Analysis Overview
SHA256
89c7375eafa6fc37ab8d65a54670dcc7bab9c4661b3aaeb07c30389f1366fb7e
Threat Level: Known bad
The file 89c7375eafa6fc37ab8d65a54670dcc7bab9c4661b3aaeb07c30389f1366fb7e was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
Amadey
SmokeLoader
Djvu Ransomware
RedLine
Downloads MZ/PE file
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Reads user/profile data of web browsers
Looks up external IP address via web service
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-13 12:30
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-13 12:30
Reported
2023-09-13 12:33
Platform
win10v2004-20230831-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
RedLine
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F5CF.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E8D9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1B7.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\11AA.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ec8e77ee-58e6-4a9f-a27b-56fc0189ff95\\E8D9.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\E8D9.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{645A6AFD-E765-4055-8900-0A0760E9DE54}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\E8D9.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1B7.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\11AA.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\89c7375eafa6fc37ab8d65a54670dcc7bab9c4661b3aaeb07c30389f1366fb7e.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\89c7375eafa6fc37ab8d65a54670dcc7bab9c4661b3aaeb07c30389f1366fb7e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\B8D.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\B8D.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\B8D.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\89c7375eafa6fc37ab8d65a54670dcc7bab9c4661b3aaeb07c30389f1366fb7e.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c7375eafa6fc37ab8d65a54670dcc7bab9c4661b3aaeb07c30389f1366fb7e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c7375eafa6fc37ab8d65a54670dcc7bab9c4661b3aaeb07c30389f1366fb7e.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c7375eafa6fc37ab8d65a54670dcc7bab9c4661b3aaeb07c30389f1366fb7e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B8D.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege (28 events, alternating with the row below; process not recorded) | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege (28 events) | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EA9F.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F05F.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\89c7375eafa6fc37ab8d65a54670dcc7bab9c4661b3aaeb07c30389f1366fb7e.exe
"C:\Users\Admin\AppData\Local\Temp\89c7375eafa6fc37ab8d65a54670dcc7bab9c4661b3aaeb07c30389f1366fb7e.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Users\Admin\AppData\Local\Temp\E8D9.exe
C:\Users\Admin\AppData\Local\Temp\E8D9.exe
C:\Users\Admin\AppData\Local\Temp\EA9F.exe
C:\Users\Admin\AppData\Local\Temp\EA9F.exe
C:\Users\Admin\AppData\Local\Temp\E8D9.exe
C:\Users\Admin\AppData\Local\Temp\E8D9.exe
C:\Users\Admin\AppData\Local\Temp\ED6F.exe
C:\Users\Admin\AppData\Local\Temp\ED6F.exe
C:\Users\Admin\AppData\Local\Temp\EEF7.exe
C:\Users\Admin\AppData\Local\Temp\EEF7.exe
C:\Users\Admin\AppData\Local\Temp\F05F.exe
C:\Users\Admin\AppData\Local\Temp\F05F.exe
C:\Users\Admin\AppData\Local\Temp\F5CF.exe
C:\Users\Admin\AppData\Local\Temp\F5CF.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ec8e77ee-58e6-4a9f-a27b-56fc0189ff95" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1B7.exe
C:\Users\Admin\AppData\Local\Temp\1B7.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Users\Admin\AppData\Local\Temp\419.exe
C:\Users\Admin\AppData\Local\Temp\419.exe
C:\Users\Admin\AppData\Local\Temp\1B7.exe
C:\Users\Admin\AppData\Local\Temp\1B7.exe
C:\Users\Admin\AppData\Local\Temp\E8D9.exe
"C:\Users\Admin\AppData\Local\Temp\E8D9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\6D9.exe
C:\Users\Admin\AppData\Local\Temp\6D9.exe
C:\Users\Admin\AppData\Local\Temp\E8D9.exe
"C:\Users\Admin\AppData\Local\Temp\E8D9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\B8D.exe
C:\Users\Admin\AppData\Local\Temp\B8D.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3172 -ip 3172
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1022.dll
C:\Users\Admin\AppData\Local\Temp\1B7.exe
"C:\Users\Admin\AppData\Local\Temp\1B7.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\11AA.exe
C:\Users\Admin\AppData\Local\Temp\11AA.exe
C:\Users\Admin\AppData\Local\Temp\1B7.exe
"C:\Users\Admin\AppData\Local\Temp\1B7.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\11AA.exe
C:\Users\Admin\AppData\Local\Temp\11AA.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 568
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\1022.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3828 -ip 3828
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 568
C:\Users\Admin\AppData\Local\Temp\11AA.exe
"C:\Users\Admin\AppData\Local\Temp\11AA.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\11AA.exe
"C:\Users\Admin\AppData\Local\Temp\11AA.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 568
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
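The process tree above carries the host artefacts a detection engineer would turn into rules: icacls denying Everyone (S-1-1-0) delete and delete-child rights on the dropped folder, a schtasks job that re-runs the Temp copy every minute, cacls setting the victim's own access to none, dropped binaries relaunching themselves with `--Admin IsNotAutoStart IsNotTask`, regsvr32 /s on a DLL in Temp, and the SysHelper Run key. The Python below is an added example, not part of the sandbox output: the rule names, the event tuple shape and the regex thresholds are this example's own choices. The sample events are the command lines and the Run value from this report (the Run value with its JSON-style `\\` escaping removed), plus a svchost and a WerFault line as negatives.

```python
"""Host-artefact hunting rules distilled from the Processes and Run-key
tables of this report.  Added example, not part of the sandbox output;
rule names are hypothetical."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


# Command-line rules, matched case-insensitively with re.search.
CMDLINE_RULES = {
    # icacls denying Everyone (S-1-1-0) DELETE (DE) and DELETE_CHILD (DC),
    # inherited to files (OI) and subfolders (CI), on a folder under
    # AppData\Local: the dropped copy protects itself against removal.
    "icacls_deny_everyone_delete":
        r'icacls\s+"[^"]*\\AppData\\Local\\[^"]+"\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)',
    # Task firing every minute whose action lives under AppData.
    "schtasks_minute_interval_appdata":
        r'schtasks(?:\.exe)?"?\s+/Create\b.*/SC\s+MINUTE\s+/MO\s+1\b.*/TR\s+"?[^"]*\\AppData\\',
    # cacls /P <user>:N replaces the ACL with "no access" for that user, so
    # the logged-on victim can no longer read or delete the dropped binary.
    "cacls_self_lockdown":
        r'\bcacls\s+"[^"]+"\s+/P\s+"[^"]+:N"',
    # A Temp executable relaunching itself with the argument triplet seen
    # for E8D9.exe, 1B7.exe and 11AA.exe in this report.
    "temp_exe_admin_relaunch":
        r'\\AppData\\Local\\Temp\\[^"\\]+\.exe"?\s+--Admin\s+IsNotAutoStart\s+IsNotTask',
}

# regsvr32 /s on a Temp DLL needs the image name as well, because the
# 32-bit re-launch from SysWOW64 carries only "/s <path>" as command line.
REGSVR32_TEMP_DLL = re.compile(r'/s\s+"?[^"\s]*\\Temp\\[^"\s]+\.dll', re.I)

# Run-key value that starts something under AppData\Local with --AutoStart.
RUN_KEY = re.compile(r'\\CurrentVersion\\Run\\[^\\]+$', re.I)
RUN_VALUE = re.compile(r'\\AppData\\Local\\[^"]+\.exe"?\s+--AutoStart', re.I)


def triage_process(image, cmdline):
    """Findings raised by one process-creation event."""
    findings = []
    text = cmdline or image
    for name, pattern in CMDLINE_RULES.items():
        if re.search(pattern, text, re.I):
            findings.append(Finding(name, text))
    if image.lower().endswith("regsvr32.exe") and REGSVR32_TEMP_DLL.search(text):
        findings.append(Finding("regsvr32_silent_temp_dll", text))
    return findings


def triage_registry(key, value):
    """Findings raised by one registry set-value event."""
    if RUN_KEY.search(key) and RUN_VALUE.search(value):
        return [Finding("run_key_autostart_appdata", f"{key} = {value}")]
    return []


def triage_events(events):
    """events: iterable of ("process", image, cmdline) or ("registry", key, value)."""
    findings = []
    for kind, a, b in events:
        findings += triage_process(a, b) if kind == "process" else triage_registry(a, b)
    return findings


# Events taken from this report's Processes and Run-key tables.
SAMPLE_EVENTS = [
    ("process", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ("process", r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\ec8e77ee-58e6-4a9f-a27b-56fc0189ff95" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    ("process", r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'),
    ("process", r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit'),
    ("process", r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "yiueea.exe" /P "Admin:N"'),
    ("process", r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "yiueea.exe" /P "Admin:R" /E'),
    ("process", r"C:\Users\Admin\AppData\Local\Temp\E8D9.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\E8D9.exe" --Admin IsNotAutoStart IsNotTask'),
    ("process", r"C:\Windows\system32\regsvr32.exe", r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1022.dll"),
    ("process", r"C:\Windows\SysWOW64\regsvr32.exe", r"/s C:\Users\Admin\AppData\Local\Temp\1022.dll"),
    ("process", r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 568"),
    ("registry",
     r"\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     r'"C:\Users\Admin\AppData\Local\ec8e77ee-58e6-4a9f-a27b-56fc0189ff95\E8D9.exe" --AutoStart'),
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.evidence}")
```

The cacls rule fires twice on purpose: once on the cmd.exe parent line and once on the cacls.exe child, which is what you see in real telemetry when a one-liner is fanned out into child processes, so deduplicate on rule plus parent PID before alerting. The `/P "Admin:R" /E` line that restores read access is deliberately not matched; only the `:N` step that strips access is the signal.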
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.132.60.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.97.0:80 | potunulit.org | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| MX | 189.186.80.218:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.80.186.189.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| NL | 194.169.175.232:80 | 194.169.175.232 | tcp |
| US | 8.8.8.8:53 | 232.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 254.217.0.162.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.15.18.104.in-addr.arpa | udp |
| MX | 189.186.80.218:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | 101.14.18.104.in-addr.arpa | udp |
| US | 38.181.25.43:3325 | N/A | tcp |
| MD | 176.123.9.142:14845 | N/A | tcp |
| US | 8.8.8.8:53 | 142.9.123.176.in-addr.arpa | udp |
| NL | 194.169.175.232:45450 | N/A | tcp |
| US | 8.8.8.8:53 | 43.25.181.38.in-addr.arpa | udp |
| GB | 51.38.95.107:42494 | N/A | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| NL | 194.169.175.232:80 | 194.169.175.232 | tcp |
| US | 8.8.8.8:53 | 107.95.38.51.in-addr.arpa | udp |
| BG | 193.42.32.101:80 | 193.42.32.101 | tcp |
| US | 8.8.8.8:53 | 101.32.42.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login-sofi.4dq.com | udp |
| DE | 45.79.249.147:443 | login-sofi.4dq.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.249.79.45.in-addr.arpa | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 194.169.175.232:45450 | N/A | tcp |
| US | 8.8.8.8:53 | 126.22.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gudintas.at | udp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| US | 8.8.8.8:53 | 3.30.86.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
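Most rows in the Network table are resolver noise (reverse PTR lookups of every peer via 8.8.8.8), and several rows without a domain were exported with the protocol shifted into the Domain column. The Python below is an added example, not part of the sandbox output: it parses rows in the table's markdown form, repairs the shifted rows, drops PTR noise, deduplicates repeated connections such as the twenty gudintas.at rows, and labels what is left. The allow-list (tse1.mm.bing.net as sandbox background traffic), the service list (api.2ip.ua, transfer.sh) and the "raw IP on a non-web port" heuristic are this example's own choices; the sample rows are copied from this report.

```python
"""Network-IOC triage over the Network table of this report.

Added example, not part of the sandbox output.  SAMPLE_ROWS are copied from
the report (one row kept in the column-shifted form the export produced);
the allow-list, service list and port heuristic are this example's own
choices and need tuning for another environment."""
from collections import Counter

RESOLVER_PORT = 53
WEB_PORTS = {80, 443}
# Expected background traffic of the Windows 10 sandbox image, not an IOC.
BENIGN_HOSTS = {"tse1.mm.bing.net"}
# Third-party services the malware uses but does not control.
SERVICE_HOSTS = {
    "api.2ip.ua": "external IP lookup",
    "transfer.sh": "public file host, possible payload staging",
}


def parse_row(line):
    """Parse one markdown row of the Network table; None for header/blank lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    country, dest, domain, proto = cells
    # Export quirk: rows without a domain carry "tcp"/"udp" in the Domain
    # column and leave Proto empty.  Shift them back into place.
    if proto == "" and domain.lower() in ("tcp", "udp"):
        domain, proto = "", domain
    host, _, port = dest.rpartition(":")
    # "N/A", empty, or a Domain equal to the IP all mean direct-to-IP traffic.
    if domain in ("", "N/A") or domain == host:
        domain = None
    return {"country": country, "host": host, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def classify(conn):
    """Triage label for one non-DNS connection."""
    domain, port = conn["domain"], conn["port"]
    if domain in BENIGN_HOSTS:
        return "benign"
    if domain in SERVICE_HOSTS:
        return "service"
    if domain is None:
        # Raw IP on a high port is the usual stealer/loader beacon shape.
        return "raw_ip_http" if port in WEB_PORTS else "raw_ip_nonstandard_port"
    return "domain_candidate"


def triage_network(rows):
    """Return (iocs, stats, queried).

    iocs: one dict per distinct (host, port, proto), benign hosts excluded;
    stats: Counter of labels and of dropped rows;
    queried: forward DNS names seen at the resolver (PTR lookups discarded)."""
    seen, iocs, stats, queried = set(), [], Counter(), set()
    for line in rows:
        conn = parse_row(line)
        if conn is None:
            continue
        if conn["port"] == RESOLVER_PORT and conn["proto"] == "udp":
            name = conn["domain"] or ""
            if not name or name.endswith(".in-addr.arpa"):
                stats["ptr_noise"] += 1   # reverse lookups of peers, no IOC value
            else:
                queried.add(name)
            continue
        key = (conn["host"], conn["port"], conn["proto"])
        if key in seen:
            stats["duplicate_rows"] += 1
            continue
        seen.add(key)
        label = classify(conn)
        stats[label] += 1
        if label != "benign":
            iocs.append({**conn, "label": label,
                         "note": SERVICE_HOSTS.get(conn["domain"], "")})
    return iocs, stats, queried


SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.97.0:80 | potunulit.org | tcp |
| MX | 189.186.80.218:80 | colisumy.com | tcp |
| NL | 194.169.175.232:80 | 194.169.175.232 | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 38.181.25.43:3325 | tcp | |
| MD | 176.123.9.142:14845 | N/A | tcp |
| NL | 194.169.175.232:45450 | N/A | tcp |
| GB | 51.38.95.107:42494 | N/A | tcp |
| BG | 193.42.32.101:80 | 193.42.32.101 | tcp |
| DE | 45.79.249.147:443 | login-sofi.4dq.com | tcp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| MK | 95.86.30.3:80 | gudintas.at | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

if __name__ == "__main__":
    iocs, stats, queried = triage_network(SAMPLE_ROWS.splitlines())
    for ioc in iocs:
        print(f'{ioc["label"]:24} {ioc["host"]}:{ioc["port"]} {ioc["domain"] or ""} {ioc["note"]}')
    print(dict(stats), sorted(queried))
```

Note that 194.169.175.232 shows up twice with different labels (port 80 and port 45450); keeping the port in the dedup key preserves that distinction, which matters because the two connections are almost certainly different components of the chain talking to the same host.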
Files
memory/3340-1-0x0000000002460000-0x0000000002560000-memory.dmp
memory/3340-2-0x0000000000400000-0x00000000022F3000-memory.dmp
memory/3340-3-0x0000000004040000-0x0000000004049000-memory.dmp
memory/3136-4-0x0000000002A40000-0x0000000002A56000-memory.dmp
memory/3340-5-0x0000000000400000-0x00000000022F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E8D9.exe
| MD5 | f2438a95fee80045604af453bc9d0fd5 |
| SHA1 | 37710cc10f12a60f7f27f788eb6eefd85c228593 |
| SHA256 | d3a988e97c5a72769f2a1b8962eb92c9c381e36f620b111e39fdcf187a6219c8 |
| SHA512 | 7e53d081b740b2dbae8318764268f67a842f0d50aa8f3a9c5478259353816099f43d8b8e84ea56e7bbde18600f647128280fbdec8fb7e938b96f6ce5d8cd3ff5 |
C:\Users\Admin\AppData\Local\Temp\EA9F.exe
| MD5 | aa57bc271352cd6da84865709da432ac |
| SHA1 | 7aa710914991c996b1fc4df8c8b633f5bb3d3a16 |
| SHA256 | 1d7efef95b514586c08757bb66c611018ff59a71ff17f7ac529fbbf2a0fdde13 |
| SHA512 | b38e645066bf61ee1cb4f1b68e9bf749afdee1aa15934a2397ad078e0f8c1620196e485c5fde8a9e5df7f8119d2abb5a63b2af16f6e91c939bea95d5813b44cf |
memory/228-20-0x0000000004050000-0x00000000040EE000-memory.dmp
memory/228-21-0x00000000040F0000-0x000000000420B000-memory.dmp
memory/5072-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5072-25-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5072-27-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5072-31-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ED6F.exe
| MD5 | f80d0dc2fe6ef74e286f99444bd6fe83 |
| SHA1 | 30d3c3da98bc194650f0709b445863b76edb4fd8 |
| SHA256 | 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa |
| SHA512 | 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b |
memory/928-34-0x00000000005E0000-0x0000000000610000-memory.dmp
memory/928-33-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EEF7.exe
| MD5 | 7980cd6aa2f009db138977c965cd2c1e |
| SHA1 | dbd57e3756c356abd5723ed000503a38518722d8 |
| SHA256 | b547730be7b7d3f9d6e2500930f144e58db1ea4caffeb266ddb60dd30562e8c4 |
| SHA512 | 799298da85498c8d7868bacaee7a3a262fa339688e25ddf5b6017888c99c6fca2643f93ba0f1cddd2916b908ce4b94416d623ffef7c41a6fe5c0681f17946ee5 |
memory/928-44-0x0000000073AB0000-0x0000000074260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F05F.exe
| MD5 | 8e80f352faa21ac6bd996e86cd71640a |
| SHA1 | 347e8c111508d0095a05328175c0be5b86677730 |
| SHA256 | eb0c08d12d022aea720fe5fd6a85a4f98a5c8bfd75ac93c0ba7b0abf370e5df3 |
| SHA512 | 17c83f65d57c713f96d65e56467da77d5bf48c1e5e89ea654b50fd74767621a81a4fa0ed5d44331289c4ce8ca8162ad921cedf2c0fab40a402168313a761a038 |
memory/1220-48-0x00000000005E0000-0x0000000000610000-memory.dmp
memory/1220-49-0x0000000000400000-0x0000000000443000-memory.dmp
memory/928-47-0x0000000004CE0000-0x00000000052F8000-memory.dmp
memory/928-51-0x0000000005300000-0x000000000540A000-memory.dmp
memory/928-58-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F5CF.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/928-65-0x0000000004C60000-0x0000000004C9C000-memory.dmp
memory/1220-66-0x0000000073AB0000-0x0000000074260000-memory.dmp
memory/928-56-0x0000000004C40000-0x0000000004C52000-memory.dmp
memory/1220-67-0x0000000004B50000-0x0000000004B60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/452-79-0x0000000000400000-0x0000000000430000-memory.dmp
memory/452-80-0x0000000073AB0000-0x0000000074260000-memory.dmp
memory/3228-81-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3228-82-0x0000000073AB0000-0x0000000074260000-memory.dmp
memory/452-83-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
memory/5072-84-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\ec8e77ee-58e6-4a9f-a27b-56fc0189ff95\E8D9.exe
| MD5 | f2438a95fee80045604af453bc9d0fd5 |
| SHA1 | 37710cc10f12a60f7f27f788eb6eefd85c228593 |
| SHA256 | d3a988e97c5a72769f2a1b8962eb92c9c381e36f620b111e39fdcf187a6219c8 |
| SHA512 | 7e53d081b740b2dbae8318764268f67a842f0d50aa8f3a9c5478259353816099f43d8b8e84ea56e7bbde18600f647128280fbdec8fb7e938b96f6ce5d8cd3ff5 |
C:\Users\Admin\AppData\Local\Temp\1B7.exe
| MD5 | f2438a95fee80045604af453bc9d0fd5 |
| SHA1 | 37710cc10f12a60f7f27f788eb6eefd85c228593 |
| SHA256 | d3a988e97c5a72769f2a1b8962eb92c9c381e36f620b111e39fdcf187a6219c8 |
| SHA512 | 7e53d081b740b2dbae8318764268f67a842f0d50aa8f3a9c5478259353816099f43d8b8e84ea56e7bbde18600f647128280fbdec8fb7e938b96f6ce5d8cd3ff5 |
C:\Users\Admin\AppData\Local\Temp\419.exe
| MD5 | f80d0dc2fe6ef74e286f99444bd6fe83 |
| SHA1 | 30d3c3da98bc194650f0709b445863b76edb4fd8 |
| SHA256 | 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa |
| SHA512 | 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b |
memory/4544-96-0x0000000000400000-0x0000000000537000-memory.dmp
memory/928-97-0x0000000073AB0000-0x0000000074260000-memory.dmp
memory/5072-100-0x0000000000400000-0x0000000000537000-memory.dmp
memory/928-104-0x0000000004CD0000-0x0000000004CE0000-memory.dmp
memory/4544-99-0x0000000000400000-0x0000000000537000-memory.dmp
memory/548-98-0x000000000250E000-0x000000000259F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1B7.exe
| MD5 | f2438a95fee80045604af453bc9d0fd5 |
| SHA1 | 37710cc10f12a60f7f27f788eb6eefd85c228593 |
| SHA256 | d3a988e97c5a72769f2a1b8962eb92c9c381e36f620b111e39fdcf187a6219c8 |
| SHA512 | 7e53d081b740b2dbae8318764268f67a842f0d50aa8f3a9c5478259353816099f43d8b8e84ea56e7bbde18600f647128280fbdec8fb7e938b96f6ce5d8cd3ff5 |
C:\Users\Admin\AppData\Local\Temp\6D9.exe
| MD5 | b7a9dd705bcc0dbfc9cabc69b2953b33 |
| SHA1 | bb0c29b2169c908b8d25637651eeaa32135e0b80 |
| SHA256 | aeb52394baaa77dd4761926e2ae17bdb10423408fac0256159ea61b18c3b5e3d |
| SHA512 | 62140abc3a36ee8593b59389a5b98ebc9baab411c6c5f466d3a4291f7a89c4cff469373a5a1dd530df9decdee165480834cb7323dd78728eadee52acc8f2eadf |
memory/4544-111-0x0000000000400000-0x0000000000537000-memory.dmp
memory/912-112-0x000001D664600000-0x000001D6646C0000-memory.dmp
memory/1220-107-0x0000000073AB0000-0x0000000074260000-memory.dmp
memory/912-114-0x00007FF935EF0000-0x00007FF9369B1000-memory.dmp
memory/912-113-0x000001D666250000-0x000001D66626A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\419.exe
| MD5 | f80d0dc2fe6ef74e286f99444bd6fe83 |
| SHA1 | 30d3c3da98bc194650f0709b445863b76edb4fd8 |
| SHA256 | 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa |
| SHA512 | 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b |
memory/4720-118-0x0000000003ED0000-0x0000000003F65000-memory.dmp
memory/912-119-0x000001D666210000-0x000001D666220000-memory.dmp
memory/1220-121-0x0000000004B50000-0x0000000004B60000-memory.dmp
memory/3172-120-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3172-117-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E8D9.exe
| MD5 | f2438a95fee80045604af453bc9d0fd5 |
| SHA1 | 37710cc10f12a60f7f27f788eb6eefd85c228593 |
| SHA256 | d3a988e97c5a72769f2a1b8962eb92c9c381e36f620b111e39fdcf187a6219c8 |
| SHA512 | 7e53d081b740b2dbae8318764268f67a842f0d50aa8f3a9c5478259353816099f43d8b8e84ea56e7bbde18600f647128280fbdec8fb7e938b96f6ce5d8cd3ff5 |
memory/3172-129-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 8cb8f90ec602fd3a3e719cb78d8c7cce |
| SHA1 | cdf764f8683ff175fb19bb0ed9e8765e28033e3b |
| SHA256 | da35784b211cae7f4696f5b33b9b2ba9295bfa1016ad92ed28a3d588c1c84651 |
| SHA512 | 939433b40ad73f85b50268616a1717dc3be47087450d7682b4dab5a657a4279a9a61d706b5e6fc24183995a27ab0803d704e0f2fde6e450d3b05d8b4c0bd6395 |
C:\Users\Admin\AppData\Local\Temp\B8D.exe
| MD5 | 92655ee9fd597b85b09a085a2c21fbe1 |
| SHA1 | f60f980e9a5c315722b3953638f9f5da85ed4a7e |
| SHA256 | fefa50ffd7c9e19b4c4d84e664b894c6377196942024b71ee371c466d194ee9c |
| SHA512 | b01ccaf9c11c7ed1d3e2765c2f5590e53ba3ddac41a651298bf92028dccc0120431b91fc430b1cb587b3014f17e386605eba27559aa425e6f8beb7da23dc165c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 0b9bb0661221935b96a948767725a07e |
| SHA1 | 5d56324975d9ce798d51f773427c3a92476937e5 |
| SHA256 | 5b000f7127c7ea309d7198916840c34952ac174b4d2b7f448f4ac1de0241c648 |
| SHA512 | a32532a080f299562fdbd2c2bb6540bb25d2540f9dcf8c68a03d1aec960ec5af0b5c54b2355bd11d9dbb99a01d434674a9473fff0009e0e9d2ab2c3f86231747 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 9622537e51915638708894cb1125d8df |
| SHA1 | 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd |
| SHA256 | 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c |
| SHA512 | 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 27d4e034d0cee67b9b277787bec0b256 |
| SHA1 | 522c48eb051d44aa6b7af3ae6d9eee7eeea47edb |
| SHA256 | 80063a4f4b96ca1e7c6413a2ef5b2ad46df74e04cbd276f910603405f68e412f |
| SHA512 | daeff2cb142bb0dc7c3fd02230986c8f76acc4b5b8b525acde3bdfab385b03a16a5523d9e1d459807bcc3bcfed2911c36b1b09abf3184dcdc64dc10d5eb1f72a |
memory/452-134-0x0000000073AB0000-0x0000000074260000-memory.dmp
memory/3228-135-0x0000000073AB0000-0x0000000074260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1B7.exe
| MD5 | f2438a95fee80045604af453bc9d0fd5 |
| SHA1 | 37710cc10f12a60f7f27f788eb6eefd85c228593 |
| SHA256 | d3a988e97c5a72769f2a1b8962eb92c9c381e36f620b111e39fdcf187a6219c8 |
| SHA512 | 7e53d081b740b2dbae8318764268f67a842f0d50aa8f3a9c5478259353816099f43d8b8e84ea56e7bbde18600f647128280fbdec8fb7e938b96f6ce5d8cd3ff5 |
memory/3556-146-0x0000000002560000-0x0000000002569000-memory.dmp
memory/928-149-0x0000000005E10000-0x00000000063B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11AA.exe
| MD5 | 39ad210451d748bf993549920c723a0f |
| SHA1 | 96897d5a8cd21ef0f71c1c40159cff9373855508 |
| SHA256 | b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a |
| SHA512 | d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024 |
C:\Users\Admin\AppData\Local\Temp\1022.dll
| MD5 | 29a6feecd31507dcbf3355f6af904f10 |
| SHA1 | 255c9a34e25e24c426efe0cb2a7000761de4b95d |
| SHA256 | 3224f041256733ebd84c7881b95bb107e1c2cfb14de5c1688591fbb8888d9082 |
| SHA512 | e5ff8abe366b5995c97f7d2478fd833ce77e88deda668cb1280fab5bf94f0ee78b8293cdef9b2af83364d25f16d42e78bcfddc83028af67b0cf08b6e65b0edf6 |
memory/2072-155-0x0000000010000000-0x00000000102FA000-memory.dmp
memory/436-156-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3828-159-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1B7.exe
| MD5 | f2438a95fee80045604af453bc9d0fd5 |
| SHA1 | 37710cc10f12a60f7f27f788eb6eefd85c228593 |
| SHA256 | d3a988e97c5a72769f2a1b8962eb92c9c381e36f620b111e39fdcf187a6219c8 |
| SHA512 | 7e53d081b740b2dbae8318764268f67a842f0d50aa8f3a9c5478259353816099f43d8b8e84ea56e7bbde18600f647128280fbdec8fb7e938b96f6ce5d8cd3ff5 |
memory/4392-163-0x00000000040E0000-0x00000000041FB000-memory.dmp
memory/4392-157-0x0000000004030000-0x00000000040CD000-memory.dmp
memory/3556-153-0x0000000000400000-0x00000000022F3000-memory.dmp
memory/1220-145-0x0000000005560000-0x00000000055C6000-memory.dmp
memory/928-144-0x0000000005600000-0x0000000005692000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1022.dll
| MD5 | 29a6feecd31507dcbf3355f6af904f10 |
| SHA1 | 255c9a34e25e24c426efe0cb2a7000761de4b95d |
| SHA256 | 3224f041256733ebd84c7881b95bb107e1c2cfb14de5c1688591fbb8888d9082 |
| SHA512 | e5ff8abe366b5995c97f7d2478fd833ce77e88deda668cb1280fab5bf94f0ee78b8293cdef9b2af83364d25f16d42e78bcfddc83028af67b0cf08b6e65b0edf6 |
memory/3556-139-0x00000000025E0000-0x00000000026E0000-memory.dmp
memory/4544-136-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1220-138-0x0000000005440000-0x00000000054B6000-memory.dmp
memory/1964-164-0x0000000003FF8000-0x0000000004089000-memory.dmp
memory/436-162-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11AA.exe
| MD5 | 39ad210451d748bf993549920c723a0f |
| SHA1 | 96897d5a8cd21ef0f71c1c40159cff9373855508 |
| SHA256 | b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a |
| SHA512 | d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024 |
memory/3828-166-0x0000000000400000-0x0000000000537000-memory.dmp
memory/436-167-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2072-165-0x00000000008F0000-0x00000000008F6000-memory.dmp
memory/452-170-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
memory/436-171-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3828-169-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3228-173-0x0000000005680000-0x0000000005690000-memory.dmp
memory/3228-175-0x0000000006BC0000-0x0000000006C10000-memory.dmp
memory/3136-174-0x00000000085B0000-0x00000000085C6000-memory.dmp
memory/4776-176-0x0000000073AB0000-0x0000000074260000-memory.dmp
memory/4776-182-0x0000000005110000-0x0000000005120000-memory.dmp
memory/3556-179-0x0000000000400000-0x00000000022F3000-memory.dmp
memory/436-184-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11AA.exe
| MD5 | 39ad210451d748bf993549920c723a0f |
| SHA1 | 96897d5a8cd21ef0f71c1c40159cff9373855508 |
| SHA256 | b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a |
| SHA512 | d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024 |
memory/912-189-0x00007FF935EF0000-0x00007FF9369B1000-memory.dmp
memory/4332-191-0x00000000040C0000-0x0000000004153000-memory.dmp
memory/1760-194-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1760-195-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11AA.exe
| MD5 | 39ad210451d748bf993549920c723a0f |
| SHA1 | 96897d5a8cd21ef0f71c1c40159cff9373855508 |
| SHA256 | b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a |
| SHA512 | d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024 |
memory/1760-197-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1220-198-0x0000000006400000-0x00000000065C2000-memory.dmp
memory/1220-199-0x00000000065D0000-0x0000000006AFC000-memory.dmp
memory/912-200-0x000001D666210000-0x000001D666220000-memory.dmp
memory/1220-206-0x0000000073AB0000-0x0000000074260000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 0eab9cbc81b630365ed87e70a3bcf348 |
| SHA1 | d6ce2097af6c58fe41f98e1b0f9c264aa552d253 |
| SHA256 | e8f1178d92ce896b5f45c707050c3e84527db102bc3687e1e7208dbd34cd7685 |
| SHA512 | 1417409eee83f2c8d4a15f843374c826cc2250e23dc4d46648643d02bfbf8c463d6aa8b43274bf68be1e780f81d506948bf84903a7a1044b46b12813d67c9498 |
memory/3228-208-0x0000000073AB0000-0x0000000074260000-memory.dmp
memory/4776-209-0x0000000073AB0000-0x0000000074260000-memory.dmp
memory/452-210-0x0000000073AB0000-0x0000000074260000-memory.dmp
memory/2072-211-0x0000000002910000-0x0000000002A33000-memory.dmp
memory/2072-212-0x0000000010000000-0x00000000102FA000-memory.dmp
memory/2072-213-0x0000000002A40000-0x0000000002B47000-memory.dmp
memory/4776-218-0x0000000073AB0000-0x0000000074260000-memory.dmp
memory/928-220-0x0000000073AB0000-0x0000000074260000-memory.dmp
C:\Users\Admin\AppData\Roaming\dbsbfrj
| MD5 | 92655ee9fd597b85b09a085a2c21fbe1 |
| SHA1 | f60f980e9a5c315722b3953638f9f5da85ed4a7e |
| SHA256 | fefa50ffd7c9e19b4c4d84e664b894c6377196942024b71ee371c466d194ee9c |
| SHA512 | b01ccaf9c11c7ed1d3e2765c2f5590e53ba3ddac41a651298bf92028dccc0120431b91fc430b1cb587b3014f17e386605eba27559aa425e6f8beb7da23dc165c |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\wsu945B.tmp
| MD5 | c01eaa0bdcd7c30a42bbb35a9acbf574 |
| SHA1 | 0aee3e1b873e41d040f1991819d0027b6cc68f54 |
| SHA256 | 32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40 |
| SHA512 | d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 84a20e44b7704c9d37758fb4724705dd |
| SHA1 | 5cbcc563345837ac53e62bc89242a32221219eb8 |
| SHA256 | 1595ee90f2118d6303991623a42cc25babfc5df41d3d3f952ab279641f9fb2f5 |
| SHA512 | ca4192c269147652f8eeddd1212d1ca3fdef34b7e5a324dac7bf5121882473418a189e92ab0fe1298e5d2ca7b474a08c640d325a0e7324934ec7d5457a335e43 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 201a9d3d72b0038f11c3d0b1f371f414 |
| SHA1 | f8bdc3f4928e0d201eb8ac45035120e0da6bbc7d |
| SHA256 | ef6b98f55cfbc73ae34a8659a2a51535cf072557e6c20d91224632ec16791855 |
| SHA512 | 20754df2c3688b9ecdd1872db4d5d832462cd8e7c6b76afdadf8932c0a67f50c8630424015471b3a77b6c2f31240e08307cb776b14b5e36d2a18377b2d74af49 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 379668b59761bcead479dcbfd9fac95a |
| SHA1 | a9962e65a37802fff34fbbb527ac9dcb2e1e4bf0 |
| SHA256 | 9ca7922782699eda0edcfe9e9294ced0f1309a7f2fed5c2d3347d986dcc507db |
| SHA512 | 0bda6d0dca190b92f057e551d752402aac5a55afb7f2ce0291db581b026b0557ac2046a7e9994eb19de0b9d0ac2fdab6dfbbd1e5423a4991cb3989bdb4b42f4a |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 1dd4fe0920cad6312a3379918a2e501b |
| SHA1 | 134069d2db2c6030eca9f117bc10b8946e0137c7 |
| SHA256 | 8c41ebb690c7295932f824033f59b613af4daa6d9c70d8a5e7938b99902a3c9a |
| SHA512 | 8192ede6e8c9eb14b79a36556bf09a0ee0119edf3affae79029d0b8c289e56343bbaf8090dc7743794a1fc5634de4df9a949e3ae908771ae528c204630e6526f |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 496c229b999f3e92e1037f8d53db1174 |
| SHA1 | 5ee18e03550549b7c0faf7546d8013fb6ee8b299 |
| SHA256 | 895c8b29dd0fded8cf1c97d4fc234b58868277360a0af309f95c231da76e23fa |
| SHA512 | b8e88ad622a0248f134126c5466512a3988a0119080806f9ffd2b282e5f54bd886feeeb7072b46bf0de141d39cb192bcd1fa44814728f6b9e153d460059e57f6 |
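The dropped-file and memory-dump listing above is easier to act on once it is parsed rather than read: the same SHA256 appears under more than one path (1B7.exe and E8D9.exe carry identical hashes, as do B8D.exe and Roaming\dbsbfrj, which is consistent with one binary being copied under a second name), the InstallAgent checkpoint 9NCBCSZSJRSB.dat is rewritten with different content each time, and the region 0x400000-0x537000 is dumped from several PIDs, which is what repeated execution or injection of the same image looks like. The following parser is an added example written for this page, not part of the sandbox's own output or tooling; the sample text is constructed from a subset of the entries in the listing, and the hash-row and dump-name formats it matches are exactly the ones the listing uses.

```python
"""Parse a sandbox 'dropped files' listing into a de-duplicated IOC set.

Added example for the report above, not sandbox-vendor code. The sample
below is constructed from a subset of the report's own entries.
"""
import re
from collections import defaultdict

# Constructed sample: file records (path + hash rows) and memory dump names
# copied from the report listing; SHA512 rows are omitted for brevity.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\1B7.exe
| MD5 | f2438a95fee80045604af453bc9d0fd5 |
| SHA1 | 37710cc10f12a60f7f27f788eb6eefd85c228593 |
| SHA256 | d3a988e97c5a72769f2a1b8962eb92c9c381e36f620b111e39fdcf187a6219c8 |
C:\Users\Admin\AppData\Local\Temp\1B7.exe
| MD5 | f2438a95fee80045604af453bc9d0fd5 |
| SHA1 | 37710cc10f12a60f7f27f788eb6eefd85c228593 |
| SHA256 | d3a988e97c5a72769f2a1b8962eb92c9c381e36f620b111e39fdcf187a6219c8 |
memory/4544-96-0x0000000000400000-0x0000000000537000-memory.dmp
memory/928-97-0x0000000073AB0000-0x0000000074260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E8D9.exe
| MD5 | f2438a95fee80045604af453bc9d0fd5 |
| SHA1 | 37710cc10f12a60f7f27f788eb6eefd85c228593 |
| SHA256 | d3a988e97c5a72769f2a1b8962eb92c9c381e36f620b111e39fdcf187a6219c8 |
memory/5072-100-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B8D.exe
| MD5 | 92655ee9fd597b85b09a085a2c21fbe1 |
| SHA256 | fefa50ffd7c9e19b4c4d84e664b894c6377196942024b71ee371c466d194ee9c |
memory/3172-120-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1220-206-0x0000000073AB0000-0x0000000074260000-memory.dmp
C:\Users\Admin\AppData\Roaming\dbsbfrj
| MD5 | 92655ee9fd597b85b09a085a2c21fbe1 |
| SHA256 | fefa50ffd7c9e19b4c4d84e664b894c6377196942024b71ee371c466d194ee9c |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 84a20e44b7704c9d37758fb4724705dd |
| SHA256 | 1595ee90f2118d6303991623a42cc25babfc5df41d3d3f952ab279641f9fb2f5 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 201a9d3d72b0038f11c3d0b1f371f414 |
| SHA256 | ef6b98f55cfbc73ae34a8659a2a51535cf072557e6c20d91224632ec16791855 |
"""

# A hash row: "| MD5 | <hex> |"; a dump name: "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp"
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_report(text):
    """Return (file_records, memory_dumps) parsed from the flattened listing."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:          # orphan rows (no path above) are skipped
                current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        m = MEM_DUMP.match(line)
        if m:
            current = None                   # a dump line closes the open file record
            dumps.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                          "start": int(m.group(3), 16), "end": int(m.group(4), 16)})
            continue
        current = {"path": line, "hashes": {}}  # any other line opens a new file record
        files.append(current)
    return files, dumps


def paths_by_sha256(files):
    """Map each SHA256 to every path it was written under (same binary, several names)."""
    out = defaultdict(set)
    for rec in files:
        if "SHA256" in rec["hashes"]:
            out[rec["hashes"]["SHA256"]].add(rec["path"])
    return dict(out)


def rewritten_paths(files):
    """Paths written more than once with differing content (e.g. state/checkpoint files)."""
    seen = defaultdict(set)
    for rec in files:
        if "SHA256" in rec["hashes"]:
            seen[rec["path"]].add(rec["hashes"]["SHA256"])
    return {p: s for p, s in seen.items() if len(s) > 1}


def pids_by_region(dumps):
    """Group dumps by (start, end); one region across many PIDs suggests one re-run/injected image."""
    out = defaultdict(set)
    for d in dumps:
        out[(d["start"], d["end"])].add(d["pid"])
    return dict(out)


def ioc_sha256(files):
    """Sorted, de-duplicated SHA256 list suitable for a blocklist or hunt query."""
    return sorted({rec["hashes"]["SHA256"] for rec in files if "SHA256" in rec["hashes"]})
```

Feeding the full listing through `parse_report` instead of the sample gives the complete de-duplicated hash set for hunting, and `pids_by_region` makes the repeated 0x400000-0x537000 image (0x137000 bytes) stand out as the first dump to pull for static analysis.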