Analysis Overview
SHA256
1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c
Threat Level: Known bad
The file 1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Detect Fabookie payload
Glupteba
RedLine
Detected Djvu ransomware
Glupteba payload
Djvu Ransomware
Fabookie
Downloads MZ/PE file
Stops running service(s)
Deletes itself
UPX packed file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Drops startup file
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Launches sc.exe
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-24 11:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-24 11:36
Reported
2023-09-24 11:38
Platform
win7-20230831-en
Max time kernel
54s
Max time network
155s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Fabookie
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
SmokeLoader
Downloads MZ/PE file
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98luhwAlXnOux2mgWGlciLMJ.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iSeZ6SXihV4Dli79GZdF1yRn.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FA59ahuLWl8QUdItvDmcF0B6.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OJMBXYdymlDm3XwlpvgLutMh.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sLbxvV9ZCj296DkQYzI9jgz0.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GrlnB98L26sGSwNgPXvXxpku.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7pMR3vtf6oNwFCUmEepkMimn.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pxsTeXc22OkrINIdEMQZDyKe.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cp4JGtzl8oBvWwawlvmzI0us.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B8F3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B8F3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BCDB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D923.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E46A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E46A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EB8C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aafg31.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kos1.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\hfKCfrwKwtfhBmKU30a2Kt2j.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2816 set thread context of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\B8F3.exe | C:\Users\Admin\AppData\Local\Temp\B8F3.exe |
| PID 2644 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\BCDB.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 2416 set thread context of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\E46A.exe | C:\Users\Admin\AppData\Local\Temp\E46A.exe |
| PID 588 set thread context of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\EB8C.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\EB8C.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe | "C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe" |
| C:\Users\Admin\AppData\Local\Temp\B8F3.exe | C:\Users\Admin\AppData\Local\Temp\B8F3.exe |
| C:\Users\Admin\AppData\Local\Temp\B8F3.exe | C:\Users\Admin\AppData\Local\Temp\B8F3.exe |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BBD1.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\BBD1.dll |
| C:\Users\Admin\AppData\Local\Temp\BCDB.exe | C:\Users\Admin\AppData\Local\Temp\BCDB.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" |
| C:\Users\Admin\AppData\Local\Temp\D923.exe | C:\Users\Admin\AppData\Local\Temp\D923.exe |
| C:\Users\Admin\AppData\Local\Temp\E46A.exe | C:\Users\Admin\AppData\Local\Temp\E46A.exe |
| C:\Users\Admin\AppData\Local\Temp\E46A.exe | C:\Users\Admin\AppData\Local\Temp\E46A.exe |
| C:\Users\Admin\AppData\Local\Temp\EB8C.exe | C:\Users\Admin\AppData\Local\Temp\EB8C.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\Temp\aafg31.exe | "C:\Users\Admin\AppData\Local\Temp\aafg31.exe" |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 52 |
| C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" |
| C:\Users\Admin\AppData\Local\Temp\kos1.exe | "C:\Users\Admin\AppData\Local\Temp\kos1.exe" |
| C:\Users\Admin\Pictures\hfKCfrwKwtfhBmKU30a2Kt2j.exe | "C:\Users\Admin\Pictures\hfKCfrwKwtfhBmKU30a2Kt2j.exe" |
| C:\Users\Admin\Pictures\5DcRCwbO98vkpPbvGxBzB2V7.exe | "C:\Users\Admin\Pictures\5DcRCwbO98vkpPbvGxBzB2V7.exe" |
| C:\Users\Admin\Pictures\vDgna56ZwuOAudYuiVDuq6b8.exe | "C:\Users\Admin\Pictures\vDgna56ZwuOAudYuiVDuq6b8.exe" |
| C:\Users\Admin\Pictures\HNCyRjxl4LzJ5r19WQmiZdv1.exe | "C:\Users\Admin\Pictures\HNCyRjxl4LzJ5r19WQmiZdv1.exe" --silent --allusers=0 |
| C:\Users\Admin\Pictures\g5zeJzaocLxhHCpUNRj7sVD2.exe | "C:\Users\Admin\Pictures\g5zeJzaocLxhHCpUNRj7sVD2.exe" |
| C:\Users\Admin\Pictures\U7yHt8SvJyX6Buu2YX5LuwXz.exe | "C:\Users\Admin\Pictures\U7yHt8SvJyX6Buu2YX5LuwXz.exe" /s |
| C:\Users\Admin\Pictures\3zZWRTLylhhtTSYwvDIxuRbw.exe | "C:\Users\Admin\Pictures\3zZWRTLylhhtTSYwvDIxuRbw.exe" |
| C:\Users\Admin\Pictures\oivzm540mO830wiumh9nk3Z6.exe | "C:\Users\Admin\Pictures\oivzm540mO830wiumh9nk3Z6.exe" |
| C:\Users\Admin\Pictures\5DcRCwbO98vkpPbvGxBzB2V7.exe | "C:\Users\Admin\Pictures\5DcRCwbO98vkpPbvGxBzB2V7.exe" |
| C:\Users\Admin\AppData\Local\Temp\set16.exe | "C:\Users\Admin\AppData\Local\Temp\set16.exe" |
| C:\Users\Admin\AppData\Local\Temp\kos.exe | "C:\Users\Admin\AppData\Local\Temp\kos.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zS4AC6.tmp\Install.exe | .\Install.exe |
| C:\Users\Admin\AppData\Local\Temp\is-QGQB7.tmp\is-4AFPO.tmp | "C:\Users\Admin\AppData\Local\Temp\is-QGQB7.tmp\is-4AFPO.tmp" /SL4 $C01EE "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224 |
| C:\Users\Admin\Pictures\IjC0vqhoTiUNca4U0Iy7YKv2.exe | "C:\Users\Admin\Pictures\IjC0vqhoTiUNca4U0Iy7YKv2.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zS5928.tmp\Install.exe | .\Install.exe /ZRdidNyFJI "385118" /S |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\966ad2b1-748d-4025-9920-dd02833032bb" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force |
| C:\Users\Admin\AppData\Local\Temp\E46A.exe | "C:\Users\Admin\AppData\Local\Temp\E46A.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\Pictures\X2v2KlPmZ15Cr2dsy1iO6W0h.exe | "C:\Users\Admin\Pictures\X2v2KlPmZ15Cr2dsy1iO6W0h.exe" |
| C:\Users\Admin\AppData\Local\Temp\is-4G173.tmp\IjC0vqhoTiUNca4U0Iy7YKv2.tmp | "C:\Users\Admin\AppData\Local\Temp\is-4G173.tmp\IjC0vqhoTiUNca4U0Iy7YKv2.tmp" /SL5="$201B0,491750,408064,C:\Users\Admin\Pictures\IjC0vqhoTiUNca4U0Iy7YKv2.exe" |
| C:\Users\Admin\Pictures\SH1ytfU14d6kI7ZgpmKkkCZr.exe | "C:\Users\Admin\Pictures\SH1ytfU14d6kI7ZgpmKkkCZr.exe" |
| C:\Users\Admin\AppData\Local\Temp\E46A.exe | "C:\Users\Admin\AppData\Local\Temp\E46A.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1320430567.exe" |
| C:\Windows\SysWOW64\forfiles.exe | "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&" |
| C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /im "g5zeJzaocLxhHCpUNRj7sVD2.exe" /f & erase "C:\Users\Admin\Pictures\g5zeJzaocLxhHCpUNRj7sVD2.exe" & exit |
| C:\Windows\System32\sc.exe | sc stop UsoSvc |
| C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 |
| C:\Windows\System32\schtasks.exe | C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC" |
| C:\Windows\System32\sc.exe | sc stop WaaSMedicSvc |
| C:\Windows\System32\sc.exe | sc stop wuauserv |
| C:\Windows\System32\sc.exe | sc stop bits |
| C:\Windows\System32\sc.exe | sc stop dosvc |
Network
Files
| SHA512 | ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1 |
C:\Users\Admin\AppData\Local\Temp\CabA5F.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | d974162e0cccb469e745708ced4124c0 |
| SHA1 | 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929 |
| SHA256 | 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5 |
| SHA512 | ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | d974162e0cccb469e745708ced4124c0 |
| SHA1 | 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929 |
| SHA256 | 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5 |
| SHA512 | ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | d974162e0cccb469e745708ced4124c0 |
| SHA1 | 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929 |
| SHA256 | 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5 |
| SHA512 | ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1 |
C:\Users\Admin\AppData\Local\Temp\TarC26.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/2744-155-0x0000000004C40000-0x0000000004C80000-memory.dmp
memory/3020-156-0x0000000073390000-0x0000000073A7E000-memory.dmp
\Users\Admin\AppData\Local\Temp\EB8C.exe
| MD5 | 39ee7dec3d4fa8b450670eaab709812c |
| SHA1 | 91b804b25c548eb6de1dfdc539c29a6e391a9314 |
| SHA256 | a9df8f78f78992960304cfe308505d0897c95486d9749853ab70fdfa151de02d |
| SHA512 | a497b3d0944822275cfa3fffcccf8534c69af1cfccecba521a342b8cfaa92dc9334fed226be8e82fd025c5af4fba531c24a3eaa5d5271601925879dd0c0c83c9 |
\Users\Admin\AppData\Local\Temp\EB8C.exe
| MD5 | 39ee7dec3d4fa8b450670eaab709812c |
| SHA1 | 91b804b25c548eb6de1dfdc539c29a6e391a9314 |
| SHA256 | a9df8f78f78992960304cfe308505d0897c95486d9749853ab70fdfa151de02d |
| SHA512 | a497b3d0944822275cfa3fffcccf8534c69af1cfccecba521a342b8cfaa92dc9334fed226be8e82fd025c5af4fba531c24a3eaa5d5271601925879dd0c0c83c9 |
\Users\Admin\AppData\Local\Temp\EB8C.exe
| MD5 | 39ee7dec3d4fa8b450670eaab709812c |
| SHA1 | 91b804b25c548eb6de1dfdc539c29a6e391a9314 |
| SHA256 | a9df8f78f78992960304cfe308505d0897c95486d9749853ab70fdfa151de02d |
| SHA512 | a497b3d0944822275cfa3fffcccf8534c69af1cfccecba521a342b8cfaa92dc9334fed226be8e82fd025c5af4fba531c24a3eaa5d5271601925879dd0c0c83c9 |
\Users\Admin\AppData\Local\Temp\kos1.exe
| MD5 | 85b698363e74ba3c08fc16297ddc284e |
| SHA1 | 171cfea4a82a7365b241f16aebdb2aad29f4f7c0 |
| SHA256 | 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe |
| SHA512 | 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796 |
C:\Users\Admin\AppData\Local\Temp\kos1.exe
| MD5 | 85b698363e74ba3c08fc16297ddc284e |
| SHA1 | 171cfea4a82a7365b241f16aebdb2aad29f4f7c0 |
| SHA256 | 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe |
| SHA512 | 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796 |
memory/656-179-0x0000000004780000-0x00000000047C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos1.exe
| MD5 | 85b698363e74ba3c08fc16297ddc284e |
| SHA1 | 171cfea4a82a7365b241f16aebdb2aad29f4f7c0 |
| SHA256 | 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe |
| SHA512 | 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796 |
memory/1776-202-0x00000000002B0000-0x0000000000424000-memory.dmp
memory/1776-203-0x0000000073390000-0x0000000073A7E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a70925a23bb5efed012a5ae017f68cb6 |
| SHA1 | 670a0234f857047f0c2b2e97d1318e6a5a2a1798 |
| SHA256 | 7783d51a9f9138f9a9bdd35ac113e6975fdbbf87df3769d3e3f0fd59fd9e9d8f |
| SHA512 | 3d401764657e1b218b25d67d577313a1e647d99e1a9808fde5b5c8e984b513cfa716a379d016ce9cf61f552964be9c399f56ed09355c19a30fe220575b01ea33 |
memory/3020-207-0x0000000073390000-0x0000000073A7E000-memory.dmp
\Users\Admin\Pictures\hfKCfrwKwtfhBmKU30a2Kt2j.exe
| MD5 | 4b9d22ddf2f84d9b5958f0f4a1d6b954 |
| SHA1 | 82a607e3f40681621419a3a0972efef2ed8d8131 |
| SHA256 | 6e7dd960a59b65b7cbc784b51e370f10b018bf4a07c114fd4bf1a19dbda2e30a |
| SHA512 | 7013f17a44867b74884b29d8ffb58fb5f6ba5986b0b6fc7f5189a8c47f966bf05a7532f6fbd4c98e3c34eebc97c1fba390e6ed5914582090d935a970472615cd |
\Users\Admin\Pictures\5DcRCwbO98vkpPbvGxBzB2V7.exe
| MD5 | e27a6161f976b50d5a787d903497d06a |
| SHA1 | cc55a5451e8b0923936547c863fcb9696b7cbec9 |
| SHA256 | 4494ef6d16e351c288c1329cc4f6c8a5bc85b3c573b083f08b58eafaec2308b0 |
| SHA512 | a504257b5b43dfe666fc8a4bcd56267f3d06795216fea4f5c9b8ad83714d655c2c81be187677f9329d03d3c1c971b5999b231244e0ecbe4105d9451c57ef9906 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
| MD5 | d4ae187b4574036c2d76b6df8a8c1a30 |
| SHA1 | b06f409fa14bab33cbaf4a37811b8740b624d9e5 |
| SHA256 | a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7 |
| SHA512 | 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
| MD5 | d4ae187b4574036c2d76b6df8a8c1a30 |
| SHA1 | b06f409fa14bab33cbaf4a37811b8740b624d9e5 |
| SHA256 | a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7 |
| SHA512 | 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
| MD5 | 4ea57268c2122b9d3b117d39ff943ec5 |
| SHA1 | 5a81d429e3523b148cf09e3dfd7f4481f680fc5d |
| SHA256 | a0a9a151aaf7f5f169b0becac50395ff231cf92c0e05e61dc10c1ec8b16435d9 |
| SHA512 | c0712e8cf6e037810c6146fe50694658907e29f37e5f1767adb153d80e78df82effd383d78fea17fd27625e4e42b3204a97db234144dd7b2b141ad85d81f268f |
C:\Users\Admin\Pictures\hfKCfrwKwtfhBmKU30a2Kt2j.exe
| MD5 | 4b9d22ddf2f84d9b5958f0f4a1d6b954 |
| SHA1 | 82a607e3f40681621419a3a0972efef2ed8d8131 |
| SHA256 | 6e7dd960a59b65b7cbc784b51e370f10b018bf4a07c114fd4bf1a19dbda2e30a |
| SHA512 | 7013f17a44867b74884b29d8ffb58fb5f6ba5986b0b6fc7f5189a8c47f966bf05a7532f6fbd4c98e3c34eebc97c1fba390e6ed5914582090d935a970472615cd |
C:\Users\Admin\Pictures\5DcRCwbO98vkpPbvGxBzB2V7.exe
| MD5 | e27a6161f976b50d5a787d903497d06a |
| SHA1 | cc55a5451e8b0923936547c863fcb9696b7cbec9 |
| SHA256 | 4494ef6d16e351c288c1329cc4f6c8a5bc85b3c573b083f08b58eafaec2308b0 |
| SHA512 | a504257b5b43dfe666fc8a4bcd56267f3d06795216fea4f5c9b8ad83714d655c2c81be187677f9329d03d3c1c971b5999b231244e0ecbe4105d9451c57ef9906 |
\Users\Admin\Pictures\5DcRCwbO98vkpPbvGxBzB2V7.exe
| MD5 | e27a6161f976b50d5a787d903497d06a |
| SHA1 | cc55a5451e8b0923936547c863fcb9696b7cbec9 |
| SHA256 | 4494ef6d16e351c288c1329cc4f6c8a5bc85b3c573b083f08b58eafaec2308b0 |
| SHA512 | a504257b5b43dfe666fc8a4bcd56267f3d06795216fea4f5c9b8ad83714d655c2c81be187677f9329d03d3c1c971b5999b231244e0ecbe4105d9451c57ef9906 |
C:\Users\Admin\Pictures\hfKCfrwKwtfhBmKU30a2Kt2j.exe
| MD5 | 4b9d22ddf2f84d9b5958f0f4a1d6b954 |
| SHA1 | 82a607e3f40681621419a3a0972efef2ed8d8131 |
| SHA256 | 6e7dd960a59b65b7cbc784b51e370f10b018bf4a07c114fd4bf1a19dbda2e30a |
| SHA512 | 7013f17a44867b74884b29d8ffb58fb5f6ba5986b0b6fc7f5189a8c47f966bf05a7532f6fbd4c98e3c34eebc97c1fba390e6ed5914582090d935a970472615cd |
\Users\Admin\Pictures\hfKCfrwKwtfhBmKU30a2Kt2j.exe
| MD5 | 4b9d22ddf2f84d9b5958f0f4a1d6b954 |
| SHA1 | 82a607e3f40681621419a3a0972efef2ed8d8131 |
| SHA256 | 6e7dd960a59b65b7cbc784b51e370f10b018bf4a07c114fd4bf1a19dbda2e30a |
| SHA512 | 7013f17a44867b74884b29d8ffb58fb5f6ba5986b0b6fc7f5189a8c47f966bf05a7532f6fbd4c98e3c34eebc97c1fba390e6ed5914582090d935a970472615cd |
C:\Users\Admin\Pictures\5DcRCwbO98vkpPbvGxBzB2V7.exe
| MD5 | e27a6161f976b50d5a787d903497d06a |
| SHA1 | cc55a5451e8b0923936547c863fcb9696b7cbec9 |
| SHA256 | 4494ef6d16e351c288c1329cc4f6c8a5bc85b3c573b083f08b58eafaec2308b0 |
| SHA512 | a504257b5b43dfe666fc8a4bcd56267f3d06795216fea4f5c9b8ad83714d655c2c81be187677f9329d03d3c1c971b5999b231244e0ecbe4105d9451c57ef9906 |
\Users\Admin\Pictures\vDgna56ZwuOAudYuiVDuq6b8.exe
| MD5 | 2d05cb7fb4726bb51c6059540f0e013e |
| SHA1 | e7d75ad671c662ba956e54ccfff28465e851624d |
| SHA256 | 8f116aee53abca68ca7be71a7b5574c84f5df03d38fc8a524ce4d256ab380aa4 |
| SHA512 | 890999d65ab16445eb6743ad83802c14d3798da9485a973b237dc3c419683358e9c2609a3566594e53a60ae207561724c06c533c4d1fa2c42f9f9056e0e8b82b |
memory/1036-262-0x0000000004440000-0x0000000004838000-memory.dmp
C:\Users\Admin\Pictures\vDgna56ZwuOAudYuiVDuq6b8.exe
| MD5 | 2d05cb7fb4726bb51c6059540f0e013e |
| SHA1 | e7d75ad671c662ba956e54ccfff28465e851624d |
| SHA256 | 8f116aee53abca68ca7be71a7b5574c84f5df03d38fc8a524ce4d256ab380aa4 |
| SHA512 | 890999d65ab16445eb6743ad83802c14d3798da9485a973b237dc3c419683358e9c2609a3566594e53a60ae207561724c06c533c4d1fa2c42f9f9056e0e8b82b |
\Users\Admin\Pictures\g5zeJzaocLxhHCpUNRj7sVD2.exe
| MD5 | e4fa45f80ec75d24124d434010023355 |
| SHA1 | d495157ba5ff2408b7ef2a1ad6be1b3c55bf7a1a |
| SHA256 | c6d7d32807a9342d95e865e9828cf214722a097ec3f903ff8225d5a2e9c257c2 |
| SHA512 | 717119cb492e9b9818bc86b436adb67acdfb4f08e0ccdd666b7b148a01969c18a8da8bb083d7c86dc4a4857871fc8537cf33e49c75cc189fa3a40442542fb7ba |
\Users\Admin\Pictures\HNCyRjxl4LzJ5r19WQmiZdv1.exe
| MD5 | 0e922cb58d6ff5ea5f7cd8e010b878b0 |
| SHA1 | c29f3082931919d445e4e2de8e616a2f6174fd0c |
| SHA256 | a1906b84a07fabf7670353afa915f30588f111e570f9b98cba105897b97d46d0 |
| SHA512 | ad1de02a6e174a42deb042541be7b0932accf9284e9e4ddbc51cfa807c47bd005d98a2a29d88b1be1193d642dcd0d07f1cbffb03e59307997da7675fe83a0ee6 |
C:\Users\Admin\Pictures\vDgna56ZwuOAudYuiVDuq6b8.exe
| MD5 | 2d05cb7fb4726bb51c6059540f0e013e |
| SHA1 | e7d75ad671c662ba956e54ccfff28465e851624d |
| SHA256 | 8f116aee53abca68ca7be71a7b5574c84f5df03d38fc8a524ce4d256ab380aa4 |
| SHA512 | 890999d65ab16445eb6743ad83802c14d3798da9485a973b237dc3c419683358e9c2609a3566594e53a60ae207561724c06c533c4d1fa2c42f9f9056e0e8b82b |
\Users\Admin\Pictures\vDgna56ZwuOAudYuiVDuq6b8.exe
| MD5 | 2d05cb7fb4726bb51c6059540f0e013e |
| SHA1 | e7d75ad671c662ba956e54ccfff28465e851624d |
| SHA256 | 8f116aee53abca68ca7be71a7b5574c84f5df03d38fc8a524ce4d256ab380aa4 |
| SHA512 | 890999d65ab16445eb6743ad83802c14d3798da9485a973b237dc3c419683358e9c2609a3566594e53a60ae207561724c06c533c4d1fa2c42f9f9056e0e8b82b |
\Users\Admin\Pictures\U7yHt8SvJyX6Buu2YX5LuwXz.exe
| MD5 | aa3602359bb93695da27345d82a95c77 |
| SHA1 | 9cb550458f95d631fef3a89144fc9283d6c9f75a |
| SHA256 | e9225898ffe63c67058ea7e7eb5e0dc2a9ce286e83624bd85604142a07619e7d |
| SHA512 | adf43781d3f1fec56bc9cdcd1d4a8ddf1c4321206b16f70968b6ffccb59c943aed77c1192bf701ccc1ab2ce0f29b77eb76a33eba47d129a9248b61476db78a36 |
\Users\Admin\Pictures\oivzm540mO830wiumh9nk3Z6.exe
| MD5 | 9cb4b92f6b0eef1a38d3dcf3c8ff9757 |
| SHA1 | cf2b0790f9294d031638b773736b981238228866 |
| SHA256 | c64c495ea57849d9cb866161a2d778db143512f546385b6539bcd5018092ac34 |
| SHA512 | 43b1af48587f45eecf432b1d454b08436431cfd1c615228bf192dadf453b3b54742b3ed49c99ef0b1a0bc069aa5d14201e766fe36ea0becf331617f519045ec8 |
C:\Users\Admin\Pictures\vDgna56ZwuOAudYuiVDuq6b8.exe
| MD5 | 2d05cb7fb4726bb51c6059540f0e013e |
| SHA1 | e7d75ad671c662ba956e54ccfff28465e851624d |
| SHA256 | 8f116aee53abca68ca7be71a7b5574c84f5df03d38fc8a524ce4d256ab380aa4 |
| SHA512 | 890999d65ab16445eb6743ad83802c14d3798da9485a973b237dc3c419683358e9c2609a3566594e53a60ae207561724c06c533c4d1fa2c42f9f9056e0e8b82b |
\Users\Admin\Pictures\3zZWRTLylhhtTSYwvDIxuRbw.exe
| MD5 | 7af78ecfa55e8aeb8b699076266f7bcf |
| SHA1 | 432c9deb88d92ae86c55de81af26527d7d1af673 |
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
| SHA512 | 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e |
C:\Users\Admin\Pictures\g5zeJzaocLxhHCpUNRj7sVD2.exe
| MD5 | e4fa45f80ec75d24124d434010023355 |
| SHA1 | d495157ba5ff2408b7ef2a1ad6be1b3c55bf7a1a |
| SHA256 | c6d7d32807a9342d95e865e9828cf214722a097ec3f903ff8225d5a2e9c257c2 |
| SHA512 | 717119cb492e9b9818bc86b436adb67acdfb4f08e0ccdd666b7b148a01969c18a8da8bb083d7c86dc4a4857871fc8537cf33e49c75cc189fa3a40442542fb7ba |
\Users\Admin\Pictures\oivzm540mO830wiumh9nk3Z6.exe
| MD5 | 9cb4b92f6b0eef1a38d3dcf3c8ff9757 |
| SHA1 | cf2b0790f9294d031638b773736b981238228866 |
| SHA256 | c64c495ea57849d9cb866161a2d778db143512f546385b6539bcd5018092ac34 |
| SHA512 | 43b1af48587f45eecf432b1d454b08436431cfd1c615228bf192dadf453b3b54742b3ed49c99ef0b1a0bc069aa5d14201e766fe36ea0becf331617f519045ec8 |
\Users\Admin\Pictures\oivzm540mO830wiumh9nk3Z6.exe
| MD5 | 9cb4b92f6b0eef1a38d3dcf3c8ff9757 |
| SHA1 | cf2b0790f9294d031638b773736b981238228866 |
| SHA256 | c64c495ea57849d9cb866161a2d778db143512f546385b6539bcd5018092ac34 |
| SHA512 | 43b1af48587f45eecf432b1d454b08436431cfd1c615228bf192dadf453b3b54742b3ed49c99ef0b1a0bc069aa5d14201e766fe36ea0becf331617f519045ec8 |
C:\Users\Admin\Pictures\HNCyRjxl4LzJ5r19WQmiZdv1.exe
| MD5 | 0e922cb58d6ff5ea5f7cd8e010b878b0 |
| SHA1 | c29f3082931919d445e4e2de8e616a2f6174fd0c |
| SHA256 | a1906b84a07fabf7670353afa915f30588f111e570f9b98cba105897b97d46d0 |
| SHA512 | ad1de02a6e174a42deb042541be7b0932accf9284e9e4ddbc51cfa807c47bd005d98a2a29d88b1be1193d642dcd0d07f1cbffb03e59307997da7675fe83a0ee6 |
C:\Users\Admin\Pictures\3zZWRTLylhhtTSYwvDIxuRbw.exe
| MD5 | 7af78ecfa55e8aeb8b699076266f7bcf |
| SHA1 | 432c9deb88d92ae86c55de81af26527d7d1af673 |
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
| SHA512 | 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e |
C:\Users\Admin\Pictures\oivzm540mO830wiumh9nk3Z6.exe
| MD5 | 9cb4b92f6b0eef1a38d3dcf3c8ff9757 |
| SHA1 | cf2b0790f9294d031638b773736b981238228866 |
| SHA256 | c64c495ea57849d9cb866161a2d778db143512f546385b6539bcd5018092ac34 |
| SHA512 | 43b1af48587f45eecf432b1d454b08436431cfd1c615228bf192dadf453b3b54742b3ed49c99ef0b1a0bc069aa5d14201e766fe36ea0becf331617f519045ec8 |
C:\Users\Admin\Pictures\oivzm540mO830wiumh9nk3Z6.exe
| MD5 | 9cb4b92f6b0eef1a38d3dcf3c8ff9757 |
| SHA1 | cf2b0790f9294d031638b773736b981238228866 |
| SHA256 | c64c495ea57849d9cb866161a2d778db143512f546385b6539bcd5018092ac34 |
| SHA512 | 43b1af48587f45eecf432b1d454b08436431cfd1c615228bf192dadf453b3b54742b3ed49c99ef0b1a0bc069aa5d14201e766fe36ea0becf331617f519045ec8 |
\Users\Admin\AppData\Local\Temp\Opera_installer_2309241137134342608.dll
| MD5 | 6aceaeba686345df2e1f3284cc090abe |
| SHA1 | 5cc8eb87a170c5bc91472cd6cc6d435370ae741b |
| SHA256 | 73e29a88eccb162b70b366b9c91986b7bf5ce90b9072eaa88f146fb06e8d8885 |
| SHA512 | 8448a64feaed4bb1af04c9a34d92c5ecfbf7da3c4cb2a1f23ccc024cfd53da8a18a6bdb45c8c337f212c23e0f1b25da44118e9b41774d7aa74b6e0a64f944d69 |
C:\Users\Admin\Pictures\oivzm540mO830wiumh9nk3Z6.exe
| MD5 | 9cb4b92f6b0eef1a38d3dcf3c8ff9757 |
| SHA1 | cf2b0790f9294d031638b773736b981238228866 |
| SHA256 | c64c495ea57849d9cb866161a2d778db143512f546385b6539bcd5018092ac34 |
| SHA512 | 43b1af48587f45eecf432b1d454b08436431cfd1c615228bf192dadf453b3b54742b3ed49c99ef0b1a0bc069aa5d14201e766fe36ea0becf331617f519045ec8 |
C:\Users\Admin\Pictures\HNCyRjxl4LzJ5r19WQmiZdv1.exe
| MD5 | 0e922cb58d6ff5ea5f7cd8e010b878b0 |
| SHA1 | c29f3082931919d445e4e2de8e616a2f6174fd0c |
| SHA256 | a1906b84a07fabf7670353afa915f30588f111e570f9b98cba105897b97d46d0 |
| SHA512 | ad1de02a6e174a42deb042541be7b0932accf9284e9e4ddbc51cfa807c47bd005d98a2a29d88b1be1193d642dcd0d07f1cbffb03e59307997da7675fe83a0ee6 |
C:\Users\Admin\Pictures\g5zeJzaocLxhHCpUNRj7sVD2.exe
| MD5 | e4fa45f80ec75d24124d434010023355 |
| SHA1 | d495157ba5ff2408b7ef2a1ad6be1b3c55bf7a1a |
| SHA256 | c6d7d32807a9342d95e865e9828cf214722a097ec3f903ff8225d5a2e9c257c2 |
| SHA512 | 717119cb492e9b9818bc86b436adb67acdfb4f08e0ccdd666b7b148a01969c18a8da8bb083d7c86dc4a4857871fc8537cf33e49c75cc189fa3a40442542fb7ba |
\Users\Admin\Pictures\g5zeJzaocLxhHCpUNRj7sVD2.exe
| MD5 | e4fa45f80ec75d24124d434010023355 |
| SHA1 | d495157ba5ff2408b7ef2a1ad6be1b3c55bf7a1a |
| SHA256 | c6d7d32807a9342d95e865e9828cf214722a097ec3f903ff8225d5a2e9c257c2 |
| SHA512 | 717119cb492e9b9818bc86b436adb67acdfb4f08e0ccdd666b7b148a01969c18a8da8bb083d7c86dc4a4857871fc8537cf33e49c75cc189fa3a40442542fb7ba |
C:\Users\Admin\Pictures\U7yHt8SvJyX6Buu2YX5LuwXz.exe
| MD5 | aa3602359bb93695da27345d82a95c77 |
| SHA1 | 9cb550458f95d631fef3a89144fc9283d6c9f75a |
| SHA256 | e9225898ffe63c67058ea7e7eb5e0dc2a9ce286e83624bd85604142a07619e7d |
| SHA512 | adf43781d3f1fec56bc9cdcd1d4a8ddf1c4321206b16f70968b6ffccb59c943aed77c1192bf701ccc1ab2ce0f29b77eb76a33eba47d129a9248b61476db78a36 |
\Users\Admin\Pictures\oivzm540mO830wiumh9nk3Z6.exe
| MD5 | 9cb4b92f6b0eef1a38d3dcf3c8ff9757 |
| SHA1 | cf2b0790f9294d031638b773736b981238228866 |
| SHA256 | c64c495ea57849d9cb866161a2d778db143512f546385b6539bcd5018092ac34 |
| SHA512 | 43b1af48587f45eecf432b1d454b08436431cfd1c615228bf192dadf453b3b54742b3ed49c99ef0b1a0bc069aa5d14201e766fe36ea0becf331617f519045ec8 |
C:\Users\Admin\Pictures\U7yHt8SvJyX6Buu2YX5LuwXz.exe
| MD5 | aa3602359bb93695da27345d82a95c77 |
| SHA1 | 9cb550458f95d631fef3a89144fc9283d6c9f75a |
| SHA256 | e9225898ffe63c67058ea7e7eb5e0dc2a9ce286e83624bd85604142a07619e7d |
| SHA512 | adf43781d3f1fec56bc9cdcd1d4a8ddf1c4321206b16f70968b6ffccb59c943aed77c1192bf701ccc1ab2ce0f29b77eb76a33eba47d129a9248b61476db78a36 |
memory/656-274-0x0000000073390000-0x0000000073A7E000-memory.dmp
memory/2880-314-0x0000000000220000-0x0000000000229000-memory.dmp
memory/2880-313-0x0000000002650000-0x0000000002750000-memory.dmp
memory/2744-315-0x000000000CCC0000-0x000000000D1F5000-memory.dmp
memory/2752-316-0x00000000FF610000-0x00000000FF6B2000-memory.dmp
memory/1036-317-0x0000000004840000-0x000000000512B000-memory.dmp
memory/1036-321-0x0000000000400000-0x0000000002985000-memory.dmp
memory/2608-328-0x0000000000CD0000-0x0000000001205000-memory.dmp
memory/1036-329-0x0000000004440000-0x0000000004838000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2f8f59b9a5f67ac3795441bc4388a476 |
| SHA1 | 7b0cd29aea0d0ce83e15f57deb15450c9cc2dcba |
| SHA256 | 12f8d28e638c5ff876263892be0314841719d72cdfa73beb0414de91c3f5e0a0 |
| SHA512 | 54797a62820acf6db76525aa25aeace6f7635ae24f36422eeea664fd8b1711c4ca71ed6eeaf324b04c3caaa1bc619869540a60b18cabb62f992d99d1c8f30e7b |
\Users\Admin\AppData\Local\Temp\set16.exe
| MD5 | 22d5269955f256a444bd902847b04a3b |
| SHA1 | 41a83de3273270c3bd5b2bd6528bdc95766aa268 |
| SHA256 | ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd |
| SHA512 | d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c |
C:\Users\Admin\Pictures\5DcRCwbO98vkpPbvGxBzB2V7.exe
| MD5 | e27a6161f976b50d5a787d903497d06a |
| SHA1 | cc55a5451e8b0923936547c863fcb9696b7cbec9 |
| SHA256 | 4494ef6d16e351c288c1329cc4f6c8a5bc85b3c573b083f08b58eafaec2308b0 |
| SHA512 | a504257b5b43dfe666fc8a4bcd56267f3d06795216fea4f5c9b8ad83714d655c2c81be187677f9329d03d3c1c971b5999b231244e0ecbe4105d9451c57ef9906 |
memory/2680-344-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2496-360-0x0000000002A00000-0x0000000002B00000-memory.dmp
memory/2836-352-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2496-362-0x00000000003C0000-0x00000000003FE000-memory.dmp
memory/1776-377-0x0000000073390000-0x0000000073A7E000-memory.dmp
memory/2496-379-0x0000000000400000-0x00000000025B2000-memory.dmp
memory/656-382-0x0000000004780000-0x00000000047C0000-memory.dmp
memory/1036-385-0x0000000000400000-0x0000000002985000-memory.dmp
memory/2836-390-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2496-395-0x0000000000400000-0x00000000025B2000-memory.dmp
memory/1496-398-0x000000013FAC0000-0x0000000140003000-memory.dmp
memory/1212-406-0x0000000003740000-0x0000000003756000-memory.dmp
memory/2836-408-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\Pictures\IjC0vqhoTiUNca4U0Iy7YKv2.exe
| MD5 | a2cc32a235869ff08ce951a7c159d2a3 |
| SHA1 | fee7b158df4c261fd7e6c9153c07cea2a0c44bde |
| SHA256 | 8db8e0ace2bbad2031e63db31a3996773c5ba941ffebc215996d9e419f9710f8 |
| SHA512 | b8d04ee6a322127b21fb169b40c52100c8d11ffb9e1d9da916de9b8fbe5c64e4c0c9fc419da2ab69fdb74be794b9092493c335e5d8c1ad7cd1f0e7f27648e898 |
memory/1856-464-0x0000000000AF0000-0x0000000000AF8000-memory.dmp
memory/1724-496-0x0000000000400000-0x000000000046A000-memory.dmp
memory/1856-543-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp
memory/2028-545-0x0000000001370000-0x0000000001A67000-memory.dmp
memory/2028-546-0x0000000001370000-0x0000000001A67000-memory.dmp
memory/1724-547-0x0000000000400000-0x000000000046A000-memory.dmp
memory/2576-548-0x0000000002F50000-0x00000000030C1000-memory.dmp
memory/2576-549-0x00000000030D0000-0x0000000003201000-memory.dmp
memory/1856-550-0x000000001B190000-0x000000001B210000-memory.dmp
memory/2028-551-0x0000000000040000-0x0000000000737000-memory.dmp
memory/2028-552-0x0000000001370000-0x0000000001A67000-memory.dmp
memory/1060-553-0x0000000002380000-0x0000000002A77000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | adf7cc543768322197c5ed1236052335 |
| SHA1 | 1e90143d4a5289f9bc68fc9191ac8d3d4bca12d5 |
| SHA256 | 7f32fde4d8bce84aac693d543b58af2a3198414121332155139fd9ccd63d9494 |
| SHA512 | 6bca1b32450047e65e9c92199b72eac1ef25194cc91a24e4426fbe62578e35c43943b45f591456ca1b646357facca5c12444abd82f8b48e509b95bddf9cf8d6c |
memory/3056-621-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1616-629-0x0000000000330000-0x00000000003C2000-memory.dmp
memory/2796-628-0x0000000002410000-0x0000000002411000-memory.dmp
C:\Users\Admin\Pictures\X2v2KlPmZ15Cr2dsy1iO6W0h.exe
| MD5 | e51c4f97170c0923d9b34384ebda122c |
| SHA1 | 9025b27d2a2a412f33faafe717ce3da0d042ed76 |
| SHA256 | ea4c2dba59c22eca6aa0ed125faf7cffe0f56d0eaee90addcc33b82fa195f99f |
| SHA512 | 9828c91f1f7788e920995bf987bdcf84012dad3dcb0d314b130c2b583156e60a6069a851bfa2230efdef1ce9e5cf19a71a6c30cbf79ab38b23209e4662ce564b |
C:\Users\Admin\Pictures\SH1ytfU14d6kI7ZgpmKkkCZr.exe
| MD5 | 823b5fcdef282c5318b670008b9e6922 |
| SHA1 | d20cd5321d8a3d423af4c6dabc0ac905796bdc6d |
| SHA256 | 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d |
| SHA512 | 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472 |
memory/2744-658-0x000000000CCC0000-0x000000000D1F5000-memory.dmp
memory/1036-659-0x0000000000400000-0x0000000002985000-memory.dmp
memory/2392-660-0x0000000073390000-0x0000000073A7E000-memory.dmp
memory/2784-661-0x0000000004350000-0x0000000004748000-memory.dmp
memory/2784-662-0x0000000000400000-0x0000000002985000-memory.dmp
memory/2752-663-0x00000000031B0000-0x00000000032E1000-memory.dmp
memory/2392-667-0x0000000000C20000-0x0000000000F3C000-memory.dmp
memory/2680-677-0x0000000000400000-0x0000000000413000-memory.dmp
memory/2496-676-0x0000000002A00000-0x0000000002B00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
| MD5 | 13701b5f47799e064b1ddeb18bce96d9 |
| SHA1 | 1807f0c2ae8a72a823f0fdb0a2c3401a6e89a095 |
| SHA256 | a34a5bbba3330c67d8bef87a9888f6d25faf554254a1b2b40ffdaf2ce07b81aa |
| SHA512 | c247ee79649e6467d0e50e8380ada70df8f809016b460ebe5570bfa6c6181284181231bf94c4e5288982741e343c4cf8af735351e7bb38469b0546ef237c30bf |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 4881eb0e1607cfc7dbedc665c4dd36c7 |
| SHA1 | b27952f43ad10360b2e5810c029dec0bc932b9c0 |
| SHA256 | eb59b5a0fcba7d2e2e1692da1fa0ca61c4bf15e118a1cc52f366c0fc61d6983e |
| SHA512 | 8b2e138ed14789f67b75ba1c0483255cd6706319025ca073d38178b856986d0c5288ba18c449da6310ec7828627dd410a0b356580a1f98f9dd53c506bf929a3a |
memory/2496-714-0x0000000000400000-0x00000000025B2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-24 11:36
Reported
2023-09-24 11:38
Platform
win10v2004-20230915-en
Max time kernel
153s
Max time network
162s
Command Line
Signatures
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4B72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4E23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4B72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6093.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2812 set thread context of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\4E23.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 1588 set thread context of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\4B72.exe | C:\Users\Admin\AppData\Local\Temp\4B72.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\1b03697e2b8b2408ae694ce59b76a83677b990546d5e3d27732d5dd62347224c_JC.exe"
C:\Users\Admin\AppData\Local\Temp\4B72.exe
C:\Users\Admin\AppData\Local\Temp\4B72.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4CF9.dll
C:\Users\Admin\AppData\Local\Temp\4E23.exe
C:\Users\Admin\AppData\Local\Temp\4E23.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\4CF9.dll
C:\Users\Admin\AppData\Local\Temp\4B72.exe
C:\Users\Admin\AppData\Local\Temp\4B72.exe
C:\Users\Admin\AppData\Local\Temp\6093.exe
C:\Users\Admin\AppData\Local\Temp\6093.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\5f476f65-68ad-4a61-bbea-f005c2cbd796" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\66BE.exe
C:\Users\Admin\AppData\Local\Temp\66BE.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.211.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.96.0:80 | potunulit.org | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| BG | 193.42.32.101:80 | 193.42.32.101 | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | 101.32.42.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 254.217.0.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | 101.15.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp |
Files
memory/1188-0-0x00000000006F0000-0x0000000000705000-memory.dmp
memory/1188-1-0x00000000001C0000-0x00000000001C9000-memory.dmp
memory/1188-2-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3124-3-0x0000000002AD0000-0x0000000002AE6000-memory.dmp
memory/1188-4-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1188-8-0x00000000001C0000-0x00000000001C9000-memory.dmp
memory/1188-7-0x00000000006F0000-0x0000000000705000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4B72.exe
| MD5 | 0511a0c819ade47392a2f3a51eaf1f0b |
| SHA1 | 39b0471e8d501702179bfcb744728c00dcced7ba |
| SHA256 | 635a73433a258fa5a9b3b015f57ca84e1c296e9b65888fb64ebb602213a9d49d |
| SHA512 | a3fc26ace23b84369a653a508744bb4502b64d4acf7548eabf4efe255a4faad89ca5d37e5bfe54f2f1ef81061fed95467cc4aa5672429a5f6714959f28bad1b5 |
memory/1588-18-0x00000000042B0000-0x0000000004345000-memory.dmp
memory/1588-19-0x0000000004460000-0x000000000457B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4E23.exe
| MD5 | 3240f8928a130bb155571570c563200a |
| SHA1 | aa621ddde551f7e0dbeed157ab1eac3f1906f493 |
| SHA256 | a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42 |
| SHA512 | e7c357e54b7768f1a66e0dabe2c604afe3765eb858f8b4e5751659a4b373b10fb6cc1dc72641aabf83e34d097f28fa70a78482310ecd93e9aa0347378bde409b |
C:\Users\Admin\AppData\Local\Temp\4CF9.dll
| MD5 | 9b9f5bbdb27f30ffb9eddec2df39137e |
| SHA1 | 92c46dcd23fcda7d0d53e1a49f9a4d3e9684d054 |
| SHA256 | 7eaebda0f4c88c43d8de32202090c3e158f5f25cf8dcef20a46b4eb0d72cd4bc |
| SHA512 | 33def0eead3fadf32ba0c5da7e626986b7a928af2f0cb4d480d1c422737581332d63acd2795a3bd793916b2a074f809d699d9732d81c23373c2620e76ddfc675 |
memory/4548-25-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4548-27-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4548-29-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4548-30-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3796-31-0x0000000002870000-0x0000000002876000-memory.dmp
memory/3796-32-0x0000000010000000-0x000000001019C000-memory.dmp
memory/4668-34-0x0000000074DE0000-0x0000000075590000-memory.dmp
memory/4668-35-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4668-37-0x0000000005090000-0x00000000050A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6093.exe
| MD5 | 17babdf3fe34211124f30a21b1dab992 |
| SHA1 | 563ad01cd395a59c7328d988bc705b2eb46c9810 |
| SHA256 | 420f9663ae6840d5bed911d35b672efab6f0415165c12426db44bc68410ef72d |
| SHA512 | a8aded23074d6db0966fce15f4337d0cb62e913821b4db1077dae8d9faa72d4a5732f338980ebc255d7e6afc1c72eccfeb21525c50b004ada3093f3d0b55dcc6 |
C:\Users\Admin\AppData\Local\Temp\6093.exe
| MD5 | 50d3e926522928e0bb665bec03216a64 |
| SHA1 | ed8fb52a945da7ef686ee451f8518d6e0c2a87fd |
| SHA256 | 289722c9385eae72747a01db8313e58670605df8cc5adc2ac6531a6503ea5ff4 |
| SHA512 | a27c7e10eb113fd3fdabd7db1927acdf2a95283d867c37ed999bb1ab3896c03d5ca97d975b8af1dfac5acdddb76720f0ec47fd0f002a59eb96c3758ab6d361d1 |
memory/3796-42-0x0000000002C30000-0x0000000002D3F000-memory.dmp
memory/2740-43-0x0000000074DE0000-0x0000000075590000-memory.dmp
memory/2740-41-0x0000000000B40000-0x00000000011D0000-memory.dmp
C:\Users\Admin\AppData\Local\5f476f65-68ad-4a61-bbea-f005c2cbd796\4B72.exe
| MD5 | 0511a0c819ade47392a2f3a51eaf1f0b |
| SHA1 | 39b0471e8d501702179bfcb744728c00dcced7ba |
| SHA256 | 635a73433a258fa5a9b3b015f57ca84e1c296e9b65888fb64ebb602213a9d49d |
| SHA512 | a3fc26ace23b84369a653a508744bb4502b64d4acf7548eabf4efe255a4faad89ca5d37e5bfe54f2f1ef81061fed95467cc4aa5672429a5f6714959f28bad1b5 |
memory/3796-54-0x0000000002D50000-0x0000000002E45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\66BE.exe
| MD5 | c0526b466507cb44d67f6d6f8f209047 |
| SHA1 | 4fe125837e7fc7167258b80277c856a7f5e85275 |
| SHA256 | fc60a01b7577ee26125e216619c0942529777a7734bef8c0cdacbf8004b7a79b |
| SHA512 | f3d610b658fce192e63cda1846fabd3b0af9c8bef3b38515b04af61737bd1349ad22ef018f3247b8ba3ba146658af4e9fba799f46790299944d7081146944fad |
memory/3796-60-0x0000000002D50000-0x0000000002E45000-memory.dmp
memory/3600-62-0x00000000027E0000-0x00000000028E0000-memory.dmp
memory/3600-63-0x00000000027C0000-0x00000000027C9000-memory.dmp