SHA256 | 19d5510298ed882c13538159f6d600afb2b0cbca2e21307b23d4ffc7b951b436 |
| SHA512 | e31cac21acdd002e14b7e40cf0af6efb65ed3b803348d885ca2dc5d38b4b3b03b1548cb78258515a1cce9b6eccefa31fef02ed6212b0e9170c4e4ba71e9d8f03 |
C:\Users\Admin\AppData\Local\Temp\Powers
| MD5 | 0c851a1587662cb3c4b3f4e79b9d40e4 |
| SHA1 | 405bcebd4ebefa55e2e51fd9a5f9a468f25020e5 |
| SHA256 | 869aadd31861f94ebedb8c7601f310b4c87091c950040cb56115e83801955e26 |
| SHA512 | c9fa7643f8c0dda69eea577dcb3868f20f22c68f49e9726f2bd1cb9f4b134a31ea5d5fead51577ba29f795de394549396dff55432df232baba40f025ac2593c8 |
C:\Users\Admin\AppData\Local\Temp\Capabilities
| MD5 | d34ef2c6ce15a8747df5431a864f0613 |
| SHA1 | fe62b64f13b149525066fe73f227df044255cddb |
| SHA256 | 879e43c64cb2cb8fcb5df47040d65e4127997f5b845d0a87692a632af3ae04b9 |
| SHA512 | 0e0dfcd55a61c0d42a262cf1fbe7b29d4c10a60902986030d784aa9abdb60fd1e76ba7ca4a1e62b89a90c00b6d02874e827801faec8adcb113209152e4f77c24 |
C:\Users\Admin\AppData\Local\Temp\Novel
| MD5 | 9c5c2a336e6c94e60e8ca1a981235806 |
| SHA1 | 887ed6cee2cc4b3da3acceb5b0553b24ec0e6617 |
| SHA256 | 7726ad699b2cfa9778d6dc2c289c9a4f46b0d9a7c5db2e39e76f18e43ac86070 |
| SHA512 | 1aa7daea097f7064bfbeef2621c4d88b08c77af0b6047cb78f84d749f94a49674f72b007e7a8422407aa045a12dd72d74a53df50811a2ca6eefb2eaf3446c2fb |
C:\Users\Admin\AppData\Local\Temp\Cos
| MD5 | c8599aa35a19083f6c5f80151f55315c |
| SHA1 | 3e315507bc934d0ebdf68328b5d60e7fcab41a3b |
| SHA256 | 339dbf69ba0f0dfbc7d4833ca4900017f2ab5999484e1194041a538589867e7f |
| SHA512 | dc6d2169226606b2880f02cff18eeda182ed39dc55fd29626cfeb464c6c59fddb7f079bfc7386dc30f9fbc089fc8e40649f5b109fbbf172a2710cdd7814ecdf1 |
C:\Users\Admin\AppData\Local\Temp\Hobby
| MD5 | cd17d8568d3cb4f7a115c0c9657aa3c1 |
| SHA1 | 389429708df886ee004b3d4c54cbb9a2e089859e |
| SHA256 | ed71c9321bf22505bc8aeb4eada537151b1d0cce36d4a68a63c312e1d278be3d |
| SHA512 | 005277a31916c4f81780ede19a26e735a302db57f97b0c643ca1a959165b54f7c911a7ee1d1c79e0df599e9c201d3daa9f7cc48359367753fa152a04a739cd33 |
C:\Users\Admin\AppData\Local\Temp\Debut
| MD5 | 309a79e7ee30ead5653c0e33c937bf20 |
| SHA1 | 808165ca516179e0749cd74b57ebf2ec92e77a9e |
| SHA256 | a8801707877eed3c2e26a3c17dfe73fa1f497e0c7c50510a2209752f2d28c233 |
| SHA512 | 0bde1c86c60452f042d5d70962d1e78483ee33d69cee5a9fefc47681b9136ff4cf64ba2b2197f050d97f5ff26161e4b79981f1a848f25f48957f2660a706a6b8 |
C:\Users\Admin\AppData\Local\Temp\Canal
| MD5 | c3a1a56b238bd452b6b59169cc99ec03 |
| SHA1 | 88a35ade6f7f14e2df8d731317afc72612074a51 |
| SHA256 | a1f3e11d023c1b288bf20d8290fbb532397bcf5de9b5094ffd9e01faf15af90f |
| SHA512 | 163287a8864978a7de323e61e5a168b75e97dcd36e8448a00d05f2e8c00b2a9c878e372a56f12288bb92c86f89a6dd6d56ae0282fb09d919e7ffe85349643525 |
C:\Users\Admin\AppData\Local\Temp\Breach
| MD5 | 9324e493902fe2c6ffcf04f088c34e08 |
| SHA1 | 866c7b4c73f99f673dd3f2035e34d843c262f256 |
| SHA256 | 6f50e1f49fca502dbab2f5d9b5ed372870222ba77e4317806a27bdd032dfd222 |
| SHA512 | c1d4bbd0444d2bbfb255766c846ec71623833b887609f995a09c95e323ec39137d74d8b55229055561fa2248418fd7cf28f531d467ed79f292f41518d3cee9e0 |
C:\Users\Admin\AppData\Local\Temp\Patricia
| MD5 | d9bd01e58c378e5a43b47b93ccf11b30 |
| SHA1 | 4f57381303c5cb2d6f0012d190ce11d696efde77 |
| SHA256 | df1836f2bef8704260148cc27c0f83b54e7bba141cb9274de315082f55983d1a |
| SHA512 | 4ed8db053adec650c71c34c843173bc2f25078ee37099ed91ad922ca57346dfd543949fe14d70b158aeabb0a0c69219548b44866c701cfe45e3c2954a1a00755 |
C:\Users\Admin\AppData\Local\Temp\Fist
| MD5 | 71afb2f733859a29cfcf25e58625284c |
| SHA1 | 248df6b7026fd2771dd65ed3b542ca0185dbb6dc |
| SHA256 | d57110136c0fa135b3dd2f4b83d48af60fc8d918372aeec2a3eac0333135f120 |
| SHA512 | 047874d945a67bda6f9e1bbeedf15e728be8ed212683f29dab0ee6d3d26a1265f1b3ab008e8b10c7c8bf6a5bf37f1ca637d54eb5ae99dd7ae67ff4fcdc16e5af |
C:\Users\Admin\AppData\Local\Temp\Go
| MD5 | b153dbfec41fa6a8b005978bc571befe |
| SHA1 | 9752d98549edff58b4c0ede5a654832c22f97d38 |
| SHA256 | f59cbe377d6d4df992d6caaa0ccbbe7a5506741c9e63a716a0284cb2ae720814 |
| SHA512 | eef43707eb9b7e047a8c8307ffac9ce4b1eb0383186280b9112eb278e4fb97c339e14cbbb334eaf9e13719280978a12c7d8d3615e8ab25e176530836799c002a |
C:\Users\Admin\AppData\Local\Temp\Generations
| MD5 | bf36de53f9099fb8780cc1f08121ec9d |
| SHA1 | 0a3289cd4e8526291b1d78231801c71f62201134 |
| SHA256 | d83f481d8af694bddf44486601adc6960190380ba091f8ae468e0282d86aca96 |
| SHA512 | b66e6ee71e534156eab1fe0e8aa8311a3b41bef397b2bbd89d41a891e2f249a8b7af8c594951058a30751436da61272befd5f3797b3b5e7c8ee63c7901a7c6f8 |
C:\Users\Admin\AppData\Local\Temp\Brunswick
| MD5 | d9d300fcd0f6c260b49dc70799cb3ed5 |
| SHA1 | 9f1c1ed5aba8635a35abf2705c9fa7e64c297f19 |
| SHA256 | e559f9fdef25eb57dc27c4ea285afd85aef5b3f4dc91f8ca94d195a347e02b9d |
| SHA512 | d86cf2df5ce022b6724ebf45a720e26155da5415e1715f1ecc9bc135b66226aa851e09584220f3ceaf6b74267d99c2d5991299f5994c859f59a4847b94e8e9bf |
C:\Users\Admin\AppData\Local\Temp\Eat
| MD5 | f3955d3be816c87209db5f1a76de0c84 |
| SHA1 | 0381898c2fc21e02b8f913cc1083727a23936bcf |
| SHA256 | c51346378e3a0cf5fafa09c0953b4559c140111d086d939c6b0f9adf497fa108 |
| SHA512 | 935294f0c695fbec87509c48d48eb78325ddf5d7a98881b8bccc1469b73ca1a6e044cb9faabbb9c8f151a66bd72a9e10bc7cae821e019e24ae94601b65a6179a |
C:\Users\Admin\AppData\Local\Temp\Kills
| MD5 | 13dc546d0daadc9b174fa60d4e58bf4c |
| SHA1 | 5a62bb74dbf964a10b98890508389ffa01f4b423 |
| SHA256 | 7b006fbcb0e8b1d4559be81f7e8e66d3e7025e0d8063b5c9b956f3712886bd21 |
| SHA512 | 142d6afe9475b179f1bd75414c487f88695a741b92e0895725231510e2c0fab6121ea463ca3429e4c2e5af0725fd196e8f11137d490722c913105b7a611bb507 |
C:\Users\Admin\AppData\Local\Temp\Maiden
| MD5 | 66362a1847593eb45b46b84215c52779 |
| SHA1 | 61519bccdb7c3cbe547bcdadcb8ac81d638593fd |
| SHA256 | 83dba2694db89c8c473f401de7ac74391297428a5162283b4ce7581967bb3ea0 |
| SHA512 | 9c568437f2870f258c77be39e724c9790d5f70ee35529aa79956bd70211267eeaf3d41b7b6eaedc1cc1c85d01ceeca7cd4991a13848a6489ff31acfe15dac23b |
C:\Users\Admin\AppData\Local\Temp\Companion
| MD5 | 529e8f5a689da689d3651e1c039bb324 |
| SHA1 | f9557b98debebc842274feb085712187a1d9cf37 |
| SHA256 | 5a0e9f3158ba1c1ee5fa3423292993ab9fa1edbe1afa5aa4597a272534f1ef22 |
| SHA512 | 610583262b7df4e3611f425813a57c10a5c6814b5a33864296bef83574b268858451b55d059f60660e89d2b683d489255f6dafe8b711f410e4935ff0c9a02d36 |
C:\Users\Admin\AppData\Local\Temp\Around
| MD5 | 1de412303c8d8449cad0f64aec5dad0c |
| SHA1 | 3fc923a66906aea4c8e30358277f1ed3b723e15c |
| SHA256 | 37ea73ebc91feab33bea461c97c7495d260069041b9ee2e4526444cfb4035da3 |
| SHA512 | d56a13cd0648849e9a5f965f3b8eb9e00222408d8a5ee42a095e11c0be10f49782036c00e468d2ef26080bf6855e8794c8ee45bd7ec1b08166233691f619e9b1 |
C:\Users\Admin\AppData\Local\Temp\Trim
| MD5 | 9806a4ee54225558e00a86e6f15ff6c7 |
| SHA1 | 308c952352eda64d06c982ca826fba193c8dcf27 |
| SHA256 | 5c9d5114e0f13978f10f4d726f2e585f049bf4dc2b735be00389476d2737dc9b |
| SHA512 | 657de9473896f623c6975a50618051e4b6a5098af4b69f9d20d5b736c70029548a4ac108d830b332ac9837f9a9902bdbf75f6560d61c7328706ccd09dbf76af4 |
C:\Users\Admin\AppData\Local\Temp\Islam
| MD5 | 5e0c4a84587a2ba5295805c9623704a4 |
| SHA1 | 1108e298b95830a0c0a265f89082a5412c11d865 |
| SHA256 | aafa12d671f2eba209cda92d296b29f1abdf359faa3e0f064b7626bf25d89acd |
| SHA512 | 2dab73ed3fae2c1f1ecb38aa1ebbbbe55326fa6bcd562cac2c4adc004e9ab1ccf392aa5c7741419452433b25ea4474508fa5ed65ff02ba01f0ec07b5589dfa08 |
C:\Users\Admin\AppData\Local\Temp\Robertson
| MD5 | 547c335ac69f9da2f963745762672f44 |
| SHA1 | f9d6f6c943b91988020176a827f592f8f46f2670 |
| SHA256 | 8a7e8e502a6041ccac7c06b222cabc9e7aa39523a1c5edc33097e5506b6ad3cc |
| SHA512 | 1a1561b11224c74dbe791ee12c67e74ecbb8f8d63720a392ea1f6c9f0b448ff226ae920253e6a00023db74963c83605c82822722b1cc3c2ed8bf6862b22f497c |
C:\Users\Admin\AppData\Local\Temp\Necessary
| MD5 | d2635aadbd169174c362c0052a33e396 |
| SHA1 | 601bf240df1f218670acda168020ba7736cf821c |
| SHA256 | de7612db6d35cfd9670d56dfd6497802bbcda88c787e6b83b1438df598bd9e96 |
| SHA512 | 0cdfb4d1560a01a6c5c1406ee7f2ac27229756a7bc35865a3437e05443b9e6eb9ed18c04131268d190c33d03a05c7190381be828c1208ecd0819bade943d2a58 |
C:\Users\Admin\AppData\Local\Temp\Mpeg
| MD5 | af66ed102029338945a5ae7af6e68867 |
| SHA1 | 2a590d37a9e25203f41fe28be7b3702bdac34e28 |
| SHA256 | 4f5603c2539d330e9576ab577fe08cd58e6a191620e962c570af439ec4808c6b |
| SHA512 | 83d5afa258752706ce85f5e57a59e04e0c8e2e856eb12d4e419237eaf2669bf1ffbd1ab87eabc34e0e7c3e4584a4288aa39285cfbfd398d04f8bd2248cf27609 |
C:\Users\Admin\AppData\Local\Temp\Drain
| MD5 | 99667047563ffb1f92319045c1fa496f |
| SHA1 | 9eba1534190dac88d7231e00cf2372477479a262 |
| SHA256 | 3f6dfc93ffd2c876839d824993a4234df1d16a3f0b5d284c66e32bc2264867ea |
| SHA512 | e8d39f341df2decde92d2bf7066de6ccf3b3b2d6c4e57d353a60ee409fb7d54444d55e8c02a266da4ec94e719e149685120c72c6db7c35e863cef7f1f844c9d9 |
C:\Users\Admin\AppData\Local\Temp\Greg
| MD5 | 265344b2c8ca35ae60227ff6639481f5 |
| SHA1 | 49bf4e7aab05a697409a4cc8f04c5b2ed1e78e79 |
| SHA256 | 349c58fc4a15001ff0875d2a9f797d536045804c99350e0f43203ade07c41b59 |
| SHA512 | 2248bd383433d3dd541eb74f3e2404f83e1f379b11d9e7de9bf6903460cfba9b1955d089439883126ce6c08a67a3e12beb63126a74a1a86dc461ca8f232f442d |
C:\Users\Admin\AppData\Local\Temp\Plans
| MD5 | 5e136f53a54f61eeb099c76021dba233 |
| SHA1 | 1b9f5ffa3b8c1cf3a1ce8fe58786e2b3617825d3 |
| SHA256 | ed6ad54fc60499182bf34b7dd96c25c04ff155c33fbe205b2579deb03f15a041 |
| SHA512 | 493110347fa229d48e4c6d8a735dc56bfa34d5da3b70d485c56ef35d47b92d694e0ba84784487168be98931699bcf019ff1d831f1dffc2fde1fd27aec7ae03a8 |
C:\Users\Admin\AppData\Local\Temp\Ancient
| MD5 | a02c222cf530ee003a3893c4c78770c2 |
| SHA1 | bdaaf55f6f97ad1c4493f1bb7b683cb3f47aa0f3 |
| SHA256 | 192ca40b43714d9220f9c753befa6b87c9d95ac36d2eea8b762c67e1267981b5 |
| SHA512 | 1225b9d79b853801089c216e75afc3ec093337858cf54657a746c43e6392aa66f9fdbc922bc13472f41407947acde71d2a2cabbdbdd34241e56410d7d61b0368 |
C:\Users\Admin\AppData\Local\Temp\Shapes
| MD5 | 7aaaa1a6965448912a128a631bbd06be |
| SHA1 | d3917e8d8780c9296c6bba2066a3fccd08e04253 |
| SHA256 | f9dd85538a77f5e563a03d1d846b2ed4e447fc002c4a3f35f6630fb6b068bf85 |
| SHA512 | 02f233fa2df94f057eb453a571e5ccbe882dafb71a5f65c5ad159ed1aa56157dcf25fb954b9340dd43de0e4413b89447bcb5b5664c6966185710df9802474b52 |
C:\Users\Admin\AppData\Local\Temp\Warner
| MD5 | f83e3a79f793337194e79e4bb5c3b073 |
| SHA1 | 6d4ef4fc71fbabc6f56265388d87d997e47194dc |
| SHA256 | e6c10154860c14f05f94129e411439105ea9da7fe9bb372b5cf107978aed6844 |
| SHA512 | 5133a73e3c9da5cef73cd6504e2bdfad81517a1b3dd8e3bd970ad6c2ba8fd02e305cc7b0884771b313ce44fd181e685be5c21426ed1c6d098bace464c5a02775 |
C:\Users\Admin\AppData\Local\Temp\Able
| MD5 | 13fd06533f068d719a2b9f300096ca41 |
| SHA1 | f054659e3fb8516b759b8f819d12acb9c173ab6a |
| SHA256 | b43ce17ba094fb6dbfffb9d06874f74f17acc0ca791d49fc2a0e83eeebda06f9 |
| SHA512 | f8cc9e163900c0594d2d76d0b8cc5a02399c15b68341ec7dd336abb754f7360b9b75623fa3666a1cf8df080e11ef1a759197076b0c7275701812e3b6e02c0422 |
C:\Users\Admin\AppData\Local\Temp\Translations
| MD5 | a40fabfc3d4fe0e77cf03156b0541015 |
| SHA1 | 7a8c301d0a3834a212af25812cb9f51afa8425d4 |
| SHA256 | fb58698a4c4b63b75f32a80188681d5a7489ac856c2e4f66040ec75d86594864 |
| SHA512 | f34e5b24f65916dad8cb8bdb920b008b3110dc89f0fd7de378c1dde905738572921098286f2bcc8df1615a4f4dd638c28cef8decb0ae68a8bba29600dd249c11 |
C:\Users\Admin\AppData\Local\Temp\Neural
| MD5 | 4c5c9f5368402dd77d8f8e0c31951625 |
| SHA1 | 719e5a648399121cf1402d36734631f95c723d18 |
| SHA256 | d7d7df376fcf36b624b6b7c42bac9e409997daf2533fb13b47df979080bd89d7 |
| SHA512 | 1077177e69ca516d7fac2f48c650407007b05e6867140f0349779dc9e315da2291c8ecbf63d87533f86447c9920d83dbd1c509f9b97d6e653445cdd6661460ba |
C:\ProgramData\EHCGIJDH
| MD5 | d8258cfea30050e289acf9aa882159f2 |
| SHA1 | 26acf382025e2880308c3cb82ee11b935f52d6fa |
| SHA256 | 97f3a97af8aad5da47509b3b5639b85c82f5b67fb34193ef409c9bb84c2e334b |
| SHA512 | caa184c63653b9b8be5b76833be8caf40d8a6804cc26b329d955e5b59e5cf75c0e9e654f5e4fef9fdb76536f43fe3d9a4017a3446f0610d6df61f3737f44a74a |
C:\ProgramData\FCBAECGI
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |