Analysis Overview
SHA256
b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466
Threat Level: Known bad
The file b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466 was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
RedLine
Djvu Ransomware
SmokeLoader
Downloads MZ/PE file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Deletes itself
Modifies file permissions
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-13 17:14
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-13 17:14
Reported
2023-08-13 17:17
Platform
win10-20230703-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Detected Djvu ransomware
Djvu Ransomware
RedLine
SmokeLoader
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20A2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22A7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28F2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20A2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20A2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20A2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\befedad8-b762-4855-a241-5ad56fb9c1e0\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5f5e559e-51e4-40f5-a979-c720bd65ddd4\\20A2.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\20A2.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 824 set thread context of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\20A2.exe | C:\Users\Admin\AppData\Local\Temp\20A2.exe |
| PID 4088 set thread context of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\20A2.exe | C:\Users\Admin\AppData\Local\Temp\20A2.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\22A7.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\28F2.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466.exe | "C:\Users\Admin\AppData\Local\Temp\b93b965e7ff6dd4f04767aaec38de1076a24ad671eb72902440f3489dbec1466.exe" |
| C:\Users\Admin\AppData\Local\Temp\20A2.exe | C:\Users\Admin\AppData\Local\Temp\20A2.exe |
| C:\Users\Admin\AppData\Local\Temp\22A7.exe | C:\Users\Admin\AppData\Local\Temp\22A7.exe |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\25E4.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\25E4.dll |
| C:\Users\Admin\AppData\Local\Temp\28F2.exe | C:\Users\Admin\AppData\Local\Temp\28F2.exe |
| C:\Users\Admin\AppData\Local\Temp\20A2.exe | C:\Users\Admin\AppData\Local\Temp\20A2.exe |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\5f5e559e-51e4-40f5-a979-c720bd65ddd4" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\20A2.exe | "C:\Users\Admin\AppData\Local\Temp\20A2.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\20A2.exe | "C:\Users\Admin\AppData\Local\Temp\20A2.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\befedad8-b762-4855-a241-5ad56fb9c1e0\build3.exe | "C:\Users\Admin\AppData\Local\befedad8-b762-4855-a241-5ad56fb9c1e0\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.97.0:80 | potunulit.org | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| MK | 95.86.21.52:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 52.21.86.95.in-addr.arpa | udp |
| NL | 194.169.175.233:3003 | 194.169.175.233 | tcp |
| US | 8.8.8.8:53 | 233.175.169.194.in-addr.arpa | udp |
| MK | 95.86.21.52:80 | colisumy.com | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| US | 8.8.8.8:53 | 142.9.123.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 254.217.0.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.15.18.104.in-addr.arpa | udp |
| PL | 51.83.170.21:19447 | N/A | tcp |
| US | 8.8.8.8:53 | 101.14.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.170.83.51.in-addr.arpa | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| MK | 95.86.21.52:80 | colisumy.com | tcp |
| MX | 187.211.35.122:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 122.35.211.187.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| MX | 187.211.35.122:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\20A2.exe
| MD5 | 266896e7e2d506f89329bb619bab4308 |
| SHA1 | 0784edc05448c5d9b539e4691ea1a9a9353c59d9 |
| SHA256 | c9964e538d02daf8e0b3ec0e218072333b23be6fbb2fce50570fef44bca24b65 |
| SHA512 | acaf22d619c64b16dffcc4a0cac350fb4f42bf87930fd5296fdb7a5ba9a1293aec50d13bad573f6e4dd364009e418794fa2c230894b484571253ea67123ed144 |
C:\Users\Admin\AppData\Local\Temp\22A7.exe
| MD5 | 7e00f4836c516917a5861eda86a3d75c |
| SHA1 | e1c3fbb897f8bf71ab9dd061aff0b6fef96cd9f3 |
| SHA256 | 0b3a3447266821c3576804ab0e6dfad149cd31475f94c4aed70dd1591410ee94 |
| SHA512 | 6b9d9918b7c9cc743d4d68707524a466ede53d51206556c94de7cfe59e1538781f009c0ba01e99170aedd9444832224567e843dcad56d94a807e60f10275caad |
C:\Users\Admin\AppData\Local\Temp\25E4.dll
| MD5 | 26e1245dd1956f78db2f5df66797be05 |
| SHA1 | f348aa001f8e07d0827381f2fa25a70989290960 |
| SHA256 | 9a2ea82915649317faa2505844939408e36d42d3a8f1e5297183f27996bd2cbf |
| SHA512 | cece910e924c6954169b32e323f917f34728ede52874ff28f09c4dc4c4f170bdd208aa2fd9d0b3183cad0beeb59e186249da9e415e720c964099df43f1378cee |
C:\Users\Admin\AppData\Local\Temp\28F2.exe
| MD5 | 76b6104b8a6a69cf736fb896affecdd3 |
| SHA1 | 317bf0b92075c47c9d609b92de6bb9020f30e453 |
| SHA256 | 003b8ae60ba3c352ccc319aeded1c85b145a27e75a84bdc5646feea7cdb606a9 |
| SHA512 | 9915d45c39a8d5219430f6fa51a5837ff84f55fde4050cc9932a1cdc26bf4b1590f06229504dca82ebda4568987a2186e9703baa7edbdf153c84c70e8491c210 |
C:\Users\Admin\AppData\Local\5f5e559e-51e4-40f5-a979-c720bd65ddd4\20A2.exe
| MD5 | 266896e7e2d506f89329bb619bab4308 |
| SHA1 | 0784edc05448c5d9b539e4691ea1a9a9353c59d9 |
| SHA256 | c9964e538d02daf8e0b3ec0e218072333b23be6fbb2fce50570fef44bca24b65 |
| SHA512 | acaf22d619c64b16dffcc4a0cac350fb4f42bf87930fd5296fdb7a5ba9a1293aec50d13bad573f6e4dd364009e418794fa2c230894b484571253ea67123ed144 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 38fe20464f4566665a3e93bc25958d45 |
| SHA1 | f1da804263c20548ab1520bb7f728cba31aa1af9 |
| SHA256 | aa075f76b582d3c8d6aecc2a2b643a6434a818e44b20933625a2c30d21d78d7a |
| SHA512 | c1ed7d73f7864e274259580c432f6efcd5b08251fa7e131d731b8421cfcb440d6436a57bac81fa74db9f12eb3aef8853bdf5454773dc33d89354ba1e9ba2679e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 16d82032164bbdfc89fefbb31988cbb1 |
| SHA1 | 78436de0a3b09260bd10f8c4d03c70ec58bb7f90 |
| SHA256 | c6c73df2fb8f57ad1ccad37087e57e2ea55d22f36d613c97ba4b38de0556a414 |
| SHA512 | 98df3504e786c9e8b81877264bd185cbb8e46b55ea6e94bffacfbabd23cb2c7ef11098195e06f1d6919403ec9ecc8de2a6736fd5e015d1c8358dd75c62099f0a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 91d59ea2f3257a955e2255f336da59bb |
| SHA1 | f138077c1e604bb60062004fa2a4fb0ebbc6be34 |
| SHA256 | d1a14d2fb21738523a59e22ded7d5d14eb4157be7de0791c53398c1c9e3b050a |
| SHA512 | 21ddc22a1831e84bf097de9a637a3e60a82e5f9270200856c26f5d40fe0a7e372a81877746a09ef33bbe7cd4e821fdd1689e5d42c16f824ff3e05dfc4cc22e73 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 8f7bb44c968ffa609c65b5b9117cc9ed |
| SHA1 | 0fd4862a55d0088a7cfdbff65a338e0507fa7d66 |
| SHA256 | 6f94417de1b1f6d932dc46e660e17bff263e2f0620c0ecb282cac579553eb84d |
| SHA512 | e9d6c64c540317446caf86ffe4af066b6b35c5bca973cf6a8ff6a909ada4e8d69d85a74a10453da95a48e17ecde6a6532e477502b6ec1b6e46a120dea809cff3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\befedad8-b762-4855-a241-5ad56fb9c1e0\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |