Malware Analysis Report

2025-04-14 05:16

Sample ID 230927-j6958aae28
Target file.exe
SHA256 837ef3bdbec1b4a38ba2e4041dfec9c34f210964f403207021fe0537e7409b33
Tags
djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) up3 backdoor discovery dropper infostealer loader ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

837ef3bdbec1b4a38ba2e4041dfec9c34f210964f403207021fe0537e7409b33

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) up3 backdoor discovery dropper infostealer loader ransomware trojan

Detected Djvu ransomware

Djvu Ransomware

Glupteba

RedLine

Glupteba payload

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Deletes itself

Modifies file permissions

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Runs net.exe

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-27 08:18

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-09-27 08:18

Reported

2023-09-27 08:20

Platform

win7-20230831-en

Max time kernel

27s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload


RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself


Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94D0.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99F1.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2612 set thread context of 2740 N/A C:\Users\Admin\AppData\Local\Temp\94D0.exe C:\Users\Admin\AppData\Local\Temp\94D0.exe
PID 2804 set thread context of 2496 N/A C:\Users\Admin\AppData\Local\Temp\99F1.exe C:\Users\Admin\AppData\Local\Temp\99F1.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\EF34.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam


Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1288 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\Temp\94D0.exe
PID 2612 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\94D0.exe C:\Users\Admin\AppData\Local\Temp\94D0.exe
PID 1288 wrote to memory of 2660 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2660 wrote to memory of 2600 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2804 N/A N/A C:\Users\Admin\AppData\Local\Temp\99F1.exe
PID 1288 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\9BD5.exe
PID 2804 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\99F1.exe C:\Users\Admin\AppData\Local\Temp\99F1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\94D0.exe

C:\Users\Admin\AppData\Local\Temp\94D0.exe

C:\Users\Admin\AppData\Local\Temp\94D0.exe

C:\Users\Admin\AppData\Local\Temp\94D0.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9760.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\9760.dll

C:\Users\Admin\AppData\Local\Temp\99F1.exe

C:\Users\Admin\AppData\Local\Temp\99F1.exe

C:\Users\Admin\AppData\Local\Temp\9BD5.exe

C:\Users\Admin\AppData\Local\Temp\9BD5.exe

C:\Users\Admin\AppData\Local\Temp\99F1.exe

C:\Users\Admin\AppData\Local\Temp\99F1.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e563d9c6-c3b3-4804-b351-8bf2c9b67e15" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\94D0.exe

"C:\Users\Admin\AppData\Local\Temp\94D0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\94D0.exe

"C:\Users\Admin\AppData\Local\Temp\94D0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\99F1.exe

"C:\Users\Admin\AppData\Local\Temp\99F1.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\99F1.exe

"C:\Users\Admin\AppData\Local\Temp\99F1.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\EAE0.exe

C:\Users\Admin\AppData\Local\Temp\EAE0.exe

C:\Users\Admin\AppData\Local\Temp\EF34.exe

C:\Users\Admin\AppData\Local\Temp\EF34.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9BD5.exe" -Force

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 92

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Users\Admin\AppData\Local\Temp\is-83RB2.tmp\is-JHUS6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-83RB2.tmp\is-JHUS6.tmp" /SL4 $100016 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\50dd6d8b-e727-4d43-972b-63cda633e64f\build3.exe

"C:\Users\Admin\AppData\Local\50dd6d8b-e727-4d43-972b-63cda633e64f\build3.exe"

C:\Users\Admin\AppData\Local\d6de3f09-58de-43c4-b129-8c928ea370d8\build3.exe

"C:\Users\Admin\AppData\Local\d6de3f09-58de-43c4-b129-8c928ea370d8\build3.exe"

C:\Users\Admin\AppData\Local\d6de3f09-58de-43c4-b129-8c928ea370d8\build2.exe

"C:\Users\Admin\AppData\Local\d6de3f09-58de-43c4-b129-8c928ea370d8\build2.exe"

C:\Users\Admin\AppData\Local\50dd6d8b-e727-4d43-972b-63cda633e64f\build2.exe

"C:\Users\Admin\AppData\Local\50dd6d8b-e727-4d43-972b-63cda633e64f\build2.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {D5DF37FF-3338-4DE9-AA66-6EF6ADC53569} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\d6de3f09-58de-43c4-b129-8c928ea370d8\build2.exe

"C:\Users\Admin\AppData\Local\d6de3f09-58de-43c4-b129-8c928ea370d8\build2.exe"

C:\Users\Admin\AppData\Roaming\afjitwi

C:\Users\Admin\AppData\Roaming\afjitwi

C:\Users\Admin\AppData\Roaming\vdjitwi

C:\Users\Admin\AppData\Roaming\vdjitwi

Network


Files


\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/1632-201-0x00000000FF6E0000-0x00000000FF782000-memory.dmp

memory/2436-207-0x00000000026D0000-0x00000000027D0000-memory.dmp

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/1676-223-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/2076-221-0x00000000043C0000-0x00000000047B8000-memory.dmp

\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/2540-220-0x0000000073020000-0x000000007370E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/1676-219-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2436-209-0x0000000000020000-0x0000000000029000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/1144-230-0x0000000073020000-0x000000007370E000-memory.dmp

memory/2076-232-0x00000000043C0000-0x00000000047B8000-memory.dmp

memory/2540-231-0x0000000004F90000-0x0000000004FD0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9acee239b4e375d9c529921090d2d81f
SHA1 2979ba72f696affa7a88c2fdad4dd49b84bea49c
SHA256 1d03f93970d1a0f121eef67dc4360c4404deb2957d88840f069869a008e5fdbe
SHA512 a5a0880c6c284adc704983079c51769fe75e6bfb0ae91b910122ce8180a5857eaefdd1e7760e61d1db3e62bc5c94f067b953c21585363fe3f1a6b29d9d98789d

memory/2076-243-0x00000000047C0000-0x00000000050AB000-memory.dmp

memory/2076-244-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/888-299-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1552-302-0x0000000002660000-0x00000000026A0000-memory.dmp

memory/888-300-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/888-298-0x0000000000400000-0x0000000000430000-memory.dmp

memory/888-288-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1352-286-0x0000000073020000-0x000000007370E000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/888-313-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d32cb495b7e5665ef050462b2cce8173
SHA1 68df231d7dc91f23ea9e44178cf9e0ac38e78e3b
SHA256 977e83a1a94b0f9a6197f4ff1c3c5ef2ac1e9e9beed40771704d39c53b030363
SHA512 8e7b6e88e66ea0abe9872d9ca58762f680d36f914238d39764c28f9d2c5a641f9119a644e246efb451b78793b47cd80060b24e32d3633b6c7743338c505c7e04

memory/1676-383-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2540-356-0x0000000073020000-0x000000007370E000-memory.dmp

memory/888-397-0x0000000000330000-0x0000000000336000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 09d2bae3b05f4c92b25a8c6225df6483
SHA1 ff084d8a1f43903b95bf9144b3719126a3d40cc8
SHA256 a282e51236ad1fb5eb73b2d8d8cb022213cda792705d8f595b504e2b6d2e00c5
SHA512 2151cb657a649acbc7009b20a0101f4d196a2c3cf4793885f95e8b865fb6da424a17fa139b97e312e2157a559beb5be63c824841c871114fec949d810c92bd2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 09eb34b5cd85771b4b5791a7f2a993de
SHA1 450aab2f1e66a2ebabc961e39d8aefc4cb45c8a7
SHA256 a8d657748e91dae3e84b63fdbd7ef88e5be527f2ae664cd87d64e9f4d2aa4ed9
SHA512 ba2e4d4602b6945a659470470edf811c4ca9272c00b80f8d524015035b4248a9651ca912de8d0e9c1bfa514b92fa2e5bd13123c072d9b5f1b18614e7d11fcf67

\Users\Admin\AppData\Local\Temp\is-83RB2.tmp\is-JHUS6.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 f413c362e800b9de4ca5bd570d30e8ee
SHA1 1a60cd5a1ac5126162a39224b8da2ada9b13394b
SHA256 0c2bbe8d89d9d59e3e04f032ad8379cdba84f323a07e22c07ba82b7c3d7a52a4
SHA512 5e6ad390a91a32e104b3e05e319c14daffcd0f52b3dc844eabde45c9ba47f40497c64e93466c87f851d7be9350db341ad1bc740a1c66ad2748086f1d5ad7274f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c0419d05ad443966df72dd199ad71dd8
SHA1 0ba0b1ddfbd9e45879342dba9191efbc478edf05
SHA256 49e4e0f0690e9d8e830bd520e4cd37e616a530274c6b9ce978f11c122c19696b
SHA512 e63bd124dd8d1b8993b42507a81e39c74edabfc5798cef0869638f3c2ee95a4646aab829d0d974e7912d7fa127f1098d98b92d31b4b01e1d4b4ddfd8e6e84c91

memory/760-328-0x0000000000400000-0x0000000000408000-memory.dmp

memory/888-327-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3008-426-0x0000000001350000-0x0000000001358000-memory.dmp

memory/1352-338-0x0000000073020000-0x000000007370E000-memory.dmp

memory/888-337-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/2360-312-0x0000000000400000-0x0000000000413000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/760-323-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1352-276-0x00000000000E0000-0x0000000000254000-memory.dmp

memory/888-275-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1552-430-0x000000006EA90000-0x000000006F03B000-memory.dmp

memory/2420-436-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1552-446-0x0000000002660000-0x00000000026A0000-memory.dmp

C:\Users\Admin\AppData\Local\d6de3f09-58de-43c4-b129-8c928ea370d8\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8E7WD55\build3[1].exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/1552-534-0x000000006EA90000-0x000000006F03B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-27 08:18

Reported

2023-09-27 08:20

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8AC.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3136 wrote to memory of 4872 N/A N/A C:\Users\Admin\AppData\Local\Temp\8AC.exe
PID 3136 wrote to memory of 4872 N/A N/A C:\Users\Admin\AppData\Local\Temp\8AC.exe
PID 3136 wrote to memory of 4872 N/A N/A C:\Users\Admin\AppData\Local\Temp\8AC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\8AC.exe

C:\Users\Admin\AppData\Local\Temp\8AC.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C08.dll

C:\Users\Admin\AppData\Local\Temp\8AC.exe

C:\Users\Admin\AppData\Local\Temp\8AC.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\C08.dll

C:\Users\Admin\AppData\Local\Temp\D03.exe

C:\Users\Admin\AppData\Local\Temp\D03.exe

C:\Users\Admin\AppData\Local\Temp\D03.exe

C:\Users\Admin\AppData\Local\Temp\D03.exe

C:\Users\Admin\AppData\Local\Temp\1542.exe

C:\Users\Admin\AppData\Local\Temp\1542.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
NL 162.0.217.254:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp

Files

memory/3736-0-0x00000000005F0000-0x0000000000605000-memory.dmp

memory/3736-1-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/3736-2-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3136-3-0x00000000031C0000-0x00000000031D6000-memory.dmp

memory/3736-4-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3736-8-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/3736-7-0x00000000005F0000-0x0000000000605000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8AC.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

C:\Users\Admin\AppData\Local\Temp\8AC.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

memory/4872-18-0x00000000042A0000-0x0000000004341000-memory.dmp

memory/4872-19-0x0000000004350000-0x000000000446B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C08.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

memory/3984-21-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8AC.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

C:\Users\Admin\AppData\Local\Temp\D03.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/3984-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3984-28-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D03.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

C:\Users\Admin\AppData\Local\Temp\C08.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

memory/3136-31-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-33-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-32-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-35-0x0000000001300000-0x0000000001310000-memory.dmp

memory/1960-40-0x0000000000A70000-0x0000000000A76000-memory.dmp

memory/3136-38-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3408-41-0x00000000043B0000-0x00000000044CB000-memory.dmp

memory/3408-37-0x00000000041D0000-0x0000000004271000-memory.dmp

memory/2120-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2120-51-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3136-53-0x00000000083D0000-0x00000000083E0000-memory.dmp

memory/3136-55-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-59-0x0000000001300000-0x0000000001310000-memory.dmp

memory/2120-61-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1542.exe

MD5 f62db17095733535b6cfd2d07d7fd994
SHA1 cb75466f4814f879f640e95fa8b88b4c6e8dd0c5
SHA256 9fe3bfd40d042b7a7e2d46578d5f889a90d0b0a36c233063f59fbdbb1fc5570c
SHA512 76f8889cfb56d70d8d3605b50d186e90e16ba53ad1de283e95c1d0d9e6f158d0c267d9377fe2a7498bbaec3ca030347bead67299c5ee9aa9faf531f5db0d2516

C:\Users\Admin\AppData\Local\Temp\1542.exe

MD5 f62db17095733535b6cfd2d07d7fd994
SHA1 cb75466f4814f879f640e95fa8b88b4c6e8dd0c5
SHA256 9fe3bfd40d042b7a7e2d46578d5f889a90d0b0a36c233063f59fbdbb1fc5570c
SHA512 76f8889cfb56d70d8d3605b50d186e90e16ba53ad1de283e95c1d0d9e6f158d0c267d9377fe2a7498bbaec3ca030347bead67299c5ee9aa9faf531f5db0d2516

memory/3136-67-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-69-0x0000000001300000-0x0000000001310000-memory.dmp

memory/1500-71-0x0000000000160000-0x00000000001E0000-memory.dmp

memory/3136-72-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-75-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-74-0x0000000001300000-0x0000000001310000-memory.dmp

memory/1500-73-0x0000000072E70000-0x0000000073620000-memory.dmp

memory/3136-70-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-65-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-60-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-58-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-56-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-57-0x00000000083D0000-0x00000000083D4000-memory.dmp

memory/3136-54-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-52-0x0000000001300000-0x0000000001310000-memory.dmp

memory/3136-50-0x0000000001300000-0x0000000001310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D03.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/3136-46-0x0000000001300000-0x0000000001310000-memory.dmp

memory/2120-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3136-43-0x0000000001300000-0x0000000001310000-memory.dmp

memory/1960-36-0x0000000010000000-0x00000000101A4000-memory.dmp

memory/3984-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1500-76-0x0000000005120000-0x00000000056C4000-memory.dmp

memory/1500-77-0x0000000004C70000-0x0000000004D0C000-memory.dmp