Analysis Overview
SHA256
be758d2b22cbf30dc03aac1bd99508099107aec8c697a533ecbcb2c43b4a7aec
Threat Level: Known bad
The file be758d2b22cbf30dc03aac1bd99508099107aec8c697a533ecbcb2c43b4a7aec was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
Amadey
RedLine
Detected Djvu ransomware
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Themida packer
Executes dropped EXE
Checks BIOS information in registry
Checks computer location settings
Modifies file permissions
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Uses Task Scheduler COM API
Creates scheduled task(s)
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-14 08:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-14 08:19
Reported
2023-09-14 08:22
Platform
win10v2004-20230831-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
RedLine
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\DE0D.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DE0D.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\DE0D.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F92B.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\A46.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DA81.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EEAB.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e4f9f5fe-3523-49e5-a9af-8293e2b60932\\DA81.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\DA81.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\DE0D.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DE0D.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\F92B.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\A46.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\DA81.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\be758d2b22cbf30dc03aac1bd99508099107aec8c697a533ecbcb2c43b4a7aec.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\be758d2b22cbf30dc03aac1bd99508099107aec8c697a533ecbcb2c43b4a7aec.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7A5.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7A5.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\be758d2b22cbf30dc03aac1bd99508099107aec8c697a533ecbcb2c43b4a7aec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7A5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be758d2b22cbf30dc03aac1bd99508099107aec8c697a533ecbcb2c43b4a7aec.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be758d2b22cbf30dc03aac1bd99508099107aec8c697a533ecbcb2c43b4a7aec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7A5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DE0D.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E283.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\be758d2b22cbf30dc03aac1bd99508099107aec8c697a533ecbcb2c43b4a7aec.exe
"C:\Users\Admin\AppData\Local\Temp\be758d2b22cbf30dc03aac1bd99508099107aec8c697a533ecbcb2c43b4a7aec.exe"
C:\Users\Admin\AppData\Local\Temp\DA81.exe
C:\Users\Admin\AppData\Local\Temp\DA81.exe
C:\Users\Admin\AppData\Local\Temp\DE0D.exe
C:\Users\Admin\AppData\Local\Temp\DE0D.exe
C:\Users\Admin\AppData\Local\Temp\E040.exe
C:\Users\Admin\AppData\Local\Temp\E040.exe
C:\Users\Admin\AppData\Local\Temp\E283.exe
C:\Users\Admin\AppData\Local\Temp\E283.exe
C:\Users\Admin\AppData\Local\Temp\E3EC.exe
C:\Users\Admin\AppData\Local\Temp\E3EC.exe
C:\Users\Admin\AppData\Local\Temp\EEAB.exe
C:\Users\Admin\AppData\Local\Temp\EEAB.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\F92B.exe
C:\Users\Admin\AppData\Local\Temp\F92B.exe
C:\Users\Admin\AppData\Local\Temp\DA81.exe
C:\Users\Admin\AppData\Local\Temp\DA81.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Users\Admin\AppData\Local\Temp\FC39.exe
C:\Users\Admin\AppData\Local\Temp\FC39.exe
C:\Users\Admin\AppData\Local\Temp\207.exe
C:\Users\Admin\AppData\Local\Temp\207.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\7A5.exe
C:\Users\Admin\AppData\Local\Temp\7A5.exe
C:\Users\Admin\AppData\Local\Temp\A46.exe
C:\Users\Admin\AppData\Local\Temp\A46.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E3F.dll
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e4f9f5fe-3523-49e5-a9af-8293e2b60932" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\E3F.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Users\Admin\AppData\Local\Temp\F92B.exe
C:\Users\Admin\AppData\Local\Temp\F92B.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\F92B.exe
"C:\Users\Admin\AppData\Local\Temp\F92B.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\A46.exe
C:\Users\Admin\AppData\Local\Temp\A46.exe
C:\Users\Admin\AppData\Local\Temp\A46.exe
"C:\Users\Admin\AppData\Local\Temp\A46.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\DA81.exe
"C:\Users\Admin\AppData\Local\Temp\DA81.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\F92B.exe
"C:\Users\Admin\AppData\Local\Temp\F92B.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4732 -ip 4732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 568
C:\Users\Admin\AppData\Local\Temp\A46.exe
"C:\Users\Admin\AppData\Local\Temp\A46.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\DA81.exe
"C:\Users\Admin\AppData\Local\Temp\DA81.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2468 -ip 2468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4492 -ip 4492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 568
C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
Network
Files
memory/3348-0-0x0000000002080000-0x0000000002095000-memory.dmp
memory/3348-1-0x00000000020A0000-0x00000000020A9000-memory.dmp
memory/3348-2-0x0000000000400000-0x0000000000480000-memory.dmp
memory/3348-4-0x0000000000400000-0x0000000000480000-memory.dmp
memory/3348-7-0x0000000002080000-0x0000000002095000-memory.dmp
memory/2868-3-0x0000000003270000-0x0000000003286000-memory.dmp
memory/3348-8-0x00000000020A0000-0x00000000020A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DA81.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA1 | 877c209472761292e20de46711260b87b3c3a2ba |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
| SHA512 | 87b97ab758fdd34e0047f9cdc5cef3c1224d8f1b118d03eda5afbf1644381f4d21c7f2dab6dbb8c1bc88bc5d348c4994361d0dd79aa837b501e33dd5e3c5e6be |
C:\Users\Admin\AppData\Local\Temp\DA81.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA1 | 877c209472761292e20de46711260b87b3c3a2ba |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
| SHA512 | 87b97ab758fdd34e0047f9cdc5cef3c1224d8f1b118d03eda5afbf1644381f4d21c7f2dab6dbb8c1bc88bc5d348c4994361d0dd79aa837b501e33dd5e3c5e6be |
C:\Users\Admin\AppData\Local\Temp\DE0D.exe
| MD5 | 1b67e388efc2b48f047e9eeb16edcef2 |
| SHA1 | 2c5ddc2006c38caed1adab80df1e5a370821b47f |
| SHA256 | 46c718a1a788637723d284c0b8da50ff03c39ba214ee735c78b230d4055fa1f1 |
| SHA512 | 21fa1ebbba8a62176813547ee1a61297ab2ea862d36d349b06510819ce6d9d0502a2351ab23949248eb78335482defae86a98bc390e94cb08706219adb017e94 |
C:\Users\Admin\AppData\Local\Temp\DE0D.exe
| MD5 | 1b67e388efc2b48f047e9eeb16edcef2 |
| SHA1 | 2c5ddc2006c38caed1adab80df1e5a370821b47f |
| SHA256 | 46c718a1a788637723d284c0b8da50ff03c39ba214ee735c78b230d4055fa1f1 |
| SHA512 | 21fa1ebbba8a62176813547ee1a61297ab2ea862d36d349b06510819ce6d9d0502a2351ab23949248eb78335482defae86a98bc390e94cb08706219adb017e94 |
memory/4676-20-0x00000000005F0000-0x0000000000E92000-memory.dmp
memory/4676-21-0x00000000770D0000-0x00000000771C0000-memory.dmp
memory/4676-22-0x00000000770D0000-0x00000000771C0000-memory.dmp
memory/4676-23-0x00000000770D0000-0x00000000771C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E040.exe
| MD5 | 47bf72d09074bd98b5022c0c384e3a18 |
| SHA1 | dc0e787ea6f91f8de6f342b052131a2a71682f4a |
| SHA256 | e196fc1201671122a3b8db9d285d367f87e6f14302f28b7362386bccbd09cc9b |
| SHA512 | 3c80a1c971f4424c14b540e665492c08f4fbe87b19ecf1c461f7d91ac5ca1eb5f6940b47de9a358f8fd96447c4ceb9141001189cfed55ec7659a4a34222d5dcd |
memory/4676-29-0x00000000770D0000-0x00000000771C0000-memory.dmp
memory/4676-31-0x0000000077E14000-0x0000000077E16000-memory.dmp
memory/4676-27-0x00000000770D0000-0x00000000771C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E283.exe
| MD5 | 52e2f416fb09cf8da94bf1a88a8bc31b |
| SHA1 | b368ea2376b00d1439e292952d281c577d26049b |
| SHA256 | cce9583aa5844ea41e7402a170d96eb8d6ab7b2b05363b7dbe81a2e8af655345 |
| SHA512 | a4ad5d6d60e8ee8d881552aba745a30d3ed0cc7021e503063f865f1fb1136b71b37aa6e6dae16ce1895f3d857eb80651bf0d194e9a506e5746ce96dc549d4732 |
C:\Users\Admin\AppData\Local\Temp\E040.exe
| MD5 | 47bf72d09074bd98b5022c0c384e3a18 |
| SHA1 | dc0e787ea6f91f8de6f342b052131a2a71682f4a |
| SHA256 | e196fc1201671122a3b8db9d285d367f87e6f14302f28b7362386bccbd09cc9b |
| SHA512 | 3c80a1c971f4424c14b540e665492c08f4fbe87b19ecf1c461f7d91ac5ca1eb5f6940b47de9a358f8fd96447c4ceb9141001189cfed55ec7659a4a34222d5dcd |
C:\Users\Admin\AppData\Local\Temp\E3EC.exe
| MD5 | 24f97033c62127b816fe4733b9b8a3f0 |
| SHA1 | bd8a47ad195de6fa694a6b8de214a7d06b516824 |
| SHA256 | f1b1e5919f4add8c22320c69c6e394066de60695a36de7d4227efaadfef3e612 |
| SHA512 | c657278d886d296d2d7192b7a845a3d8accb59c15ea54b0588ebe0d595dbf0a403e674cb446f7c543502b1a9e24d064b0196c85eb3557ca473456aebbdfdf49a |
memory/4676-40-0x00000000005F0000-0x0000000000E92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E283.exe
| MD5 | 52e2f416fb09cf8da94bf1a88a8bc31b |
| SHA1 | b368ea2376b00d1439e292952d281c577d26049b |
| SHA256 | cce9583aa5844ea41e7402a170d96eb8d6ab7b2b05363b7dbe81a2e8af655345 |
| SHA512 | a4ad5d6d60e8ee8d881552aba745a30d3ed0cc7021e503063f865f1fb1136b71b37aa6e6dae16ce1895f3d857eb80651bf0d194e9a506e5746ce96dc549d4732 |
memory/4676-41-0x0000000005850000-0x00000000058EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E3EC.exe
| MD5 | 24f97033c62127b816fe4733b9b8a3f0 |
| SHA1 | bd8a47ad195de6fa694a6b8de214a7d06b516824 |
| SHA256 | f1b1e5919f4add8c22320c69c6e394066de60695a36de7d4227efaadfef3e612 |
| SHA512 | c657278d886d296d2d7192b7a845a3d8accb59c15ea54b0588ebe0d595dbf0a403e674cb446f7c543502b1a9e24d064b0196c85eb3557ca473456aebbdfdf49a |
memory/1756-44-0x00000000005D0000-0x0000000000600000-memory.dmp
memory/1756-45-0x0000000000400000-0x0000000000445000-memory.dmp
memory/1756-49-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/1756-50-0x0000000004A90000-0x00000000050A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EEAB.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1756-53-0x00000000050F0000-0x00000000051FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EEAB.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1756-55-0x0000000005230000-0x0000000005242000-memory.dmp
memory/1756-57-0x0000000004940000-0x0000000004950000-memory.dmp
memory/1756-60-0x0000000005250000-0x000000000528C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4636-65-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4676-69-0x00000000005F0000-0x0000000000E92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4636-70-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/1480-72-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4676-73-0x00000000770D0000-0x00000000771C0000-memory.dmp
memory/4636-74-0x0000000004DC0000-0x0000000004DD0000-memory.dmp
memory/4676-71-0x00000000770D0000-0x00000000771C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1480-75-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/4676-76-0x00000000770D0000-0x00000000771C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F92B.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA1 | 877c209472761292e20de46711260b87b3c3a2ba |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
| SHA512 | 87b97ab758fdd34e0047f9cdc5cef3c1224d8f1b118d03eda5afbf1644381f4d21c7f2dab6dbb8c1bc88bc5d348c4994361d0dd79aa837b501e33dd5e3c5e6be |
memory/4676-82-0x00000000770D0000-0x00000000771C0000-memory.dmp
memory/1480-83-0x0000000000C80000-0x0000000000C90000-memory.dmp
memory/3460-84-0x0000000002220000-0x000000000233B000-memory.dmp
memory/3460-85-0x0000000001FC0000-0x0000000002051000-memory.dmp
memory/4160-86-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F92B.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA1 | 877c209472761292e20de46711260b87b3c3a2ba |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
| SHA512 | 87b97ab758fdd34e0047f9cdc5cef3c1224d8f1b118d03eda5afbf1644381f4d21c7f2dab6dbb8c1bc88bc5d348c4994361d0dd79aa837b501e33dd5e3c5e6be |
memory/4676-78-0x00000000770D0000-0x00000000771C0000-memory.dmp
memory/4160-88-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DA81.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA1 | 877c209472761292e20de46711260b87b3c3a2ba |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
| SHA512 | 87b97ab758fdd34e0047f9cdc5cef3c1224d8f1b118d03eda5afbf1644381f4d21c7f2dab6dbb8c1bc88bc5d348c4994361d0dd79aa837b501e33dd5e3c5e6be |
C:\Users\Admin\AppData\Local\Temp\FC39.exe
| MD5 | 47bf72d09074bd98b5022c0c384e3a18 |
| SHA1 | dc0e787ea6f91f8de6f342b052131a2a71682f4a |
| SHA256 | e196fc1201671122a3b8db9d285d367f87e6f14302f28b7362386bccbd09cc9b |
| SHA512 | 3c80a1c971f4424c14b540e665492c08f4fbe87b19ecf1c461f7d91ac5ca1eb5f6940b47de9a358f8fd96447c4ceb9141001189cfed55ec7659a4a34222d5dcd |
memory/4160-92-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4160-93-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\207.exe
| MD5 | c82816b9cae5ab07c38a317572f3453f |
| SHA1 | ce1911787bf09e30932a07308e9f1b04dcf7f3dd |
| SHA256 | 07f738a9553af970e5b75ea53d566ae2a04fcdb19642f6c4fe9b820e46b60695 |
| SHA512 | 0451c99010056aab9349295be93f4c41b1a4c9843c07cbc9f0c2a6e9ce7b69ff6ce0dafa05a6a81aebc952cd7bc20d4b74cfe4cacb14ca3c0fc568ef5593182b |
C:\Users\Admin\AppData\Local\Temp\1000073001\aafg31.exe
| MD5 | b236b8e5bab2445e09876a88d83a995a |
| SHA1 | 3278af413aad4772a57a4c33418d504f958465d9 |
| SHA256 | ac81724fd3a660ce17e5d5b2b560285e4725f93ecc4d9ed9fcfab041532914c2 |
| SHA512 | 3d62f525db2d7058a4540f2f4825df9cb211ea7bee399285762af0d8234021605288e8cf15e12fe6d721ead82059fa1fbf7c7a7b672a968888fc8cbe0e478da5 |
memory/2336-107-0x00007FF8E05F0000-0x00007FF8E10B1000-memory.dmp
memory/2336-106-0x000001B3F8D70000-0x000001B3F8D8A000-memory.dmp
memory/1756-112-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/2336-113-0x000001B3F9740000-0x000001B3F9750000-memory.dmp
memory/2336-99-0x000001B3F70C0000-0x000001B3F7154000-memory.dmp
memory/4692-118-0x00007FF6D0970000-0x00007FF6D09A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7A5.exe
| MD5 | 9f18d3100a04163ce61368d6738d01f5 |
| SHA1 | 9593c15ed64a7dfdb8e77b16cb80386fa65f2a37 |
| SHA256 | 2ae5932352f9e2d0f9a6c05f6977b7566c0a0913ae0717c787380ea35045969b |
| SHA512 | 465aa7578e236b7ae2b0a37b25dfaee0b109ac7dcbbf0f9733c9282c6f552feb82c4b4cc9fbb10aab7cde0c9443517430d72246c906b43a10dc3a6f1c2d3dd1d |
C:\Users\Admin\AppData\Local\Temp\A46.exe
| MD5 | c2273e3679c0660d8b4cd294ec6f88a7 |
| SHA1 | 1b01c714e54dca1c562ccb77e746a9645eee7cfc |
| SHA256 | d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664 |
| SHA512 | afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d |
memory/1756-132-0x00000000055B0000-0x0000000005642000-memory.dmp
memory/1756-133-0x0000000005BC0000-0x0000000006164000-memory.dmp
memory/1756-128-0x0000000005530000-0x00000000055A6000-memory.dmp
memory/4676-138-0x0000000003530000-0x0000000003545000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E3F.dll
| MD5 | cd473f96a31e502950837fb6ed2fe819 |
| SHA1 | 87bf2e1161ef159b56db4a6350d4dfe219f30683 |
| SHA256 | b862581cd97d94bcd7f955ab75da813d84c182e86722695e3b03f8229c4d6d5c |
| SHA512 | 509881a3eeec7f6bc7fb6973f0df61dfe631f1636f4fb19024915dc5b6a1c51c1882037a76afad897d3ea67c618ac08ae0b318809626ed06dbbd9dd86a731d94 |
C:\Users\Admin\AppData\Local\e4f9f5fe-3523-49e5-a9af-8293e2b60932\DA81.exe
| MD5 | 2340b48b4a14c41d93d84ec7974cc8d6 |
| SHA1 | 877c209472761292e20de46711260b87b3c3a2ba |
| SHA256 | 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5 |
| SHA512 | 87b97ab758fdd34e0047f9cdc5cef3c1224d8f1b118d03eda5afbf1644381f4d21c7f2dab6dbb8c1bc88bc5d348c4994361d0dd79aa837b501e33dd5e3c5e6be |
memory/4676-147-0x0000000003530000-0x0000000003545000-memory.dmp
memory/4676-144-0x0000000003530000-0x0000000003545000-memory.dmp
memory/4636-139-0x00000000052F0000-0x0000000005356000-memory.dmp
memory/4676-137-0x0000000003530000-0x0000000003545000-memory.dmp
memory/1756-129-0x0000000004940000-0x0000000004950000-memory.dmp
memory/4636-148-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/4676-151-0x0000000003530000-0x0000000003545000-memory.dmp
memory/1712-153-0x0000000010000000-0x00000000102D3000-memory.dmp
memory/4636-155-0x0000000004DC0000-0x0000000004DD0000-memory.dmp
memory/4676-157-0x0000000003530000-0x0000000003545000-memory.dmp
memory/4504-152-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/1480-159-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/4676-160-0x0000000003530000-0x0000000003545000-memory.dmp
memory/1712-161-0x0000000002110000-0x0000000002116000-memory.dmp
memory/4676-163-0x0000000003530000-0x0000000003545000-memory.dmp
memory/1480-165-0x0000000000C80000-0x0000000000C90000-memory.dmp
memory/4676-166-0x0000000003530000-0x0000000003545000-memory.dmp
memory/4676-168-0x0000000003530000-0x0000000003545000-memory.dmp
memory/4676-173-0x0000000003530000-0x0000000003545000-memory.dmp
memory/4676-176-0x0000000003530000-0x0000000003545000-memory.dmp
memory/1756-175-0x0000000006370000-0x00000000063C0000-memory.dmp
memory/4676-178-0x0000000003530000-0x0000000003545000-memory.dmp
memory/4160-180-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1508-179-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1480-181-0x00000000062D0000-0x0000000006492000-memory.dmp
memory/2336-185-0x00007FF8E05F0000-0x00007FF8E10B1000-memory.dmp
memory/4676-187-0x00000000770D0000-0x00000000771C0000-memory.dmp
memory/1480-184-0x0000000008680000-0x0000000008BAC000-memory.dmp
memory/1508-188-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/1508-191-0x0000000005260000-0x0000000005270000-memory.dmp
memory/4676-192-0x00000000005F0000-0x0000000000E92000-memory.dmp
memory/2336-194-0x000001B3F9740000-0x000001B3F9750000-memory.dmp
memory/2472-195-0x0000000002080000-0x0000000002111000-memory.dmp
memory/4284-198-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4284-199-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4504-200-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/4284-201-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4692-205-0x0000000003200000-0x0000000003371000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | bcf9c82a8e06cd4dbc7c6f8166b03d62 |
| SHA1 | aa072fd0adc30bc7d45952443a137972eaea0499 |
| SHA256 | 32b64ccb43add6147056e3f68bd46c762c8b38dea72735355fc422160a0f417d |
| SHA512 | 7a26e9797da034f01a08a1b62e4e7e39de67526257d015a0ef7590968af690fecb1852a0f3ee05f64bbf571344eb74ef4d404d2f145f7e7dd36f6a21816ba4a0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 5daba4f0bf3b14879277d299c1f70ff3 |
| SHA1 | b2d8547d2be5ee58acb4bb389364db0cc637fef0 |
| SHA256 | 5ff5aba800b62725d316e343846e7e1f22a00217c6954b70873712ec463400d9 |
| SHA512 | dfc5a741ddb33f622274072ba3b5e35eeb48f7a20b5a3af079168f7a92861a9cd76f8e8b86f66ab5d1a2367f5ee0d3a7e9643e424aed7ecec36fa1aeace4260a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | b21311597244be50a172fb309a1c52df |
| SHA1 | 2b662f3bf3c6a0606251381a3298e9bac3bfce66 |
| SHA256 | 9a69ea575d80ba67bfbebfdd4b2d3a5ac9e0ee8c04fbd8b99e8f0c7fe53b2080 |
| SHA512 | c768b3fa558b3a0bc3f48b9408f6f1f05428480c75ac095e9282167fad32687441e5d8234456d7d8225ada8207a13fc0bc382cd1f27e267987d2704d6183def0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 9622537e51915638708894cb1125d8df |
| SHA1 | 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd |
| SHA256 | 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c |
| SHA512 | 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7 |
memory/4284-219-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2400-225-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2400-227-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2400-228-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 6bb82e63cdf8de9d79154002b8987663 |
| SHA1 | 45a4870c3dbff09b9ea31d4ab2909e6ee86908a7 |
| SHA256 | 57261cbea6f3d4a3755ec9cc56fa0adadb77b159fc7103c9e80e34d4d443b51e |
| SHA512 | c55ffb0c9dca0c2e35e31f382089c7221cc518b6931df5b321cfa11a2a9923e8ea7560312cecfee532a912d2d2fcd02db620a2dc4d41e5094b0e14dfc6b51a05 |
memory/2400-238-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4460-242-0x0000000000400000-0x0000000000480000-memory.dmp
memory/2868-237-0x00000000033E0000-0x00000000033F6000-memory.dmp
memory/4160-246-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1712-249-0x0000000002500000-0x0000000002602000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Roaming\hwvcvjw
| MD5 | 9f18d3100a04163ce61368d6738d01f5 |
| SHA1 | 9593c15ed64a7dfdb8e77b16cb80386fa65f2a37 |
| SHA256 | 2ae5932352f9e2d0f9a6c05f6977b7566c0a0913ae0717c787380ea35045969b |
| SHA512 | 465aa7578e236b7ae2b0a37b25dfaee0b109ac7dcbbf0f9733c9282c6f552feb82c4b4cc9fbb10aab7cde0c9443517430d72246c906b43a10dc3a6f1c2d3dd1d |
C:\Users\Admin\AppData\Local\Temp\1000074001\toolspub2.exe
| MD5 | a137245d8bc8109c4bc3df6e2b37d327 |
| SHA1 | ed8973e65b2aacb60683787831de37e7c805fa6c |
| SHA256 | f342950ea78a3910911df852de530912090acea09b895e299d4ba0132ee146ee |
| SHA512 | 5d83e91ac5862c62d5b90418a75feaedcffb01aa2a396d1cb71c11d9dfbfb0e415d38687ce0736b7159f874835ace02f27d11067b2ab6b81f58a948f10fabc00 |