Analysis Overview
SHA256
3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b
Threat Level: Known bad
The file 3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b was found to be: Known bad.
Malicious Activity Summary
Amadey
Detected Djvu ransomware
RedLine
Djvu Ransomware
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Themida packer
Reads user/profile data of web browsers
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
Checks BIOS information in registry
Checks computer location settings
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks whether UAC is enabled
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: LoadsDriver
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-14 01:08
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-14 01:08
Reported
2023-09-14 01:11
Platform
win10v2004-20230831-en
Max time kernel
152s
Max time network
156s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
RedLine
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\F50F.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\F50F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\F50F.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2DE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EEB5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1260.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\21D6.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Themida packer
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7ded9d1d-64fb-4467-ba2b-e62e40be173a\\EEB5.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\EEB5.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\F50F.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F50F.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\EEB5.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1260.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\21D6.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1B8B.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1B8B.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1B8B.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B8B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F50F.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F995.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b.exe
"C:\Users\Admin\AppData\Local\Temp\3db5e0ada7aa377d38bb7a50353d6d6b251d8caef9a91903cd5d3debca317f0b.exe"
C:\Users\Admin\AppData\Local\Temp\EEB5.exe
C:\Users\Admin\AppData\Local\Temp\EEB5.exe
C:\Users\Admin\AppData\Local\Temp\EEB5.exe
C:\Users\Admin\AppData\Local\Temp\EEB5.exe
C:\Users\Admin\AppData\Local\Temp\F50F.exe
C:\Users\Admin\AppData\Local\Temp\F50F.exe
C:\Users\Admin\AppData\Local\Temp\F6E5.exe
C:\Users\Admin\AppData\Local\Temp\F6E5.exe
C:\Users\Admin\AppData\Local\Temp\F995.exe
C:\Users\Admin\AppData\Local\Temp\F995.exe
C:\Users\Admin\AppData\Local\Temp\FB3C.exe
C:\Users\Admin\AppData\Local\Temp\FB3C.exe
C:\Users\Admin\AppData\Local\Temp\2DE.exe
C:\Users\Admin\AppData\Local\Temp\2DE.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\7ded9d1d-64fb-4467-ba2b-e62e40be173a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\EEB5.exe
"C:\Users\Admin\AppData\Local\Temp\EEB5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\1260.exe
C:\Users\Admin\AppData\Local\Temp\1260.exe
C:\Users\Admin\AppData\Local\Temp\EEB5.exe
"C:\Users\Admin\AppData\Local\Temp\EEB5.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\1260.exe
C:\Users\Admin\AppData\Local\Temp\1260.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2296 -ip 2296
C:\Users\Admin\AppData\Local\Temp\17D1.exe
C:\Users\Admin\AppData\Local\Temp\17D1.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 568
C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2533.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2533.dll
C:\Users\Admin\AppData\Local\Temp\1260.exe
"C:\Users\Admin\AppData\Local\Temp\1260.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\21D6.exe
C:\Users\Admin\AppData\Local\Temp\21D6.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3468 -ip 3468
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 568
C:\Users\Admin\AppData\Local\Temp\21D6.exe
"C:\Users\Admin\AppData\Local\Temp\21D6.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\1260.exe
"C:\Users\Admin\AppData\Local\Temp\1260.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\21D6.exe
C:\Users\Admin\AppData\Local\Temp\21D6.exe
C:\Users\Admin\AppData\Local\Temp\1B8B.exe
C:\Users\Admin\AppData\Local\Temp\1B8B.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Users\Admin\AppData\Local\Temp\1511.exe
C:\Users\Admin\AppData\Local\Temp\1511.exe
C:\Users\Admin\AppData\Local\Temp\21D6.exe
"C:\Users\Admin\AppData\Local\Temp\21D6.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2108 -ip 2108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 568
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
Network
Files
memory/3188-1-0x00000000022F0000-0x00000000023F0000-memory.dmp
memory/3188-2-0x0000000000400000-0x0000000002290000-memory.dmp
memory/3188-3-0x0000000003FE0000-0x0000000003FE9000-memory.dmp
memory/3220-4-0x0000000002D60000-0x0000000002D76000-memory.dmp
memory/3188-5-0x0000000000400000-0x0000000002290000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EEB5.exe
| MD5 | 1631bd067f7a26ffbb67687957320e4a |
| SHA1 | 39db651bf4d3d499411c5678c221886b48406622 |
| SHA256 | f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120 |
| SHA512 | 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da |
C:\Users\Admin\AppData\Local\Temp\EEB5.exe
| MD5 | 1631bd067f7a26ffbb67687957320e4a |
| SHA1 | 39db651bf4d3d499411c5678c221886b48406622 |
| SHA256 | f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120 |
| SHA512 | 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da |
memory/1404-16-0x0000000003EF0000-0x0000000003F8C000-memory.dmp
memory/1404-17-0x00000000040D0000-0x00000000041EB000-memory.dmp
memory/4116-18-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EEB5.exe
| MD5 | 1631bd067f7a26ffbb67687957320e4a |
| SHA1 | 39db651bf4d3d499411c5678c221886b48406622 |
| SHA256 | f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120 |
| SHA512 | 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da |
memory/4116-20-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4116-21-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4116-22-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F50F.exe
| MD5 | 1b67e388efc2b48f047e9eeb16edcef2 |
| SHA1 | 2c5ddc2006c38caed1adab80df1e5a370821b47f |
| SHA256 | 46c718a1a788637723d284c0b8da50ff03c39ba214ee735c78b230d4055fa1f1 |
| SHA512 | 21fa1ebbba8a62176813547ee1a61297ab2ea862d36d349b06510819ce6d9d0502a2351ab23949248eb78335482defae86a98bc390e94cb08706219adb017e94 |
C:\Users\Admin\AppData\Local\Temp\F50F.exe
| MD5 | 1b67e388efc2b48f047e9eeb16edcef2 |
| SHA1 | 2c5ddc2006c38caed1adab80df1e5a370821b47f |
| SHA256 | 46c718a1a788637723d284c0b8da50ff03c39ba214ee735c78b230d4055fa1f1 |
| SHA512 | 21fa1ebbba8a62176813547ee1a61297ab2ea862d36d349b06510819ce6d9d0502a2351ab23949248eb78335482defae86a98bc390e94cb08706219adb017e94 |
memory/4840-27-0x0000000000150000-0x00000000009F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F6E5.exe
| MD5 | f80d0dc2fe6ef74e286f99444bd6fe83 |
| SHA1 | 30d3c3da98bc194650f0709b445863b76edb4fd8 |
| SHA256 | 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa |
| SHA512 | 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b |
memory/4840-31-0x0000000075000000-0x00000000750F0000-memory.dmp
memory/4840-32-0x0000000075000000-0x00000000750F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F6E5.exe
| MD5 | f80d0dc2fe6ef74e286f99444bd6fe83 |
| SHA1 | 30d3c3da98bc194650f0709b445863b76edb4fd8 |
| SHA256 | 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa |
| SHA512 | 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b |
memory/4840-36-0x0000000075000000-0x00000000750F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F995.exe
| MD5 | 52e2f416fb09cf8da94bf1a88a8bc31b |
| SHA1 | b368ea2376b00d1439e292952d281c577d26049b |
| SHA256 | cce9583aa5844ea41e7402a170d96eb8d6ab7b2b05363b7dbe81a2e8af655345 |
| SHA512 | a4ad5d6d60e8ee8d881552aba745a30d3ed0cc7021e503063f865f1fb1136b71b37aa6e6dae16ce1895f3d857eb80651bf0d194e9a506e5746ce96dc549d4732 |
memory/4840-39-0x0000000075000000-0x00000000750F0000-memory.dmp
memory/4840-37-0x0000000075000000-0x00000000750F0000-memory.dmp
memory/4840-40-0x0000000077074000-0x0000000077076000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FB3C.exe
| MD5 | 24f97033c62127b816fe4733b9b8a3f0 |
| SHA1 | bd8a47ad195de6fa694a6b8de214a7d06b516824 |
| SHA256 | f1b1e5919f4add8c22320c69c6e394066de60695a36de7d4227efaadfef3e612 |
| SHA512 | c657278d886d296d2d7192b7a845a3d8accb59c15ea54b0588ebe0d595dbf0a403e674cb446f7c543502b1a9e24d064b0196c85eb3557ca473456aebbdfdf49a |
C:\Users\Admin\AppData\Local\Temp\F995.exe
| MD5 | 52e2f416fb09cf8da94bf1a88a8bc31b |
| SHA1 | b368ea2376b00d1439e292952d281c577d26049b |
| SHA256 | cce9583aa5844ea41e7402a170d96eb8d6ab7b2b05363b7dbe81a2e8af655345 |
| SHA512 | a4ad5d6d60e8ee8d881552aba745a30d3ed0cc7021e503063f865f1fb1136b71b37aa6e6dae16ce1895f3d857eb80651bf0d194e9a506e5746ce96dc549d4732 |
C:\Users\Admin\AppData\Local\Temp\FB3C.exe
| MD5 | 24f97033c62127b816fe4733b9b8a3f0 |
| SHA1 | bd8a47ad195de6fa694a6b8de214a7d06b516824 |
| SHA256 | f1b1e5919f4add8c22320c69c6e394066de60695a36de7d4227efaadfef3e612 |
| SHA512 | c657278d886d296d2d7192b7a845a3d8accb59c15ea54b0588ebe0d595dbf0a403e674cb446f7c543502b1a9e24d064b0196c85eb3557ca473456aebbdfdf49a |
memory/4840-48-0x0000000000150000-0x00000000009F2000-memory.dmp
memory/4676-50-0x0000000000400000-0x0000000000445000-memory.dmp
memory/4676-51-0x00000000005B0000-0x00000000005E0000-memory.dmp
memory/4840-53-0x0000000005530000-0x00000000055CC000-memory.dmp
memory/4676-56-0x00000000732F0000-0x0000000073AA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2DE.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4676-66-0x0000000004AC0000-0x00000000050D8000-memory.dmp
memory/4676-67-0x0000000005100000-0x000000000520A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2DE.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4676-68-0x0000000005240000-0x0000000005252000-memory.dmp
memory/4676-69-0x0000000002300000-0x0000000002310000-memory.dmp
memory/4676-73-0x0000000005260000-0x000000000529C000-memory.dmp
memory/1136-74-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4840-80-0x0000000000150000-0x00000000009F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1136-82-0x00000000732F0000-0x0000000073AA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4840-86-0x0000000075000000-0x00000000750F0000-memory.dmp
memory/1136-87-0x0000000004C40000-0x0000000004C50000-memory.dmp
memory/4840-84-0x0000000075000000-0x00000000750F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\7ded9d1d-64fb-4467-ba2b-e62e40be173a\EEB5.exe
| MD5 | 1631bd067f7a26ffbb67687957320e4a |
| SHA1 | 39db651bf4d3d499411c5678c221886b48406622 |
| SHA256 | f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120 |
| SHA512 | 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da |
memory/4840-90-0x0000000075000000-0x00000000750F0000-memory.dmp
memory/2600-89-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4840-91-0x0000000075000000-0x00000000750F0000-memory.dmp
memory/2600-92-0x00000000732F0000-0x0000000073AA0000-memory.dmp
memory/4840-95-0x0000000075000000-0x00000000750F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1260.exe
| MD5 | 1631bd067f7a26ffbb67687957320e4a |
| SHA1 | 39db651bf4d3d499411c5678c221886b48406622 |
| SHA256 | f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120 |
| SHA512 | 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da |
memory/2600-98-0x0000000004FD0000-0x0000000004FE0000-memory.dmp
memory/2296-106-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EEB5.exe
| MD5 | 1631bd067f7a26ffbb67687957320e4a |
| SHA1 | 39db651bf4d3d499411c5678c221886b48406622 |
| SHA256 | f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120 |
| SHA512 | 0f277406f801420be908383a6928abeb89b415339a34cc75f5227b67f427cafab5f89bcab2814a3ba58fc981db1f1febee5650c9e0a3e7b82136e0e6581346da |
memory/2296-107-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2296-113-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4052-114-0x0000000003EA0000-0x0000000003F3D000-memory.dmp
memory/4676-115-0x00000000732F0000-0x0000000073AA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1511.exe
| MD5 | f80d0dc2fe6ef74e286f99444bd6fe83 |
| SHA1 | 30d3c3da98bc194650f0709b445863b76edb4fd8 |
| SHA256 | 3ca4b678e40e02cf19a8f52b171e699e3fcf7532019c9cad7cf02443aa7847fa |
| SHA512 | 48ef97586cd55b57a63122a772359c947b83f2578da2a374e46f1be0d829ec936ae28309296d29bc387b704794e8db3431fab003958c687b02356898cd6c797b |
memory/5052-120-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4676-122-0x0000000002300000-0x0000000002310000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\17D1.exe
| MD5 | b7a9dd705bcc0dbfc9cabc69b2953b33 |
| SHA1 | bb0c29b2169c908b8d25637651eeaa32135e0b80 |
| SHA256 | aeb52394baaa77dd4761926e2ae17bdb10423408fac0256159ea61b18c3b5e3d |
| SHA512 | 62140abc3a36ee8593b59389a5b98ebc9baab411c6c5f466d3a4291f7a89c4cff469373a5a1dd530df9decdee165480834cb7323dd78728eadee52acc8f2eadf |
memory/5052-127-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe
| MD5 | b236b8e5bab2445e09876a88d83a995a |
| SHA1 | 3278af413aad4772a57a4c33418d504f958465d9 |
| SHA256 | ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2 |
| SHA512 | 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5 |
memory/2788-134-0x0000024DEB2D0000-0x0000024DEB390000-memory.dmp
memory/2788-135-0x00007FF8854A0000-0x00007FF885F61000-memory.dmp
memory/2788-136-0x0000024DED030000-0x0000024DED04A000-memory.dmp
memory/1136-137-0x0000000004C40000-0x0000000004C50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1B8B.exe
| MD5 | 08f32f388b42aab675eea1bf2d60d770 |
| SHA1 | e53e062934952fa51c68a9400afa631880ccebe6 |
| SHA256 | c55c92457d03edbc7ec6f2c1ed55ca5e79d66d5ee568beab370229cd278649b1 |
| SHA512 | 82ebb2416b4980bd699c04233800469ac23ba68d5ba950cd91d1a950af699bbd847a883e1907527000cc7fb7d34e3dd00d8d4609fd3324964f7317a7116b5ba7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 8cb8f90ec602fd3a3e719cb78d8c7cce |
| SHA1 | cdf764f8683ff175fb19bb0ed9e8765e28033e3b |
| SHA256 | da35784b211cae7f4696f5b33b9b2ba9295bfa1016ad92ed28a3d588c1c84651 |
| SHA512 | 939433b40ad73f85b50268616a1717dc3be47087450d7682b4dab5a657a4279a9a61d706b5e6fc24183995a27ab0803d704e0f2fde6e450d3b05d8b4c0bd6395 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | d272d40d06c9224846bed1da19a0fd81 |
| SHA1 | fcde5227f4ea8bdbef5176ef8061ee32814d1498 |
| SHA256 | 4e84fe01a5a5fff30234eecbcf49e9fe4d4f48580fa9f6cbe0d6f3be07de38a9 |
| SHA512 | a34f31b50b458a5bdaec812a9c74244114685e1f733824f98525d6b0b2b22afc3a0731e77afbe239fab712d1939f291ac248ec9380c1c025d5af460d9bcab31a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 9622537e51915638708894cb1125d8df |
| SHA1 | 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd |
| SHA256 | 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c |
| SHA512 | 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7 |
memory/4368-154-0x00007FF76A860000-0x00007FF76A898000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 16f6e334f44d3d5af858df7112c4a51f |
| SHA1 | 9a7d99c844bcd19b1d924aa4276c521b31d1e8d6 |
| SHA256 | 7c6669c70c62b06f3050f27b2a230d5d901edcdd4a1b067b0a91fa9d54df795e |
| SHA512 | 052a1ac8e3e296a4b7ee4279fd7eaee49082a1ee653215e3fa4cc11d82237536bc2d872f6247f57c0ef93d461acb5ac19e8ffde58b25a6057dd8508e2791cdbf |
memory/4676-156-0x0000000005540000-0x00000000055B6000-memory.dmp
memory/2600-160-0x00000000732F0000-0x0000000073AA0000-memory.dmp
memory/1876-163-0x0000000002300000-0x0000000002400000-memory.dmp
memory/1876-167-0x00000000022F0000-0x00000000022F9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\21D6.exe
| MD5 | 39ad210451d748bf993549920c723a0f |
| SHA1 | 96897d5a8cd21ef0f71c1c40159cff9373855508 |
| SHA256 | b1190ed46fe58679028a9df4ca56c631f32a0726ce8db6c3f16976931413246a |
| SHA512 | d5be30e11ec719da28ea70b9172749563541b1f61fd79591d026f6f164e503255a4e12f9b3d00c581cd237bc8684909d88801341af9104aa69c4b6e55d918024 |
memory/5052-170-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1876-174-0x0000000000400000-0x0000000002291000-memory.dmp
memory/2600-175-0x0000000004FD0000-0x0000000004FE0000-memory.dmp
memory/4840-179-0x00000000030F0000-0x0000000003105000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2533.dll
| MD5 | 29a6feecd31507dcbf3355f6af904f10 |
| SHA1 | 255c9a34e25e24c426efe0cb2a7000761de4b95d |
| SHA256 | 3224f041256733ebd84c7881b95bb107e1c2cfb14de5c1688591fbb8888d9082 |
| SHA512 | e5ff8abe366b5995c97f7d2478fd833ce77e88deda668cb1280fab5bf94f0ee78b8293cdef9b2af83364d25f16d42e78bcfddc83028af67b0cf08b6e65b0edf6 |
memory/1840-186-0x0000000003FE0000-0x0000000004080000-memory.dmp
memory/1840-184-0x0000000004080000-0x000000000419B000-memory.dmp
memory/4840-183-0x00000000030F0000-0x0000000003105000-memory.dmp
memory/4132-182-0x0000000003F90000-0x000000000402C000-memory.dmp
memory/4840-177-0x00000000030F0000-0x0000000003105000-memory.dmp
memory/3116-197-0x0000000000B60000-0x0000000000B66000-memory.dmp
memory/1136-193-0x0000000005FD0000-0x0000000006020000-memory.dmp
memory/3116-198-0x0000000010000000-0x00000000102FA000-memory.dmp
memory/4012-201-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4012-206-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4840-208-0x00000000030F0000-0x0000000003105000-memory.dmp
memory/4840-211-0x00000000030F0000-0x0000000003105000-memory.dmp
memory/4012-209-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4840-215-0x00000000030F0000-0x0000000003105000-memory.dmp
memory/4676-218-0x0000000006400000-0x00000000065C2000-memory.dmp
memory/4840-219-0x00000000030F0000-0x0000000003105000-memory.dmp
memory/4840-225-0x00000000030F0000-0x0000000003105000-memory.dmp
memory/4676-224-0x00000000065D0000-0x0000000006AFC000-memory.dmp
memory/4840-230-0x00000000030F0000-0x0000000003105000-memory.dmp
memory/2916-231-0x00000000732F0000-0x0000000073AA0000-memory.dmp
memory/2788-228-0x00007FF8854A0000-0x00007FF885F61000-memory.dmp
memory/2916-234-0x0000000005460000-0x0000000005470000-memory.dmp
memory/3220-220-0x0000000002EE0000-0x0000000002EF6000-memory.dmp
memory/3900-236-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3468-205-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4840-204-0x00000000030F0000-0x0000000003105000-memory.dmp
memory/3468-196-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4012-195-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3468-192-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4840-194-0x00000000030F0000-0x0000000003105000-memory.dmp
memory/4840-187-0x00000000030F0000-0x0000000003105000-memory.dmp
memory/1136-161-0x0000000006530000-0x0000000006AD4000-memory.dmp
memory/4676-159-0x0000000005660000-0x00000000056C6000-memory.dmp
memory/4676-158-0x00000000055C0000-0x0000000005652000-memory.dmp
memory/1136-124-0x00000000732F0000-0x0000000073AA0000-memory.dmp
memory/5052-119-0x0000000000400000-0x0000000000537000-memory.dmp
memory/744-101-0x0000000004040000-0x00000000040D7000-memory.dmp
memory/4116-93-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 7f305d024899e4809fb6f4ae00da304c |
| SHA1 | f88a0812d36e0562ede3732ab511f459a09faff8 |
| SHA256 | 8fe1088ad55d05a3c2149648c8c1ce55862e925580308afe4a4ff6cfb089c769 |
| SHA512 | bc40698582400427cd47cf80dcf39202a74148b69ed179483160b4023368d53301fa12fe6d530d9c7cdfe5f78d19ee87a285681f537950334677f8af8dfeb2ae |
C:\Users\Admin\AppData\Roaming\tvaedtc
| MD5 | 08f32f388b42aab675eea1bf2d60d770 |
| SHA1 | e53e062934952fa51c68a9400afa631880ccebe6 |
| SHA256 | c55c92457d03edbc7ec6f2c1ed55ca5e79d66d5ee568beab370229cd278649b1 |
| SHA512 | 82ebb2416b4980bd699c04233800469ac23ba68d5ba950cd91d1a950af699bbd847a883e1907527000cc7fb7d34e3dd00d8d4609fd3324964f7317a7116b5ba7 |
C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe
| MD5 | a137245d8bc8109c4bc3df6e2b37d327 |
| SHA1 | ed8973e65b2aacb60683787831de37e7c805fa6c |
| SHA256 | f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee |
| SHA512 | 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00 |
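A listing like the one above is only useful for hunting once it is collapsed into unique hashes and cross-referenced: the same bytes written to several paths (here 1260.exe and EEB5.exe share one SHA256, and 1B8B.exe matches the randomly named C:\Users\Admin\AppData\Roaming\tvaedtc) are one payload, not several, and the copy under Roaming is the one a cleanup has to remove. The following Python is an added example, not part of the sandbox report: it parses the path / hash-row / memory-dump layout shown above, merges repeated entries, rejects a repeat whose digest differs, groups payloads that recur under different paths, and counts how often each address range of each PID was dumped. SAMPLE is a constructed subset of the report's own entries; the regular expressions assume exactly this layout.

```python
"""Parse a sandbox dropped-file listing into deduplicated IOC records.

Added example, not part of the sandbox report. Assumed layout (as shown
above): a Windows path line, then "| ALGO | digest |" rows, with
"memory/<pid>-<seq>-<start>-<end>-memory.dmp" lines interleaved.
SAMPLE is a constructed subset of the report's entries.
"""
import re
from collections import Counter, defaultdict

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\1260.exe
| MD5 | 1631bd067f7a26ffbb67687957320e4a |
| SHA1 | 39db651bf4d3d499411c5678c221886b48406622 |
| SHA256 | f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120 |
memory/2600-98-0x0000000004FD0000-0x0000000004FE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1260.exe
| MD5 | 1631bd067f7a26ffbb67687957320e4a |
| SHA1 | 39db651bf4d3d499411c5678c221886b48406622 |
| SHA256 | f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120 |
C:\Users\Admin\AppData\Local\Temp\EEB5.exe
| MD5 | 1631bd067f7a26ffbb67687957320e4a |
| SHA1 | 39db651bf4d3d499411c5678c221886b48406622 |
| SHA256 | f7665c9ff359f8ba548e2332044aa3ac414611be38545a852e6610de334c6120 |
memory/2296-106-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2296-113-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1B8B.exe
| MD5 | 08f32f388b42aab675eea1bf2d60d770 |
| SHA1 | e53e062934952fa51c68a9400afa631880ccebe6 |
| SHA256 | c55c92457d03edbc7ec6f2c1ed55ca5e79d66d5ee568beab370229cd278649b1 |
C:\Users\Admin\AppData\Roaming\tvaedtc
| MD5 | 08f32f388b42aab675eea1bf2d60d770 |
| SHA1 | e53e062934952fa51c68a9400afa631880ccebe6 |
| SHA256 | c55c92457d03edbc7ec6f2c1ed55ca5e79d66d5ee568beab370229cd278649b1 |
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")


def parse_listing(text):
    """Return (files, regions).

    files:   {path: {algo: digest}}; repeated path entries are merged, and a
             repeat carrying a different digest is an error.
    regions: {pid: Counter({(start, end): dump_count})}; how often the
             sandbox dumped each address range of each process.
    """
    files = {}
    regions = defaultdict(Counter)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, _seq, start, end = m.groups()
            regions[int(pid)][(int(start, 16), int(end, 16))] += 1
            current = None  # a hash row directly after a dump line is malformed
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            seen = files[current].get(algo)
            if seen is not None and seen != digest:
                raise ValueError(f"{current}: conflicting {algo} values")
            files[current][algo] = digest
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return files, dict(regions)


def shared_payloads(files, algo="SHA256"):
    """Digests that occur under more than one path (same bytes, several names)."""
    by_hash = defaultdict(list)
    for path, digests in files.items():
        if algo in digests:
            by_hash[digests[algo]].append(path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def ioc_digests(files, algo="SHA256"):
    """Sorted, de-duplicated digest list ready for a blocklist or hunt query."""
    return sorted({d[algo] for d in files.values() if algo in d})


def main():
    files, regions = parse_listing(SAMPLE)
    print(f"{len(files)} unique paths, {len(ioc_digests(files))} unique SHA256")
    for digest, paths in shared_payloads(files).items():
        print(f"same payload {digest[:16]}... at: {', '.join(paths)}")
    for pid, counter in sorted(regions.items()):
        for (start, end), n in sorted(counter.items()):
            print(f"pid {pid}: {start:#x}-{end:#x} ({end - start:#x} bytes) dumped {n}x")


if __name__ == "__main__":
    main()
```

On the sample the four path entries collapse to two unique SHA256 values, each shared by two paths, and PID 2296 shows the same 0x400000-0x537000 range dumped twice, i.e. one image captured at successive points rather than two distinct regions. Feed the full listing from a report into parse_listing and the digest list from ioc_digests is what goes into the blocklist; the shared_payloads output tells you which on-disk copies are the same file.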