Malware Analysis Report

2025-04-14 05:17

Sample ID 230927-kx3v8aag39
Target file.exe
SHA256 837ef3bdbec1b4a38ba2e4041dfec9c34f210964f403207021fe0537e7409b33
Tags
djvu glupteba redline smokeloader vidar logsdiller cloud (tg: @logsdillabot) up3 backdoor discovery dropper evasion infostealer loader ransomware stealer trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

UAC bypass

Glupteba payload

Glupteba

Windows security bypass

SmokeLoader

Detected Djvu ransomware

RedLine

Vidar

Djvu Ransomware

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Uses the VBS compiler for execution

Deletes itself

Windows security modification

Loads dropped DLL

UPX packed file

Checks whether UAC is enabled

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

System policy modification

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-27 08:59

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-27 08:59

Reported

2023-09-27 09:02

Platform

win7-20230831-en

Max time kernel

36s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\980E.exe N/A

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\980E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\980E.exe = "0" C:\Users\Admin\AppData\Local\Temp\980E.exe N/A

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8E6A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\912A.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\980E.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\980E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\980E.exe = "0" C:\Users\Admin\AppData\Local\Temp\980E.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\980E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\980E.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\C25A.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2724 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E6A.exe
PID 2724 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\8E6A.exe C:\Users\Admin\AppData\Local\Temp\8E6A.exe
PID 1244 wrote to memory of 2632 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1244 wrote to memory of 2856 N/A N/A C:\Users\Admin\AppData\Local\Temp\912A.exe
PID 2632 wrote to memory of 1684 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2856 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\912A.exe C:\Users\Admin\AppData\Local\Temp\912A.exe
PID 1244 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\Temp\980E.exe
PID 2928 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\980E.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2928 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\980E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1244 wrote to memory of 564 N/A N/A C:\Users\Admin\AppData\Local\Temp\B59D.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\980E.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\8E6A.exe

C:\Users\Admin\AppData\Local\Temp\8E6A.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9020.dll

C:\Users\Admin\AppData\Local\Temp\8E6A.exe

C:\Users\Admin\AppData\Local\Temp\8E6A.exe

C:\Users\Admin\AppData\Local\Temp\912A.exe

C:\Users\Admin\AppData\Local\Temp\912A.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\9020.dll

C:\Users\Admin\AppData\Local\Temp\912A.exe

C:\Users\Admin\AppData\Local\Temp\912A.exe

C:\Users\Admin\AppData\Local\Temp\980E.exe

C:\Users\Admin\AppData\Local\Temp\980E.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\980E.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Users\Admin\AppData\Local\Temp\B59D.exe

C:\Users\Admin\AppData\Local\Temp\B59D.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\C25A.exe

C:\Users\Admin\AppData\Local\Temp\C25A.exe

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\912A.exe

"C:\Users\Admin\AppData\Local\Temp\912A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0a89cf07-348b-4883-94e8-cf60e0d087f6" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\912A.exe

"C:\Users\Admin\AppData\Local\Temp\912A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\Pictures\7GCnL9ZfG20sOnY2nMCw5StE.exe

"C:\Users\Admin\Pictures\7GCnL9ZfG20sOnY2nMCw5StE.exe"

C:\Users\Admin\Pictures\Yw9c7WIk6D8OmkiytpZZInlf.exe

"C:\Users\Admin\Pictures\Yw9c7WIk6D8OmkiytpZZInlf.exe"

C:\Users\Admin\Pictures\pB4lAFN9BsPTVcx8Zu8dNUox.exe

"C:\Users\Admin\Pictures\pB4lAFN9BsPTVcx8Zu8dNUox.exe" --silent --allusers=0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 100

C:\Users\Admin\AppData\Local\Temp\is-OASJM.tmp\is-EOV4S.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OASJM.tmp\is-EOV4S.tmp" /SL4 $70124 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Users\Admin\Pictures\A0v9cSHK4XNUvqvrWZE26BPI.exe

"C:\Users\Admin\Pictures\A0v9cSHK4XNUvqvrWZE26BPI.exe"

C:\Users\Admin\Pictures\5lf5qDHn6ZhrEmix4Jt2NSps.exe

"C:\Users\Admin\Pictures\5lf5qDHn6ZhrEmix4Jt2NSps.exe"

C:\Users\Admin\Pictures\GLfdRU0bqhUrEOzqIpWxiYKN.exe

"C:\Users\Admin\Pictures\GLfdRU0bqhUrEOzqIpWxiYKN.exe"

C:\Users\Admin\Pictures\68qCZWYG31R7K3ompUQghrBr.exe

"C:\Users\Admin\Pictures\68qCZWYG31R7K3ompUQghrBr.exe" /s

C:\Users\Admin\Pictures\GqtKL99M4gBsmO5FUGVx0EiD.exe

"C:\Users\Admin\Pictures\GqtKL99M4gBsmO5FUGVx0EiD.exe"

C:\Users\Admin\AppData\Local\Temp\7zSF1FD.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\8E6A.exe

"C:\Users\Admin\AppData\Local\Temp\8E6A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\7zS1B00.tmp\Install.exe

.\Install.exe /sFIsdidp "385118" /S

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\Pictures\sfOMHgjoXnGkDWe5WszmYn16.exe

"C:\Users\Admin\Pictures\sfOMHgjoXnGkDWe5WszmYn16.exe"

C:\Users\Admin\AppData\Local\Temp\is-7E9GI.tmp\is-00F0O.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7E9GI.tmp\is-00F0O.tmp" /SL4 $201C6 "C:\Users\Admin\Pictures\GLfdRU0bqhUrEOzqIpWxiYKN.exe" 2841400 52224

C:\Users\Admin\Pictures\lYNtBksSC5moXsBv8uG1bRab.exe

"C:\Users\Admin\Pictures\lYNtBksSC5moXsBv8uG1bRab.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\8E6A.exe

"C:\Users\Admin\AppData\Local\Temp\8E6A.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1313201344.exe"

C:\Users\Admin\AppData\Local\ea339898-0ef8-4530-8e30-d4098aa5d993\build2.exe

"C:\Users\Admin\AppData\Local\ea339898-0ef8-4530-8e30-d4098aa5d993\build2.exe"

C:\Users\Admin\AppData\Local\ea339898-0ef8-4530-8e30-d4098aa5d993\build3.exe

"C:\Users\Admin\AppData\Local\ea339898-0ef8-4530-8e30-d4098aa5d993\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Users\Admin\AppData\Local\ea339898-0ef8-4530-8e30-d4098aa5d993\build2.exe

"C:\Users\Admin\AppData\Local\ea339898-0ef8-4530-8e30-d4098aa5d993\build2.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 27

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Program Files (x86)\OSJMount\OSJMount.exe

"C:\Program Files (x86)\OSJMount\OSJMount.exe" -i

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

Network

Files


MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/1980-111-0x00000000009D0000-0x0000000000A10000-memory.dmp

memory/808-112-0x0000000002350000-0x0000000002390000-memory.dmp

memory/564-114-0x00000000733C0000-0x0000000073AAE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d04a29045353ccd773e803baba42b768
SHA1 b25ae00a8518e778785e16ac547f712eb1ad5f4c
SHA256 e45b4ffa6ff55ad9eeef0fb1a458cab9ad19e88963e14f793c48b26842fb1023
SHA512 5a6892580c2d366742cf7a9baa55e3ee10784293f30a9165c56a687811c0cd40f15c886e28bc989534f67ed5a35bc1d5ea21144272dfa4ce318cbc37ed3394d6

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/1012-174-0x00000000FFA40000-0x00000000FFAE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/956-193-0x0000000000400000-0x0000000000409000-memory.dmp

memory/956-196-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 56c5edb8252c3b13f3489be3c49c71f7
SHA1 69746a5af28fa74a40d6839ab69002aa9f83892d
SHA256 559fa5aff8e10fb3d478f6b932cdd40040f02456f8064bc0fbb333eccc4cd2a3
SHA512 b45e26d3d0f34a946e3b81e5aceeacd986bb9a751d1b9e676a09d22c70df985ee4aacee4aee5b293664880f17fd13cdebc8f866ae8600d148d624237e036f6ad

memory/952-192-0x0000000000220000-0x0000000000229000-memory.dmp

memory/952-191-0x0000000002670000-0x0000000002770000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 09d2bae3b05f4c92b25a8c6225df6483
SHA1 ff084d8a1f43903b95bf9144b3719126a3d40cc8
SHA256 a282e51236ad1fb5eb73b2d8d8cb022213cda792705d8f595b504e2b6d2e00c5
SHA512 2151cb657a649acbc7009b20a0101f4d196a2c3cf4793885f95e8b865fb6da424a17fa139b97e312e2157a559beb5be63c824841c871114fec949d810c92bd2c

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d01a3e32cdaa9d2aca4a040cc9c5f20
SHA1 c6b9862ea44f8cd906cffa2d1c3715f9816926f6
SHA256 8d6c72d4a944fc16ffa1f2b2e49b81fe672e60bd81738aacee096363c448bd53
SHA512 37a9447c908c8210b0b095b2d4938684cd5aa63bf583e42a8994ee4c8782ec428a2cbfc8267fcd687867786c672a65cc22cc2305921f683ce6068bc715079ee7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d01a3e32cdaa9d2aca4a040cc9c5f20
SHA1 c6b9862ea44f8cd906cffa2d1c3715f9816926f6
SHA256 8d6c72d4a944fc16ffa1f2b2e49b81fe672e60bd81738aacee096363c448bd53
SHA512 37a9447c908c8210b0b095b2d4938684cd5aa63bf583e42a8994ee4c8782ec428a2cbfc8267fcd687867786c672a65cc22cc2305921f683ce6068bc715079ee7

memory/564-277-0x00000000733C0000-0x0000000073AAE000-memory.dmp

memory/3048-292-0x00000000733C0000-0x0000000073AAE000-memory.dmp

C:\Users\Admin\AppData\Local\0a89cf07-348b-4883-94e8-cf60e0d087f6\8E6A.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA1 d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc
SHA512 e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57

memory/2908-301-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\912A.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/808-293-0x000000006F160000-0x000000006F70B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/2136-280-0x00000000042D0000-0x00000000046C8000-memory.dmp

memory/3048-279-0x00000000733C0000-0x0000000073AAE000-memory.dmp

memory/3048-276-0x0000000000370000-0x00000000004E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\C25A.exe

MD5 17dd7bceefde77f3a3f41e856ff6ab26
SHA1 aad2d11ae82315e0c54f6e18d2aa4dc5d9a040d3
SHA256 c68005ba0828cbee40df02a6742e06b5d2a7f7d6bc05087f27bbe1368077c111
SHA512 c1b68aebdb5b7ed75d800738635223e4c8ce2e3a826b9042dd9543220a008653ec2fb9d1a2fb77da5e335fa1a0bc9ac640446c8e1f101c510780b467896f2fd4

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\C25A.exe

MD5 17dd7bceefde77f3a3f41e856ff6ab26
SHA1 aad2d11ae82315e0c54f6e18d2aa4dc5d9a040d3
SHA256 c68005ba0828cbee40df02a6742e06b5d2a7f7d6bc05087f27bbe1368077c111
SHA512 c1b68aebdb5b7ed75d800738635223e4c8ce2e3a826b9042dd9543220a008653ec2fb9d1a2fb77da5e335fa1a0bc9ac640446c8e1f101c510780b467896f2fd4

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 3a11e9de3df0da3101e5dc8977f36010
SHA1 ef1988d77f22a77a76c852ea29655d044d7313f4
SHA256 2bed87901ee6da52f23bf4135027fbdc595c8878e810dc7e0aa249ec594a04b3
SHA512 7feda669cfa8edc121841a013373788e332760c052536cbe4547c933ddab57022a789153c0ac99809bdba25b71ef5993380fe0f3734a19f3cfe03418d12a2289

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c0419d05ad443966df72dd199ad71dd8
SHA1 0ba0b1ddfbd9e45879342dba9191efbc478edf05
SHA256 49e4e0f0690e9d8e830bd520e4cd37e616a530274c6b9ce978f11c122c19696b
SHA512 e63bd124dd8d1b8993b42507a81e39c74edabfc5798cef0869638f3c2ee95a4646aab829d0d974e7912d7fa127f1098d98b92d31b4b01e1d4b4ddfd8e6e84c91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ecf7eb76e391a63c332e7d68b5b40a6
SHA1 2a2a92837908b79c70708580136d7941ce970cb5
SHA256 b05494e3fa23a9b14d5675d5ac0785f07f9ef235d9cfd31517c76a301acda944
SHA512 130a225721092c754cc5a5324a8033b3301859f7b11752f5d553955da879bea5a22faabbc0ccf49230ce7772cad376c78fe5677bf80edda8f32095478c13af3f

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/2856-302-0x0000000000400000-0x0000000000413000-memory.dmp

\Users\Admin\AppData\Local\Temp\912A.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/1244-307-0x0000000002A40000-0x0000000002A56000-memory.dmp

memory/2968-318-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2968-320-0x0000000000400000-0x0000000000430000-memory.dmp

memory/956-317-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2748-306-0x0000000000350000-0x00000000003E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\912A.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/2968-325-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\Pictures\7GCnL9ZfG20sOnY2nMCw5StE.exe

MD5 13239f44e31f26e26aebc2463d61a0da
SHA1 0c8f775cbfbda056d744c7ca905511bb3395c7bf
SHA256 a345c3ca58360a791204e6722cb81bd4992390d394558df4b45aa344b16fb035
SHA512 48fa941eda4abd1e7a8c3cb3a8ec8eb1d6b78f1bedc4b4244cfdd81c7a98cdae6a4d00736baad8322b8801e13793ba491f983cfe128615e73c54f2dd0b6646f5

\Users\Admin\Pictures\7GCnL9ZfG20sOnY2nMCw5StE.exe

MD5 13239f44e31f26e26aebc2463d61a0da
SHA1 0c8f775cbfbda056d744c7ca905511bb3395c7bf
SHA256 a345c3ca58360a791204e6722cb81bd4992390d394558df4b45aa344b16fb035
SHA512 48fa941eda4abd1e7a8c3cb3a8ec8eb1d6b78f1bedc4b4244cfdd81c7a98cdae6a4d00736baad8322b8801e13793ba491f983cfe128615e73c54f2dd0b6646f5

\Users\Admin\Pictures\Yw9c7WIk6D8OmkiytpZZInlf.exe

MD5 55a59bf8266919152495f5195c34169f
SHA1 9c77f14e86d97ff796229dcba5e043d9d15efbe1
SHA256 b422a292ac86c0b51a3c0c2271e5d1565c89914a05fe361f61331fae95185152
SHA512 1e9a4f2da7886d37a18f02029dde7e18252fef7b62478cb8531503ddf7cd970bc6f79aac881780c434492c5ab396d5d15978d416d8c097eb2362cbe9932d1377

C:\Users\Admin\Pictures\Yw9c7WIk6D8OmkiytpZZInlf.exe

MD5 55a59bf8266919152495f5195c34169f
SHA1 9c77f14e86d97ff796229dcba5e043d9d15efbe1
SHA256 b422a292ac86c0b51a3c0c2271e5d1565c89914a05fe361f61331fae95185152
SHA512 1e9a4f2da7886d37a18f02029dde7e18252fef7b62478cb8531503ddf7cd970bc6f79aac881780c434492c5ab396d5d15978d416d8c097eb2362cbe9932d1377

C:\Users\Admin\AppData\Local\Temp\912A.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/2968-367-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\Pictures\7GCnL9ZfG20sOnY2nMCw5StE.exe

MD5 13239f44e31f26e26aebc2463d61a0da
SHA1 0c8f775cbfbda056d744c7ca905511bb3395c7bf
SHA256 a345c3ca58360a791204e6722cb81bd4992390d394558df4b45aa344b16fb035
SHA512 48fa941eda4abd1e7a8c3cb3a8ec8eb1d6b78f1bedc4b4244cfdd81c7a98cdae6a4d00736baad8322b8801e13793ba491f983cfe128615e73c54f2dd0b6646f5

memory/2968-346-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

C:\Users\Admin\Pictures\A0v9cSHK4XNUvqvrWZE26BPI.exe

MD5 ae734fd25e32844afea091f8331b32e2
SHA1 b1dffb4fe5761d333d2f4638f9474cdbae38a65c
SHA256 7ea97f81f136aa078921e44fc6e10f889c998e0e393f4d3cd5a061b8525f6e1d
SHA512 e5eb5c542db946d948de4e3330ff78e007128e00545632a9f365d516e8300b69abc0c205aa0e8260355272cb31d41dd32312647d9fb63160a971331702c69801

\Users\Admin\Pictures\A0v9cSHK4XNUvqvrWZE26BPI.exe

MD5 ae734fd25e32844afea091f8331b32e2
SHA1 b1dffb4fe5761d333d2f4638f9474cdbae38a65c
SHA256 7ea97f81f136aa078921e44fc6e10f889c998e0e393f4d3cd5a061b8525f6e1d
SHA512 e5eb5c542db946d948de4e3330ff78e007128e00545632a9f365d516e8300b69abc0c205aa0e8260355272cb31d41dd32312647d9fb63160a971331702c69801

\Users\Admin\Pictures\A0v9cSHK4XNUvqvrWZE26BPI.exe

MD5 ae734fd25e32844afea091f8331b32e2
SHA1 b1dffb4fe5761d333d2f4638f9474cdbae38a65c
SHA256 7ea97f81f136aa078921e44fc6e10f889c998e0e393f4d3cd5a061b8525f6e1d
SHA512 e5eb5c542db946d948de4e3330ff78e007128e00545632a9f365d516e8300b69abc0c205aa0e8260355272cb31d41dd32312647d9fb63160a971331702c69801

C:\Users\Admin\Pictures\7GCnL9ZfG20sOnY2nMCw5StE.exe

MD5 13239f44e31f26e26aebc2463d61a0da
SHA1 0c8f775cbfbda056d744c7ca905511bb3395c7bf
SHA256 a345c3ca58360a791204e6722cb81bd4992390d394558df4b45aa344b16fb035
SHA512 48fa941eda4abd1e7a8c3cb3a8ec8eb1d6b78f1bedc4b4244cfdd81c7a98cdae6a4d00736baad8322b8801e13793ba491f983cfe128615e73c54f2dd0b6646f5

C:\Users\Admin\Pictures\7GCnL9ZfG20sOnY2nMCw5StE.exe

MD5 13239f44e31f26e26aebc2463d61a0da
SHA1 0c8f775cbfbda056d744c7ca905511bb3395c7bf
SHA256 a345c3ca58360a791204e6722cb81bd4992390d394558df4b45aa344b16fb035
SHA512 48fa941eda4abd1e7a8c3cb3a8ec8eb1d6b78f1bedc4b4244cfdd81c7a98cdae6a4d00736baad8322b8801e13793ba491f983cfe128615e73c54f2dd0b6646f5

C:\Users\Admin\Pictures\A0v9cSHK4XNUvqvrWZE26BPI.exe

MD5 ae734fd25e32844afea091f8331b32e2
SHA1 b1dffb4fe5761d333d2f4638f9474cdbae38a65c
SHA256 7ea97f81f136aa078921e44fc6e10f889c998e0e393f4d3cd5a061b8525f6e1d
SHA512 e5eb5c542db946d948de4e3330ff78e007128e00545632a9f365d516e8300b69abc0c205aa0e8260355272cb31d41dd32312647d9fb63160a971331702c69801

memory/2748-364-0x0000000000350000-0x00000000003E1000-memory.dmp

C:\Users\Admin\Pictures\7GCnL9ZfG20sOnY2nMCw5StE.exe

MD5 13239f44e31f26e26aebc2463d61a0da
SHA1 0c8f775cbfbda056d744c7ca905511bb3395c7bf
SHA256 a345c3ca58360a791204e6722cb81bd4992390d394558df4b45aa344b16fb035
SHA512 48fa941eda4abd1e7a8c3cb3a8ec8eb1d6b78f1bedc4b4244cfdd81c7a98cdae6a4d00736baad8322b8801e13793ba491f983cfe128615e73c54f2dd0b6646f5

\Users\Admin\Pictures\7GCnL9ZfG20sOnY2nMCw5StE.exe

MD5 13239f44e31f26e26aebc2463d61a0da
SHA1 0c8f775cbfbda056d744c7ca905511bb3395c7bf
SHA256 a345c3ca58360a791204e6722cb81bd4992390d394558df4b45aa344b16fb035
SHA512 48fa941eda4abd1e7a8c3cb3a8ec8eb1d6b78f1bedc4b4244cfdd81c7a98cdae6a4d00736baad8322b8801e13793ba491f983cfe128615e73c54f2dd0b6646f5

\Users\Admin\AppData\Local\Temp\912A.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/2968-333-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Pictures\pB4lAFN9BsPTVcx8Zu8dNUox.exe

MD5 43fd98462ee61b7d620f83e8c34f0d14
SHA1 1539112172fd3479960bb84456ced59a59880c17
SHA256 250acf84a99aae3e7df120eeb1c1a6847742b8a5b4a4918be55ebe45faa04876
SHA512 8fff981aee3a645f766e7addddd8cec97c1784a41560bf7e8c951fb4fdbc7e7e2a7895f517527464c32f079762995e716f304df11801341a6b92f7e6f5de42a7

memory/2968-382-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Pictures\GLfdRU0bqhUrEOzqIpWxiYKN.exe

MD5 e721b36c3d5b07d56f40cfb68b5fbb29
SHA1 265d6cd33a9375a39da892909c0faee171dd2e35
SHA256 c3be589719d339453aec542b8eec945479a0568b44ce58c96e9d195a579e8278
SHA512 ce6d8127b944930d15a4c5c91f366310ba2a62f8454399f795af8c0408946f69067898b5712926e5087ccd18a2a486018ec9c23ff73a48b856dfe08b8036fc4a

C:\Users\Admin\Pictures\5lf5qDHn6ZhrEmix4Jt2NSps.exe

MD5 4f11bf9c4f0002126072590e0834b59f
SHA1 3c7eb3e28cfd5a4e1fd58a8405ecddfba6512729
SHA256 1f50a480c5a15f69d47a9ef703f1db2b837fb60b683321e5b8ebef5fd740eed4
SHA512 a3de95550e03d0748d08d8e1c75ba681b486c8faf8f898f612f99aa9a219785cb99a086991191bafedebddffca343ff0828d87ce624aa804a5ee97286bcb4f51

memory/2968-397-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1636-402-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2528-400-0x0000000000210000-0x0000000000218000-memory.dmp

C:\Users\Admin\Pictures\68qCZWYG31R7K3ompUQghrBr.exe

MD5 aa3602359bb93695da27345d82a95c77
SHA1 9cb550458f95d631fef3a89144fc9283d6c9f75a
SHA256 e9225898ffe63c67058ea7e7eb5e0dc2a9ce286e83624bd85604142a07619e7d
SHA512 adf43781d3f1fec56bc9cdcd1d4a8ddf1c4321206b16f70968b6ffccb59c943aed77c1192bf701ccc1ab2ce0f29b77eb76a33eba47d129a9248b61476db78a36

memory/2968-423-0x0000000000320000-0x0000000000326000-memory.dmp

memory/2528-445-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

memory/2720-446-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2136-462-0x00000000042D0000-0x00000000046C8000-memory.dmp

memory/2136-468-0x00000000046D0000-0x0000000004FBB000-memory.dmp

memory/2136-475-0x0000000000400000-0x0000000002985000-memory.dmp

memory/1076-476-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1620-480-0x00000000001D0000-0x0000000000705000-memory.dmp

memory/1636-483-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2968-484-0x00000000733C0000-0x0000000073AAE000-memory.dmp

memory/1100-485-0x00000000FF870000-0x00000000FF8C2000-memory.dmp

memory/1980-486-0x00000000074C0000-0x00000000079F5000-memory.dmp

memory/808-487-0x000000006F160000-0x000000006F70B000-memory.dmp

memory/808-491-0x0000000002350000-0x0000000002390000-memory.dmp

memory/808-489-0x0000000002350000-0x0000000002390000-memory.dmp

memory/2856-492-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2528-494-0x000000001AFF0000-0x000000001B070000-memory.dmp

C:\Users\Admin\Pictures\sfOMHgjoXnGkDWe5WszmYn16.exe

MD5 542fb147e8aa58585fee0936e4efa86c
SHA1 73ea404c082de9b4caa34f2b2baebe5012202b97
SHA256 60b30234ec6be8256281f7636183f3123840fa0b97d02147d4ff52238e330b5d
SHA512 bace03b42f9c43b42484ccde2985f22208c3e5714f47eaf20a4336cba531d445c1cd39a1b6f4f5b6570c3fa051d9f9d100f3de9e28995ba5bf40388b66e2d635

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3K15O6G8U8XKVFKFH6WF.temp

MD5 09bc951ad4eead977ad52b92832eaa63
SHA1 f3f1a08e89f062a59a30e061191d0bc3efe49ed4
SHA256 6c1b455b36b2e1ccbcd21ded2561988951c3ccd48f5a83d4fbfb5ee89139f5a3
SHA512 1d09032a399c183c7b340cfb5eb5b9999e84435c43befa1b4f018c88f0066c09c9b3a54928ce91563c78617ba72862ee88a9e4fe2c7378e0657781a0d480f8e7

memory/2884-565-0x000000001B100000-0x000000001B3E2000-memory.dmp

memory/2884-566-0x0000000002290000-0x0000000002298000-memory.dmp

memory/2720-567-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2884-621-0x000000000261B000-0x0000000002682000-memory.dmp

memory/2884-673-0x000007FEEE200000-0x000007FEEEB9D000-memory.dmp

memory/2884-674-0x0000000002614000-0x0000000002617000-memory.dmp

C:\Users\Admin\Pictures\lYNtBksSC5moXsBv8uG1bRab.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\ea339898-0ef8-4530-8e30-d4098aa5d993\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

memory/1568-676-0x0000000000830000-0x0000000000B4C000-memory.dmp

memory/808-704-0x000000006F160000-0x000000006F70B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-OBFH2.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2704-744-0x00000000027D2000-0x0000000002801000-memory.dmp

memory/2704-745-0x0000000000220000-0x0000000000271000-memory.dmp
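The Files listing above records the same dropped file once per access, sometimes as `C:\Users\...` and sometimes as `\Users\...`, and interleaves memory-dump lines and CryptoAPI cache entries with the actual payloads. The Python below is an added example, not part of the sandbox report or its tooling: it collapses a listing in this flat format into one IOC row per SHA256, merges the drive-less and drive-prefixed spellings of a path, and labels the two drop locations this report shows (random 24-character EXE names in the user's Pictures folder, and an EXE placed under a GUID-named folder in AppData\Local, as with 8E6A.exe and build2.exe). The sample text is a constructed excerpt of entries copied from this report with the SHA1/SHA512 lines left out for brevity; the path patterns and labels are the example's own.

```python
import re

# Constructed excerpt of the Files listing above (same paths and digests as the
# report; SHA1/SHA512 lines left out to keep the sample short).
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\980E.exe

MD5 f62db17095733535b6cfd2d07d7fd994
SHA256 9fe3bfd40d042b7a7e2d46578d5f889a90d0b0a36c233063f59fbdbb1fc5570c

C:\Users\Admin\AppData\Local\Temp\980E.exe

MD5 f62db17095733535b6cfd2d07d7fd994
SHA256 9fe3bfd40d042b7a7e2d46578d5f889a90d0b0a36c233063f59fbdbb1fc5570c

memory/2908-53-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372

C:\Users\Admin\AppData\Local\0a89cf07-348b-4883-94e8-cf60e0d087f6\8E6A.exe

MD5 8f2f61172cc6cc8e38e4db6828255e8f
SHA256 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc

\Users\Admin\Pictures\7GCnL9ZfG20sOnY2nMCw5StE.exe

MD5 13239f44e31f26e26aebc2463d61a0da
SHA256 a345c3ca58360a791204e6722cb81bd4992390d394558df4b45aa344b16fb035

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d04a29045353ccd773e803baba42b768
SHA256 e45b4ffa6ff55ad9eeef0fb1a458cab9ad19e88963e14f793c48b26842fb1023
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMORY_RE = re.compile(r"^memory/\d+-\d+-0x[0-9a-fA-F]+-0x[0-9a-fA-F]+-memory\.dmp$")

# Path patterns and labels are this example's own: the first two describe where
# the report above shows files being placed, the third is a CryptoAPI cache.
PATH_LABELS = [
    (re.compile(r"\\Pictures\\[A-Za-z0-9]{20,}\.exe$"), "random-name EXE dropped in Pictures"),
    (re.compile(r"\\AppData\\Local\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\[^\\]+\.exe$", re.I),
     "EXE placed under a GUID-named folder in AppData\\Local"),
    (re.compile(r"\\CryptnetUrlCache\\", re.I), "CryptoAPI URL cache entry, not a payload"),
]


def normalise_path(path):
    """The sandbox lists the same file as 'C:\\Users\\...' and '\\Users\\...'."""
    return "C:" + path if path.startswith("\\") else path


def parse_files(text):
    """Return [(path, {algo: digest}), ...] in listing order, one per entry."""
    records = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or MEMORY_RE.match(line):
            continue                      # separators and memory dumps carry no file IOC
        m = HASH_RE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2).lower()
        elif not m:
            current = (normalise_path(line), {})
            records.append(current)
    return records


def classify(path):
    for pattern, label in PATH_LABELS:
        if pattern.search(path):
            return label
    return "dropped file"


def unique_iocs(text):
    """Collapse repeated entries: one row per SHA256 with every path it was seen at."""
    rows = {}
    for path, hashes in parse_files(text):
        digest = hashes.get("SHA256")
        if digest is None:
            continue                      # an entry with no SHA256 cannot be matched on
        row = rows.setdefault(digest, {"sha256": digest, "md5": hashes.get("MD5"),
                                       "paths": [], "label": classify(path)})
        if path not in row["paths"]:
            row["paths"].append(path)
    return list(rows.values())


if __name__ == "__main__":
    for row in unique_iocs(SAMPLE_LISTING):
        print(row["sha256"][:16], row["label"], *row["paths"])
```

Keying on SHA256 rather than path is deliberate: the same digest turns up under several names here (the `\Users` and `C:\Users` spellings, and the same payload re-read several times), and it is the digest, not the random file name, that is worth blocking or hunting on.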

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-27 08:59

Reported

2023-09-27 09:02

Platform

win10v2004-20230915-en

Max time kernel

34s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
10 hits, none with a description, indicator, process or target recorded

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C98A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C98A.exe N/A

Uses the VBS compiler for execution

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4684 set thread context of 1444 N/A C:\Users\Admin\AppData\Local\Temp\C98A.exe C:\Users\Admin\AppData\Local\Temp\C98A.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
62 further hits with no description, indicator, process or target recorded

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 4684 N/A N/A C:\Users\Admin\AppData\Local\Temp\C98A.exe
PID 4684 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\C98A.exe C:\Users\Admin\AppData\Local\Temp\C98A.exe
PID 2660 wrote to memory of 60 N/A N/A C:\Windows\system32\regsvr32.exe
PID 60 wrote to memory of 1488 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\C98A.exe

C:\Users\Admin\AppData\Local\Temp\C98A.exe

C:\Users\Admin\AppData\Local\Temp\C98A.exe

C:\Users\Admin\AppData\Local\Temp\C98A.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CB50.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\CB50.dll

C:\Users\Admin\AppData\Local\Temp\CCC8.exe

C:\Users\Admin\AppData\Local\Temp\CCC8.exe

C:\Users\Admin\AppData\Local\Temp\CCC8.exe

C:\Users\Admin\AppData\Local\Temp\CCC8.exe

C:\Users\Admin\AppData\Local\Temp\D12E.exe

C:\Users\Admin\AppData\Local\Temp\D12E.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\D12E.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\DDE1.exe

C:\Users\Admin\AppData\Local\Temp\DDE1.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\C98A.exe

C:\Users\Admin\AppData\Local\Temp\CB50.dll

C:\Users\Admin\AppData\Local\Temp\CCC8.exe

C:\Users\Admin\AppData\Local\Temp\D12E.exe

C:\Users\Admin\AppData\Local\Temp\DDE1.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2sect5sx.g1w.ps1

C:\Users\Admin\AppData\Local\Temp\E544.exe
