Analysis Overview
SHA256
8fe6231806a75ac895c6330744b6ff0c1deeae3c1edfbcd14713104ae7c765c3
Threat Level: Known bad
The file 18697352947.zip was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Detect Vidar Stealer
Stealc
RedLine
Vidar
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Stops running service(s)
Creates new service(s)
Checks computer location settings
Loads dropped DLL
Checks BIOS information in registry
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Identifies Wine through registry keys
.NET Reactor proctector
Adds Run key to start application
Power Settings
Checks installed software on the system
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Launches sc.exe
Program crash
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks processor information in registry
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-28 22:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-28 22:01
Reported
2024-08-28 22:03
Platform
win7-20240708-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2524 set thread context of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\1137f4c0351b60d4cc1cb9ec41592cce9027c03c499ca152a1d7726e47eae51a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1137f4c0351b60d4cc1cb9ec41592cce9027c03c499ca152a1d7726e47eae51a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1137f4c0351b60d4cc1cb9ec41592cce9027c03c499ca152a1d7726e47eae51a.exe
"C:\Users\Admin\AppData\Local\Temp\1137f4c0351b60d4cc1cb9ec41592cce9027c03c499ca152a1d7726e47eae51a.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 195.10.205.48:80 | 195.10.205.48 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
Files
memory/2524-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp
memory/2524-1-0x0000000000AC0000-0x0000000001352000-memory.dmp
memory/2524-2-0x0000000074A00000-0x00000000750EE000-memory.dmp
memory/2524-3-0x00000000057A0000-0x0000000005AD0000-memory.dmp
memory/2524-4-0x0000000006EA0000-0x00000000071C8000-memory.dmp
memory/2524-5-0x0000000001360000-0x0000000001382000-memory.dmp
memory/2152-6-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/2152-7-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/2152-8-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/2152-10-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/2152-14-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/2152-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2152-11-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/2152-18-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/2152-17-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/2152-9-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/2524-19-0x0000000074A00000-0x00000000750EE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-28 22:01
Reported
2024-08-28 22:03
Platform
win10v2004-20240802-en
Max time kernel
40s
Max time network
151s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\piratemamm\fYipNF7A_X1W2ef9z_aJqNCG.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\piratemamm\fYipNF7A_X1W2ef9z_aJqNCG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\piratemamm\fYipNF7A_X1W2ef9z_aJqNCG.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\piratemamm\5t15qDeLxMxBUKop3WamUo02.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk | C:\Users\Admin\Documents\piratemamm\EDj12vVG1n3fQcYyxCCuirHa.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | C:\Users\Admin\Documents\piratemamm\fYipNF7A_X1W2ef9z_aJqNCG.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IJHKC.tmp\kYHIDbJzCxaxCcLTRe0BXq4h.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IJHKC.tmp\kYHIDbJzCxaxCcLTRe0BXq4h.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IJHKC.tmp\kYHIDbJzCxaxCcLTRe0BXq4h.tmp | N/A |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" | C:\Users\Admin\Documents\piratemamm\EDj12vVG1n3fQcYyxCCuirHa.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\piratemamm\fYipNF7A_X1W2ef9z_aJqNCG.exe | N/A |
Suspicious use of SetThreadContext
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1137f4c0351b60d4cc1cb9ec41592cce9027c03c499ca152a1d7726e47eae51a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\piratemamm\EDj12vVG1n3fQcYyxCCuirHa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\piratemamm\EDj12vVG1n3fQcYyxCCuirHa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\piratemamm\VdAFLDmdunac1BQ5c1MygsDB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\piratemamm\kYHIDbJzCxaxCcLTRe0BXq4h.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\piratemamm\fYipNF7A_X1W2ef9z_aJqNCG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\piratemamm\JE_4MVMl91SDJftfmlMpQFdJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\piratemamm\gWCerWL048lqrEkaPqndLkKJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\piratemamm\R5u53wSVQznb0nukHpwE6KRc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-IJHKC.tmp\kYHIDbJzCxaxCcLTRe0BXq4h.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\piratemamm\ySAYASbNAeGV9r4uLc0ozWlr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\piratemamm\p0uWim0q_iMmHhJUv_WMrztq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\piratemamm\9W8WS19kQiWsz64u7kChQ1MM.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Convenient Video Shooting\videoshooting32_64.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\piratemamm\fYipNF7A_X1W2ef9z_aJqNCG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\piratemamm\fYipNF7A_X1W2ef9z_aJqNCG.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\piratemamm\VdAFLDmdunac1BQ5c1MygsDB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\piratemamm\gWCerWL048lqrEkaPqndLkKJ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1137f4c0351b60d4cc1cb9ec41592cce9027c03c499ca152a1d7726e47eae51a.exe
"C:\Users\Admin\AppData\Local\Temp\1137f4c0351b60d4cc1cb9ec41592cce9027c03c499ca152a1d7726e47eae51a.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Documents\piratemamm\EDj12vVG1n3fQcYyxCCuirHa.exe
C:\Users\Admin\Documents\piratemamm\EDj12vVG1n3fQcYyxCCuirHa.exe
C:\Users\Admin\Documents\piratemamm\gWCerWL048lqrEkaPqndLkKJ.exe
C:\Users\Admin\Documents\piratemamm\gWCerWL048lqrEkaPqndLkKJ.exe
C:\Users\Admin\Documents\piratemamm\fYipNF7A_X1W2ef9z_aJqNCG.exe
C:\Users\Admin\Documents\piratemamm\fYipNF7A_X1W2ef9z_aJqNCG.exe
C:\Users\Admin\Documents\piratemamm\ySAYASbNAeGV9r4uLc0ozWlr.exe
C:\Users\Admin\Documents\piratemamm\ySAYASbNAeGV9r4uLc0ozWlr.exe
C:\Users\Admin\Documents\piratemamm\JE_4MVMl91SDJftfmlMpQFdJ.exe
C:\Users\Admin\Documents\piratemamm\JE_4MVMl91SDJftfmlMpQFdJ.exe
C:\Users\Admin\Documents\piratemamm\5t15qDeLxMxBUKop3WamUo02.exe
C:\Users\Admin\Documents\piratemamm\5t15qDeLxMxBUKop3WamUo02.exe
C:\Users\Admin\Documents\piratemamm\R5u53wSVQznb0nukHpwE6KRc.exe
C:\Users\Admin\Documents\piratemamm\R5u53wSVQznb0nukHpwE6KRc.exe
C:\Users\Admin\Documents\piratemamm\VdAFLDmdunac1BQ5c1MygsDB.exe
C:\Users\Admin\Documents\piratemamm\VdAFLDmdunac1BQ5c1MygsDB.exe
C:\Users\Admin\Documents\piratemamm\Bz792t_xq4HSOg0iXYK7JnpH.exe
C:\Users\Admin\Documents\piratemamm\Bz792t_xq4HSOg0iXYK7JnpH.exe
C:\Users\Admin\Documents\piratemamm\kYHIDbJzCxaxCcLTRe0BXq4h.exe
C:\Users\Admin\Documents\piratemamm\kYHIDbJzCxaxCcLTRe0BXq4h.exe
C:\Users\Admin\Documents\piratemamm\p0uWim0q_iMmHhJUv_WMrztq.exe
C:\Users\Admin\Documents\piratemamm\p0uWim0q_iMmHhJUv_WMrztq.exe
C:\Users\Admin\Documents\piratemamm\9W8WS19kQiWsz64u7kChQ1MM.exe
C:\Users\Admin\Documents\piratemamm\9W8WS19kQiWsz64u7kChQ1MM.exe
C:\Users\Admin\AppData\Local\Temp\is-IJHKC.tmp\kYHIDbJzCxaxCcLTRe0BXq4h.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IJHKC.tmp\kYHIDbJzCxaxCcLTRe0BXq4h.tmp" /SL5="$80118,3856139,54272,C:\Users\Admin\Documents\piratemamm\kYHIDbJzCxaxCcLTRe0BXq4h.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Documents\piratemamm\EDj12vVG1n3fQcYyxCCuirHa.exe
"C:\Users\Admin\Documents\piratemamm\EDj12vVG1n3fQcYyxCCuirHa.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Convenient Video Shooting\videoshooting32_64.exe
"C:\Users\Admin\AppData\Local\Convenient Video Shooting\videoshooting32_64.exe" -i
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" installer.dll,imgbase
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
C:\Users\Admin\Documents\piratemamm\VdAFLDmdunac1BQ5c1MygsDB.exe
C:\Users\Admin\Documents\piratemamm\VdAFLDmdunac1BQ5c1MygsDB.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "VIFLJRPW"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "VIFLJRPW"
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
"C:\ProgramData\xprfjygruytr\etzpikspwykg.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5612 -ip 5612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 1460
C:\Windows\system32\dwm.exe
"dwm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| NL | 45.91.200.135:80 | 45.91.200.135 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | 135.200.91.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 59.8.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | file-link-iota.vercel.app | udp |
| US | 8.8.8.8:53 | github.com | udp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| RU | 31.41.244.9:80 | 31.41.244.9 | tcp |
| RU | 80.66.75.114:80 | 80.66.75.114 | tcp |
| RU | 176.113.115.33:80 | 176.113.115.33 | tcp |
| US | 76.76.21.93:80 | file-link-iota.vercel.app | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 76.76.21.93:80 | file-link-iota.vercel.app | tcp |
| US | 8.8.8.8:53 | 104.44.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.75.66.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.21.76.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.115.113.176.in-addr.arpa | udp |
| US | 76.76.21.93:80 | file-link-iota.vercel.app | tcp |
| US | 76.76.21.93:443 | file-link-iota.vercel.app | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 95.100.245.168:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| NL | 45.91.200.135:80 | 45.91.200.135 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| DE | 77.105.164.24:50505 | tcp | |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.164.105.77.in-addr.arpa | udp |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| US | 8.8.8.8:53 | 100.113.215.185.in-addr.arpa | udp |
| DE | 147.45.47.251:2149 | tcp | |
| US | 8.8.8.8:53 | 251.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 95.216.107.53:12311 | tcp | |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.107.216.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.247.162:443 | steamcommunity.com | tcp |
| DE | 94.130.188.148:443 | tcp | |
| US | 8.8.8.8:53 | 162.247.103.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.188.130.94.in-addr.arpa | udp |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:443 | pool.hashvault.pro | tcp |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| DE | 94.130.188.148:443 | tcp | |
| CZ | 46.8.231.109:80 | 46.8.231.109 | tcp |
| US | 8.8.8.8:53 | 109.231.8.46.in-addr.arpa | udp |
| DE | 45.76.89.70:443 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
Files
memory/380-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp
memory/380-1-0x0000000000730000-0x0000000000FC2000-memory.dmp
memory/380-2-0x0000000005A20000-0x0000000005ABC000-memory.dmp
memory/380-3-0x0000000074DF0000-0x00000000755A0000-memory.dmp
memory/380-4-0x0000000005C30000-0x0000000005F60000-memory.dmp
memory/380-5-0x0000000007090000-0x00000000073B8000-memory.dmp
memory/380-6-0x0000000005A00000-0x0000000005A22000-memory.dmp
memory/3812-7-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-10-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-9-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/380-13-0x0000000074DF0000-0x00000000755A0000-memory.dmp
memory/3812-12-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-19-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-26-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-25-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-24-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-23-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-22-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-21-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-20-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-16-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-15-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-14-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-18-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-17-0x0000000000400000-0x00000000005E0000-memory.dmp
C:\Users\Admin\Documents\piratemamm\R5u53wSVQznb0nukHpwE6KRc.exe
| MD5 | e4ff3bee77eea05ba54f0e0757341837 |
| SHA1 | 690e83f77e71a3d5366453ce20809e0815f97105 |
| SHA256 | 6f4c8936d3a99cb30a58c294ceeaf158587a6fc1776a6dba4213134e4225734c |
| SHA512 | 2789f481bde6012d3a80c94d38a77696a1f48ddbdc65c66c874ae47d8532ee7efc193578f482e574769ed7ae9d0eb6d0a471631614b5019dd6d150b2f6336f55 |
memory/3812-44-0x0000000000400000-0x00000000005E0000-memory.dmp
C:\Users\Admin\Documents\piratemamm\kYHIDbJzCxaxCcLTRe0BXq4h.exe
| MD5 | 58461b4bf9375706d788bbd15bdd7a92 |
| SHA1 | fe7a30c1a62171c71a31a6579455af0a68cb141b |
| SHA256 | 345dae95f61573035bf02948aa427afa35970704022d88406e370756a3b4dab9 |
| SHA512 | e139c5448c5679fcc3388594890c60c05961e009942d4ac1daef068ed187026d0b6f5c675f135374e6f5775f0022a16bc268597a5b3263e04af17be4742cde74 |
C:\Users\Admin\Documents\piratemamm\fYipNF7A_X1W2ef9z_aJqNCG.exe
| MD5 | 821e219f3bcece9cf0a01f414a86fce4 |
| SHA1 | 3af019681098626f3853f31976a1c2e763e7bf23 |
| SHA256 | 00038f1e3f781026be34dc1fe4f1beea477c62e21d789342b5afe120a2edeaad |
| SHA512 | 16aee047c471d02f17760fb65bd9c6a14d855d5e839919ded7e5f433bbcf9b2b549eaf0528599ecf0b2c4cbe29e1bdc21b2916093a37d1a5710f227c6209dc25 |
C:\Users\Admin\Documents\piratemamm\5t15qDeLxMxBUKop3WamUo02.exe
| MD5 | fa78b7a25d4642a07c43cc415cf68004 |
| SHA1 | 3f9846a227480a18621ae3871d2796121feddf89 |
| SHA256 | 813f1c9e5019549447539c5aa77e478dca6e515cbf3d059835c5f1ecb4031792 |
| SHA512 | 174d082cc4ac75726fe54d2ebae95dc80e08fa8357263635dd966ba87b2fda05341b9d78ca646429debd4feaaf9d877cc331e98bf1d1f298ce6fe847536bfd59 |
C:\Users\Admin\Documents\piratemamm\gWCerWL048lqrEkaPqndLkKJ.exe
| MD5 | c835aa61191a38f357333fff57f6c81a |
| SHA1 | 5319123a505e379a75f00ee5a51588a97b2bdad8 |
| SHA256 | ae5960c2eb7035bfe0c9a2233e4b8f965c39815a49558a19c025b7be5cf6e5fe |
| SHA512 | 2864b0d47287dae58d2f46ae7a5edfd2b0a274e05706a7718dcff7f8c908d3b6e5b8550a2c978cdc3782535fd864092a20a2836fd25f7a7a6cc61d589f582f14 |
C:\Users\Admin\Documents\piratemamm\VdAFLDmdunac1BQ5c1MygsDB.exe
| MD5 | afed25699b68eb6b0d7fa7fa382c55b7 |
| SHA1 | 9ee32ce1d7dab57f66aec3f5443738aa49eb9c64 |
| SHA256 | fd7f353f2d972a7e3bdb396a66297c190407d117074b8f4945c0190c06e69c3c |
| SHA512 | ece2b6be0993bd6e5a91cd5bd67055141404557152e9a85b5766a63504223c516ba090a1dd89fa1e828d850c1aecafc01905a21704331ab0671da6b09c4c4ef8 |
C:\Users\Admin\Documents\piratemamm\JE_4MVMl91SDJftfmlMpQFdJ.exe
| MD5 | 62abfe8a7ad3a99ea4d57734689952ef |
| SHA1 | 4be1f30fd67930a52139df6716871a243dc68d55 |
| SHA256 | 1fd8bac5cc2b9aecafc8b0911842c86f0e5e16d58c82a93d717d2527d730ae54 |
| SHA512 | 7bcde56bfef05ea8cb9ab646e74e2fc4c1ebec2eba5d03e479f0bebb8b23b40b077f0efd1d67e30896672493a2ddc3d292642a44c093042803d8304e1323a0f2 |
C:\Users\Admin\Documents\piratemamm\ySAYASbNAeGV9r4uLc0ozWlr.exe
| MD5 | 1ef9bbed957bcd2df5a639e04a67f8bb |
| SHA1 | dea8af341746162f51e7c37486c43f484b7eaa20 |
| SHA256 | a1259a67819bb78fb8d97596daeaee6d01f8cf984dd217c7bf10e1808f3d7c01 |
| SHA512 | 1f915183d6b688324e4e3b6041ae780aeda3cdbe65156f6b151be8be3c09be9f55c56577e494bc1e8b96c146dcf76204745b7bcdc2a222854f0784a766020663 |
C:\Users\Admin\Documents\piratemamm\9W8WS19kQiWsz64u7kChQ1MM.exe
| MD5 | 6d90f5899ff47cd3519ee0f53b8900f6 |
| SHA1 | 1c28f0a93e4258f2370b14c58872ef1987109a5e |
| SHA256 | 7935b5b0a3c2fe6391fad0065809fbdd361af8a34fce890182a63a312f1703ef |
| SHA512 | 985fd3862446ddb8c6baf0ba68b31414a3a004033ff7a5bc37cbfc7e8b7ccbaf43642c16b7c67be6e7e8fcce38edede7986b786740d20da71178a42b7d296146 |
C:\Users\Admin\Documents\piratemamm\EDj12vVG1n3fQcYyxCCuirHa.exe
| MD5 | d4ac1a0d0504ab9a127defa511df833e |
| SHA1 | 9254864b6917eba6d4d4616ac2564f192626668b |
| SHA256 | a29c9ebecbe58f11b98fa8f685619e46bbe0a73ca7f770a71a14051aa0bd9848 |
| SHA512 | 59b707d1c4f3c66337ec2f913de4b3506786a31108fc621bdbe7201490e91b0f7b70505763f71d53eee0eaacf477dc6ef9cd50769881654daf1b678eaaf994c5 |
C:\Users\Admin\Documents\piratemamm\p0uWim0q_iMmHhJUv_WMrztq.exe
| MD5 | 8e41d2107579afb2911dccffeab97f1c |
| SHA1 | e364f0f9b85adcb64747c8eac819a1b59b458727 |
| SHA256 | c5c219a6512dc639b5ac5837abe4217e265f7d165159da131eb32048b0c15030 |
| SHA512 | 3f6193ece0cfca6cdbe2803ddbb6d38295837f7c01e92594fad0ce7be2f505880daa8e48d77fe00a18d7d18ed9413873e70f7ab0baf1438431f8b8c7e1b9de88 |
C:\Users\Admin\Documents\piratemamm\Bz792t_xq4HSOg0iXYK7JnpH.exe
| MD5 | 025ebe0a476fe1a27749e6da0eea724f |
| SHA1 | fe844380280463b927b9368f9eace55eb97baab7 |
| SHA256 | 2a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2 |
| SHA512 | 5f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799 |
memory/3812-155-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-157-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-172-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/1296-189-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3804-192-0x00000000006E0000-0x0000000000D1A000-memory.dmp
memory/1876-193-0x0000000004DB0000-0x0000000004EBA000-memory.dmp
C:\ProgramData\CSocket Class Lib 8.28.45\CSocket Class Lib 8.28.45.exe
| MD5 | 8dca7ed94f80cb5fb9835cf5b3aa705b |
| SHA1 | 68515a9eaaa50da9356b20165d4953947177714b |
| SHA256 | 777d1ea907883bad960f73ae5514952ebb5bc2988876157d60029e442a3784a0 |
| SHA512 | 9314f9fc4d0480d56027e73398192bb0b33953d90655b970429be3e8222016f6e97fac8a09cb7b4e3d7e5c444051c1203cf100dbcfb81a670b0068005e3096f2 |
memory/3768-1326-0x0000000000400000-0x0000000000486000-memory.dmp
memory/3768-1474-0x00000000057A0000-0x0000000005832000-memory.dmp
memory/5272-1635-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3768-1636-0x0000000005730000-0x000000000573A000-memory.dmp
memory/2248-952-0x0000000074DB0000-0x0000000074E24000-memory.dmp
memory/5164-820-0x0000000000400000-0x00000000006E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp7CB.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/4500-816-0x0000000000170000-0x00000000001C4000-memory.dmp
memory/5272-2773-0x0000000005DF0000-0x0000000005E66000-memory.dmp
memory/2248-437-0x0000000005480000-0x00000000054A2000-memory.dmp
memory/3040-358-0x0000000000EE0000-0x0000000000F18000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-6GO9J.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-6GO9J.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/3304-239-0x0000000000400000-0x0000000000641000-memory.dmp
memory/3304-236-0x0000000000400000-0x0000000000641000-memory.dmp
memory/3304-235-0x0000000000400000-0x0000000000641000-memory.dmp
memory/2248-234-0x0000000005910000-0x0000000005AAE000-memory.dmp
memory/1876-227-0x0000000004C90000-0x0000000004D93000-memory.dmp
memory/1876-225-0x0000000004C90000-0x0000000004D93000-memory.dmp
memory/1876-224-0x0000000004C90000-0x0000000004D93000-memory.dmp
memory/1876-219-0x0000000004C90000-0x0000000004D93000-memory.dmp
memory/1876-217-0x0000000004C90000-0x0000000004D93000-memory.dmp
memory/1876-213-0x0000000004C90000-0x0000000004D93000-memory.dmp
memory/1876-209-0x0000000004C90000-0x0000000004D93000-memory.dmp
memory/1876-204-0x0000000004C90000-0x0000000004D93000-memory.dmp
memory/5772-3320-0x00007FFC28920000-0x00007FFC28ACE000-memory.dmp
memory/5272-3870-0x00000000066D0000-0x000000000670C000-memory.dmp
memory/5272-3871-0x0000000006840000-0x000000000688C000-memory.dmp
memory/5772-3670-0x00007FFC28920000-0x00007FFC28ACE000-memory.dmp
memory/5272-3656-0x0000000006670000-0x0000000006682000-memory.dmp
memory/5272-3655-0x0000000006730000-0x000000000683A000-memory.dmp
memory/5272-3654-0x0000000006BE0000-0x00000000071F8000-memory.dmp
memory/3808-3563-0x0000000000950000-0x0000000000FCB000-memory.dmp
memory/5272-3395-0x00000000065A0000-0x00000000065BE000-memory.dmp
memory/1996-237-0x00000000006B0000-0x00000000006E4000-memory.dmp
memory/1876-230-0x0000000004C90000-0x0000000004D93000-memory.dmp
memory/2948-229-0x0000000000320000-0x00000000003A8000-memory.dmp
memory/1876-221-0x0000000004C90000-0x0000000004D93000-memory.dmp
memory/1876-215-0x0000000004C90000-0x0000000004D93000-memory.dmp
memory/1876-211-0x0000000004C90000-0x0000000004D93000-memory.dmp
memory/1876-207-0x0000000004C90000-0x0000000004D93000-memory.dmp
memory/1876-205-0x0000000004C90000-0x0000000004D93000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-IJHKC.tmp\kYHIDbJzCxaxCcLTRe0BXq4h.tmp
| MD5 | a664f6f1e10d2c4cc64ebdf9d6228770 |
| SHA1 | b6a02752a03df64989ea5f2cf598733364ece8d2 |
| SHA256 | cc01582b7acde056bdeae7f88c6db97117292e3655a60826028e7cc6e96b3cd2 |
| SHA512 | da23854bdececd74392079d2438116d2e9ec49e77e9a0fda4bc60853351ef972b0d2be94b3718ab8527f4cebea48e3fb3f59fcff1168959ed48e3582656f566a |
memory/2248-199-0x0000000005770000-0x0000000005910000-memory.dmp
memory/3804-198-0x0000000005500000-0x0000000005522000-memory.dmp
memory/3804-197-0x00000000056E0000-0x00000000057C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
| MD5 | 2306f2ce8b910283887fbaff04a2f43e |
| SHA1 | d53df0bfced6b56ba5580e3b027f0c8b77f5dc1a |
| SHA256 | c255c23aa44cc24db3ad5b2c9f7079bf5b24476854e91a230529a98b4f055eb4 |
| SHA512 | e0d450fae4bf46ea9da02f942871c9eae98b5ac1a6b30f3e0adcd1b96406d73bf4a51ecaca534ba1dd0bfd3f608c558261d9f145d9dec97e9b3fa3d71aa8a4fd |
memory/1876-195-0x0000000004C90000-0x0000000004D9A000-memory.dmp
memory/1876-194-0x0000000004EC0000-0x0000000005464000-memory.dmp
memory/2248-185-0x0000000000940000-0x0000000000C32000-memory.dmp
memory/3808-181-0x0000000000950000-0x0000000000FCB000-memory.dmp
memory/3812-170-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-168-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/2248-161-0x0000000074DB0000-0x0000000074E24000-memory.dmp
memory/3812-151-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-174-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-149-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-163-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-145-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/3812-143-0x0000000000400000-0x00000000005E0000-memory.dmp
memory/5164-4019-0x0000000000400000-0x00000000006E8000-memory.dmp
memory/3768-4027-0x0000000009310000-0x0000000009376000-memory.dmp
memory/3768-4032-0x000000000A1A0000-0x000000000A362000-memory.dmp
memory/3768-4039-0x000000000A8A0000-0x000000000ADCC000-memory.dmp
memory/5272-4109-0x0000000007BF0000-0x0000000007C40000-memory.dmp
C:\ProgramData\ECGDHIDAAFHI\HDAFBA
| MD5 | c3311360e96fcf6ea559c40a78ede854 |
| SHA1 | 562ada1868020814b25b5dbbdbcb5a9feb9eb6ba |
| SHA256 | 9372c1ee21c8440368f6dd8f6c9aeda24f2067056050fab9d4e050a75437d75b |
| SHA512 | fef308d10d04d9a3de7db431a9ab4a47dc120bfe0d7ae7db7e151802c426a46b00426b861e7e57ac4d6d21dde6289f278b2dbf903d4d1d6b117e77467ab9cf65 |
C:\ProgramData\ECGDHIDAAFHI\GIJJKK
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\vcruntime140.dll
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\ProgramData\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
C:\ProgramData\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
C:\ProgramData\freebl3.dll
| MD5 | 550686c0ee48c386dfcb40199bd076ac |
| SHA1 | ee5134da4d3efcb466081fb6197be5e12a5b22ab |
| SHA256 | edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa |
| SHA512 | 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk
| MD5 | 8198f16c2ca7edf8e4940ce66bc944b0 |
| SHA1 | 127a726a3a0e707e8686b0f038f386c9c561596a |
| SHA256 | 00c407aead1c0bccbf1757ab10d5f29dfdc1d28880bb90946def193d2ae06c9a |
| SHA512 | de7457aa50504f395d2a018329b3c90c4cf1719e597d9de8ff059698cb5e27474e6a7ecb0890a8abf2ef06384e674a74dede08af13e52da4e772a4f8d72766c6 |
C:\ProgramData\ECGDHIDAAFHI\AAKEGI
| MD5 | b4560ae8656dff8cfa1a9f696630fced |
| SHA1 | 8b658750d361c4a059cb2adaab144093d38566f0 |
| SHA256 | 4c3ab6ae368aa3e61b058bb106e9b9b2e2d14ab541ee529bff98afe31aa42bea |
| SHA512 | 597ad1c80fccf703663d27326354b75ee3970a1e5b7a798538dd8c14a2ba2db894d09ddd6d26a48bd7d4d0ac41235fbb489ef4b746299fd35a707573156c5717 |
C:\Windows\TEMP\cofhaqkdwqvn.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
memory/5164-4260-0x0000000000400000-0x00000000006E8000-memory.dmp