Analysis Overview
SHA256
837ef3bdbec1b4a38ba2e4041dfec9c34f210964f403207021fe0537e7409b33
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Glupteba payload
Glupteba
Windows security bypass
SmokeLoader
Detected Djvu ransomware
RedLine
Vidar
Djvu Ransomware
Downloads MZ/PE file
Modifies file permissions
Executes dropped EXE
Uses the VBS compiler for execution
Deletes itself
Windows security modification
Loads dropped DLL
UPX packed file
Checks whether UAC is enabled
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
System policy modification
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2023-09-27 08:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-27 08:59
Reported
2023-09-27 09:02
Platform
win7-20230831-en
Max time kernel
36s
Max time network
152s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
SmokeLoader
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\980E.exe | N/A |
Vidar
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\980E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\980E.exe = "0" | C:\Users\Admin\AppData\Local\Temp\980E.exe | N/A |
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8E6A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8E6A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\912A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\912A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\980E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B59D.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8E6A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\912A.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\980E.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\980E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\980E.exe = "0" | C:\Users\Admin\AppData\Local\Temp\980E.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\980E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\980E.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2724 set thread context of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\8E6A.exe | C:\Users\Admin\AppData\Local\Temp\8E6A.exe |
| PID 2856 set thread context of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\912A.exe | C:\Users\Admin\AppData\Local\Temp\912A.exe |
| PID 2928 set thread context of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\980E.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\C25A.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\980E.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\8E6A.exe
C:\Users\Admin\AppData\Local\Temp\8E6A.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9020.dll
C:\Users\Admin\AppData\Local\Temp\8E6A.exe
C:\Users\Admin\AppData\Local\Temp\8E6A.exe
C:\Users\Admin\AppData\Local\Temp\912A.exe
C:\Users\Admin\AppData\Local\Temp\912A.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\9020.dll
C:\Users\Admin\AppData\Local\Temp\912A.exe
C:\Users\Admin\AppData\Local\Temp\912A.exe
C:\Users\Admin\AppData\Local\Temp\980E.exe
C:\Users\Admin\AppData\Local\Temp\980E.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\980E.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Users\Admin\AppData\Local\Temp\B59D.exe
C:\Users\Admin\AppData\Local\Temp\B59D.exe
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\C25A.exe
C:\Users\Admin\AppData\Local\Temp\C25A.exe
C:\Users\Admin\AppData\Local\Temp\set16.exe
"C:\Users\Admin\AppData\Local\Temp\set16.exe"
C:\Users\Admin\AppData\Local\Temp\912A.exe
"C:\Users\Admin\AppData\Local\Temp\912A.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\kos.exe
"C:\Users\Admin\AppData\Local\Temp\kos.exe"
C:\Users\Admin\AppData\Local\Temp\kos1.exe
"C:\Users\Admin\AppData\Local\Temp\kos1.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0a89cf07-348b-4883-94e8-cf60e0d087f6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\912A.exe
"C:\Users\Admin\AppData\Local\Temp\912A.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\Pictures\7GCnL9ZfG20sOnY2nMCw5StE.exe
"C:\Users\Admin\Pictures\7GCnL9ZfG20sOnY2nMCw5StE.exe"
C:\Users\Admin\Pictures\Yw9c7WIk6D8OmkiytpZZInlf.exe
"C:\Users\Admin\Pictures\Yw9c7WIk6D8OmkiytpZZInlf.exe"
C:\Users\Admin\Pictures\pB4lAFN9BsPTVcx8Zu8dNUox.exe
"C:\Users\Admin\Pictures\pB4lAFN9BsPTVcx8Zu8dNUox.exe" --silent --allusers=0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 100
C:\Users\Admin\AppData\Local\Temp\is-OASJM.tmp\is-EOV4S.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OASJM.tmp\is-EOV4S.tmp" /SL4 $70124 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
C:\Users\Admin\Pictures\A0v9cSHK4XNUvqvrWZE26BPI.exe
"C:\Users\Admin\Pictures\A0v9cSHK4XNUvqvrWZE26BPI.exe"
C:\Users\Admin\Pictures\5lf5qDHn6ZhrEmix4Jt2NSps.exe
"C:\Users\Admin\Pictures\5lf5qDHn6ZhrEmix4Jt2NSps.exe"
C:\Users\Admin\Pictures\GLfdRU0bqhUrEOzqIpWxiYKN.exe
"C:\Users\Admin\Pictures\GLfdRU0bqhUrEOzqIpWxiYKN.exe"
C:\Users\Admin\Pictures\68qCZWYG31R7K3ompUQghrBr.exe
"C:\Users\Admin\Pictures\68qCZWYG31R7K3ompUQghrBr.exe" /s
C:\Users\Admin\Pictures\GqtKL99M4gBsmO5FUGVx0EiD.exe
"C:\Users\Admin\Pictures\GqtKL99M4gBsmO5FUGVx0EiD.exe"
C:\Users\Admin\AppData\Local\Temp\7zSF1FD.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\8E6A.exe
"C:\Users\Admin\AppData\Local\Temp\8E6A.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\7zS1B00.tmp\Install.exe
.\Install.exe /sFIsdidp "385118" /S
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\Pictures\sfOMHgjoXnGkDWe5WszmYn16.exe
"C:\Users\Admin\Pictures\sfOMHgjoXnGkDWe5WszmYn16.exe"
C:\Users\Admin\AppData\Local\Temp\is-7E9GI.tmp\is-00F0O.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7E9GI.tmp\is-00F0O.tmp" /SL4 $201C6 "C:\Users\Admin\Pictures\GLfdRU0bqhUrEOzqIpWxiYKN.exe" 2841400 52224
C:\Users\Admin\Pictures\lYNtBksSC5moXsBv8uG1bRab.exe
"C:\Users\Admin\Pictures\lYNtBksSC5moXsBv8uG1bRab.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Users\Admin\AppData\Local\Temp\8E6A.exe
"C:\Users\Admin\AppData\Local\Temp\8E6A.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1313201344.exe"
C:\Users\Admin\AppData\Local\ea339898-0ef8-4530-8e30-d4098aa5d993\build2.exe
"C:\Users\Admin\AppData\Local\ea339898-0ef8-4530-8e30-d4098aa5d993\build2.exe"
C:\Users\Admin\AppData\Local\ea339898-0ef8-4530-8e30-d4098aa5d993\build3.exe
"C:\Users\Admin\AppData\Local\ea339898-0ef8-4530-8e30-d4098aa5d993\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
C:\Users\Admin\AppData\Local\ea339898-0ef8-4530-8e30-d4098aa5d993\build2.exe
"C:\Users\Admin\AppData\Local\ea339898-0ef8-4530-8e30-d4098aa5d993\build2.exe"
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 27
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -i
C:\Program Files (x86)\OSJMount\OSJMount.exe
"C:\Program Files (x86)\OSJMount\OSJMount.exe" -i
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
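The command lines and registry writes recorded in the Processes and Signatures sections are the concrete artefacts a detection engineer would turn into rules: Defender exclusions added both with Add-MpPreference and with REG ADD under the Policies key, EnableLUA set to 0, a scheduled task firing every minute from AppData\Roaming, the Windows Update services stopped, icacls denying Everyone on a drop folder, forfiles used to proxy cmd.exe, and regsvr32 loading a DLL out of Temp. The Python below is an added example written for this page; it is not part of the sandbox report or its tooling. It runs a small rule set over a constructed event list transcribed from the sections above. The event field names, rule names and the ATT&CK technique mapping are the editor's assumptions, and the patterns are deliberately narrow to the behaviours recorded here; the EnableLUA query at the end is included to show that reading the value alone does not fire the rule.

```python
import re
from dataclasses import dataclass

# Added example, not part of the sandbox report. Rule names, field names and the
# ATT&CK technique mapping are the editor's assumptions; the sample events are
# transcribed from the Processes and Signatures sections of the report.

@dataclass(frozen=True)
class Rule:
    name: str
    technique: str      # ATT&CK technique ID (editor's mapping, not from the report)
    kind: str           # event kind the rule applies to: "process" or "registry"
    pattern: re.Pattern

def _rx(p):
    # Windows paths and command lines are case-insensitive; match them that way.
    return re.compile(p, re.IGNORECASE)

RULES = [
    Rule("defender_exclusion_cmdlet", "T1562.001", "process",
         _rx(r"Add-MpPreference\s+-Exclusion(Path|Extension|Process)")),
    Rule("defender_exclusion_reg_add", "T1562.001", "process",
         _rx(r"\bREG\s+ADD\s+.*Windows Defender\\Exclusions")),
    Rule("forfiles_proxy_exec", "T1202", "process",
         _rx(r"\bforfiles(\.exe)?\"?\s+.*?/c\s+")),
    Rule("regsvr32_dll_from_temp", "T1218.010", "process",
         _rx(r"\bregsvr32(\.exe)?\"?\s+/s\s+.*\\Temp\\[^\\]+\.dll")),
    Rule("schtasks_minute_from_appdata", "T1053.005", "process",
         _rx(r"/create\b.*/sc\s+minute\b.*/tr\s+\"[^\"]*\\AppData\\")),
    Rule("update_services_stopped", "T1489", "process",
         _rx(r"\bsc\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b")),
    Rule("icacls_deny_everyone", "T1222.001", "process",
         _rx(r"\bicacls\b.*/deny\s+\*S-1-1-0:")),
    Rule("power_timeouts_zeroed", "T1653", "process",
         _rx(r"\bpowercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b")),
    Rule("uac_disabled_enablelua", "T1548.002", "registry",
         _rx(r"\\Policies\\System\\EnableLUA\s*=\s*\"?0\"?$")),
    Rule("defender_exclusion_reg_key", "T1562.001", "registry",
         _rx(r"\\Windows Defender\\Exclusions(\\|$)")),
]

# Constructed sample events. "data" is the command line for process events and
# the registry indicator string for registry events (as the report prints it).
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "data": r"/s C:\Users\Admin\AppData\Local\Temp\9020.dll"},
    {"kind": "process", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "data": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\980E.exe" -Force'},
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "data": r"C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc"},
    {"kind": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "data": r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'},
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "data": r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-ac 0"},
    {"kind": "process", "image": r"C:\Windows\SysWOW64\icacls.exe",
     "data": r'icacls "C:\Users\Admin\AppData\Local\0a89cf07-348b-4883-94e8-cf60e0d087f6" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"kind": "process", "image": r"C:\Windows\SysWOW64\forfiles.exe",
     "data": r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32"'},
    {"kind": "process", "image": r"C:\Windows\SysWOW64\net.exe",
     "data": r'"C:\Windows\system32\net.exe" helpmsg 27'},
    {"kind": "registry", "image": r"C:\Users\Admin\AppData\Local\Temp\980E.exe",
     "data": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"kind": "registry", "image": r"C:\Users\Admin\AppData\Local\Temp\980E.exe",
     "data": r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"'},
    {"kind": "registry", "image": r"C:\Users\Admin\AppData\Local\Temp\980E.exe",
     "data": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths"},
]

def scan(events):
    """Return one hit per (event, rule) pair whose pattern matches image + data."""
    hits = []
    for i, ev in enumerate(events):
        text = f"{ev['image']} {ev['data']}"
        for rule in RULES:
            if rule.kind == ev["kind"] and rule.pattern.search(text):
                hits.append({"event": i, "rule": rule.name,
                             "technique": rule.technique, "image": ev["image"]})
    return hits

def summarize(hits):
    """Group matched rule names by technique so a triage note can be written per behaviour."""
    by_tech = {}
    for h in hits:
        by_tech.setdefault(h["technique"], set()).add(h["rule"])
    return {t: sorted(r) for t, r in sorted(by_tech.items())}

if __name__ == "__main__":
    for tech, rules in summarize(scan(SAMPLE_EVENTS)).items():
        print(tech, ", ".join(rules))
```

The forfiles event fires two rules at once (the proxy execution and the REG ADD it carries), which is the expected shape: one process event, several behaviours. In production the same patterns would be applied to Sysmon event ID 1 (process creation) and IDs 12/13 (registry key and value events) rather than to a hand-built list, and the registry rules should be keyed on the set-value operation, not on reads.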
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.97.0:80 | potunulit.org | tcp |
| BG | 193.42.32.101:80 | 193.42.32.101 | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | z.nnnaajjjgc.com | udp |
| MU | 156.236.72.121:443 | z.nnnaajjjgc.com | tcp |
| US | 8.8.8.8:53 | ji.alie3ksgbb.com | udp |
| US | 188.114.97.0:80 | ji.alie3ksgbb.com | tcp |
| US | 8.8.8.8:53 | downloads.digitalpulsedata.com | udp |
| NL | 13.227.219.83:443 | downloads.digitalpulsedata.com | tcp |
| US | 8.8.8.8:53 | jetpackdelivery.net | udp |
| US | 188.114.97.1:443 | jetpackdelivery.net | tcp |
| RU | 5.42.64.10:80 | 5.42.64.10 | tcp |
| US | 8.8.8.8:53 | new.drivelikea.com | udp |
| US | 8.8.8.8:53 | hbn42414.beget.tech | udp |
| US | 188.114.97.0:443 | new.drivelikea.com | tcp |
| US | 8.8.8.8:53 | lycheepanel.info | udp |
| RU | 87.236.19.5:80 | hbn42414.beget.tech | tcp |
| US | 8.8.8.8:53 | galandskiyher3.com | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| NL | 185.26.182.111:80 | net.geo.opera.com | tcp |
| NL | 185.26.182.111:443 | net.geo.opera.com | tcp |
| NL | 194.169.175.127:80 | galandskiyher3.com | tcp |
| US | 172.67.187.122:443 | lycheepanel.info | tcp |
| US | 85.217.144.143:80 | 85.217.144.143 | tcp |
| US | 8.8.8.8:53 | int.down.360safe.com | udp |
| US | 8.8.8.8:53 | www.ccee.org.pe | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 192.185.161.46:443 | www.ccee.org.pe | tcp |
| US | 8.8.8.8:53 | flyawayaero.net | udp |
| NL | 108.156.60.116:80 | int.down.360safe.com | tcp |
| US | 172.67.216.81:443 | flyawayaero.net | tcp |
| US | 8.8.8.8:53 | potatogoose.com | udp |
| US | 104.21.35.235:443 | potatogoose.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.170:80 | apps.identrust.com | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| MU | 156.236.72.121:443 | z.nnnaajjjgc.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | yip.su | udp |
| RU | 5.42.64.10:80 | 5.42.64.10 | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| DE | 148.251.234.93:443 | yip.su | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.170:80 | apps.identrust.com | tcp |
| NL | 88.221.25.169:80 | apps.identrust.com | tcp |
| US | 172.67.187.122:443 | lycheepanel.info | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 188.114.97.1:443 | jetpackdelivery.net | tcp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| RU | 5.42.64.10:80 | 5.42.64.10 | tcp |
| PL | 146.59.10.173:45035 | | tcp |
| TR | 194.55.224.41:80 | 194.55.224.41 | tcp |
| DE | 148.251.234.93:443 | yip.su | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| HU | 84.224.216.79:80 | colisumy.com | tcp |
| DE | 148.251.234.93:443 | yip.su | tcp |
| US | 8.8.8.8:53 | app.nnnaajjjgc.com | udp |
| HK | 154.221.26.108:80 | app.nnnaajjjgc.com | tcp |
| DE | 148.251.234.93:443 | yip.su | tcp |
| US | 8.8.8.8:53 | st.p.360safe.com | udp |
| US | 8.8.8.8:53 | tr.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| IE | 54.76.174.118:80 | tr.p.360safe.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| IR | 2.180.10.7:80 | zexeq.com | tcp |
| HK | 154.221.26.108:80 | app.nnnaajjjgc.com | tcp |
| DE | 148.251.234.93:443 | yip.su | tcp |
| IR | 2.180.10.7:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | iup.360safe.com | udp |
| DE | 148.251.234.93:443 | yip.su | tcp |
| DE | 148.251.234.93:443 | yip.su | tcp |
| DE | 148.251.234.93:443 | yip.su | tcp |
| NL | 151.236.127.236:80 | iup.360safe.com | tcp |
| NL | 151.236.127.236:80 | iup.360safe.com | tcp |
| DE | 148.251.234.93:443 | yip.su | tcp |
| NL | 151.236.127.236:80 | iup.360safe.com | tcp |
| DE | 148.251.234.93:443 | yip.su | tcp |
| US | 8.8.8.8:53 | s.360safe.com | udp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| NL | 151.236.127.236:80 | iup.360safe.com | tcp |
| NL | 151.236.127.236:80 | iup.360safe.com | tcp |
| DE | 148.251.234.93:443 | yip.su | tcp |
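The Network table mixes the hosts that matter (payload and C2 servers, the direct-to-IP connections, the high-port TCP session with no domain) with the sandbox's resolver, a certificate authority's CRL/OCSP endpoint and public IP-lookup services. The Python below is an added example written for this page, not part of the report: it parses a constructed subset of the table above, copied verbatim including the one row whose columns arrived shifted, keeps domains that were only looked up as well as those connected to, drops the resolver and an analyst-supplied allowlist, and emits one Suricata DNS-query rule per remaining domain. The allowlist contents, the sid range and the rule message text are assumptions; which of the remaining hosts (for example the opera.com and 360safe.com endpoints, or the IP-lookup services) deserve a rule is an analyst decision the code leaves to that allowlist.

```python
import ipaddress

# Added example, not part of the sandbox report. The rows below are a constructed
# subset of the report's Network table, copied verbatim including the one row
# whose columns are out of order (domain empty, protocol in the domain column).
SAMPLE_TABLE = """\
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.97.0:80 | potunulit.org | tcp |
| BG | 193.42.32.101:80 | 193.42.32.101 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.170:80 | apps.identrust.com | tcp |
| PL | 146.59.10.173:45035 | tcp | |
| DE | 148.251.234.93:443 | yip.su | tcp |
"""

PROTOS = {"tcp", "udp"}
RESOLVER = "8.8.8.8:53"   # the sandbox's DNS resolver; never an IOC by itself
# Assumption: analyst-provided allowlist of known-benign hosts seen in the table.
ALLOWLIST = frozenset({"apps.identrust.com"})

def parse_rows(table):
    """Parse '| country | dest | domain | proto |' rows into 4-tuples."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        # Recover the shifted row: the protocol landed in the domain column.
        if domain.lower() in PROTOS and not proto:
            domain, proto = "", domain
        rows.append((country, dest, domain, proto.lower()))
    return rows

def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def extract_iocs(rows, allowlist=frozenset()):
    """Deduplicate the table into network IOCs: domains and ip:port sockets."""
    domains, sockets = set(), set()
    for _, dest, domain, _ in rows:
        if domain.lower() in allowlist:
            continue                      # known-benign host: drop its sockets too
        if domain and not _is_ip(domain):
            domains.add(domain.lower())   # DNS-only lookups still count as IOCs
        if dest != RESOLVER:
            sockets.add(dest)             # direct-IP and domain-less rows keep the socket
    return {"domains": sorted(domains), "sockets": sorted(sockets)}

def suricata_dns_rules(domains, sid_base=1000000):
    """One Suricata DNS-query rule per domain; sid range and msg are assumptions."""
    rules = []
    for i, d in enumerate(domains):
        rules.append(
            f'alert dns any any -> any any (msg:"Sandbox IOC DNS query {d}"; '
            f'dns.query; content:"{d}"; nocase; classtype:trojan-activity; '
            f'sid:{sid_base + i}; rev:1;)')
    return rules

if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(SAMPLE_TABLE), ALLOWLIST)
    print("sockets:", *iocs["sockets"], sep="\n  ")
    print(*suricata_dns_rules(iocs["domains"]), sep="\n")
```

The sockets list is what goes into a firewall or proxy blocklist; the domain rules catch the lookup regardless of which IP answers, which matters here because several of the domains sit behind shared Cloudflare addresses (188.114.97.x, 104.21.x, 172.67.x) that cannot be blocked by IP without collateral damage.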
Files
memory/2448-0-0x0000000000220000-0x0000000000235000-memory.dmp
memory/2448-1-0x0000000000250000-0x0000000000259000-memory.dmp
memory/2448-2-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1244-3-0x00000000029F0000-0x0000000002A06000-memory.dmp
memory/2448-7-0x0000000000250000-0x0000000000259000-memory.dmp
memory/2448-4-0x0000000000400000-0x000000000044A000-memory.dmp
memory/2448-8-0x0000000000220000-0x0000000000235000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8E6A.exe
| MD5 | 8f2f61172cc6cc8e38e4db6828255e8f |
| SHA1 | d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d |
| SHA256 | 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc |
| SHA512 | e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57 |
C:\Users\Admin\AppData\Local\Temp\8E6A.exe
| MD5 | 8f2f61172cc6cc8e38e4db6828255e8f |
| SHA1 | d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d |
| SHA256 | 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc |
| SHA512 | e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57 |
memory/2724-18-0x0000000000350000-0x00000000003E2000-memory.dmp
memory/2724-19-0x0000000000350000-0x00000000003E2000-memory.dmp
memory/2724-23-0x0000000002620000-0x000000000273B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8E6A.exe
| MD5 | 8f2f61172cc6cc8e38e4db6828255e8f |
| SHA1 | d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d |
| SHA256 | 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc |
| SHA512 | e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57 |
\Users\Admin\AppData\Local\Temp\8E6A.exe
| MD5 | 8f2f61172cc6cc8e38e4db6828255e8f |
| SHA1 | d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d |
| SHA256 | 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc |
| SHA512 | e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57 |
memory/2720-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2720-26-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8E6A.exe
| MD5 | 8f2f61172cc6cc8e38e4db6828255e8f |
| SHA1 | d099f9c4d4b798c8cde7c8fd8447fd5fc82ad45d |
| SHA256 | 109ff1b8cc63e26cf45385b2521c9c56dae62d03ed0acbccb577a3ca729d8adc |
| SHA512 | e5290b3cd78698ce14c01a25a8f9c7efe2dff0f38f9c581490ae1aaef25bc971c05aca2d06eae4a4eecbf6033ab6bef9a541c7f1eb332ac0a6808ad4b0b77b57 |
C:\Users\Admin\AppData\Local\Temp\9020.dll
| MD5 | bd882e889728e1bca4297f27233c43df |
| SHA1 | 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc |
| SHA256 | 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b |
| SHA512 | 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf |
C:\Users\Admin\AppData\Local\Temp\912A.exe
| MD5 | 81a0054a8065b79186a98a212a2d6a5e |
| SHA1 | 41a44da8581e024bd20d7ce1310f9b22ccecac90 |
| SHA256 | 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181 |
| SHA512 | 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72 |
C:\Users\Admin\AppData\Local\Temp\912A.exe
| MD5 | 81a0054a8065b79186a98a212a2d6a5e |
| SHA1 | 41a44da8581e024bd20d7ce1310f9b22ccecac90 |
| SHA256 | 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181 |
| SHA512 | 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72 |
C:\Users\Admin\AppData\Local\Temp\912A.exe
| MD5 | 81a0054a8065b79186a98a212a2d6a5e |
| SHA1 | 41a44da8581e024bd20d7ce1310f9b22ccecac90 |
| SHA256 | 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181 |
| SHA512 | 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72 |
\Users\Admin\AppData\Local\Temp\912A.exe
| MD5 | 81a0054a8065b79186a98a212a2d6a5e |
| SHA1 | 41a44da8581e024bd20d7ce1310f9b22ccecac90 |
| SHA256 | 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181 |
| SHA512 | 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72 |
memory/2720-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2856-36-0x0000000002620000-0x00000000026B1000-memory.dmp
memory/2908-42-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2908-47-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2720-48-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\9020.dll
| MD5 | bd882e889728e1bca4297f27233c43df |
| SHA1 | 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc |
| SHA256 | 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b |
| SHA512 | 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf |
memory/2856-46-0x0000000003E10000-0x0000000003F2B000-memory.dmp
memory/2856-44-0x0000000002620000-0x00000000026B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\912A.exe
| MD5 | 81a0054a8065b79186a98a212a2d6a5e |
| SHA1 | 41a44da8581e024bd20d7ce1310f9b22ccecac90 |
| SHA256 | 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181 |
| SHA512 | 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72 |
C:\Users\Admin\AppData\Local\Temp\980E.exe
| MD5 | f62db17095733535b6cfd2d07d7fd994 |
| SHA1 | cb75466f4814f879f640e95fa8b88b4c6e8dd0c5 |
| SHA256 | 9fe3bfd40d042b7a7e2d46578d5f889a90d0b0a36c233063f59fbdbb1fc5570c |
| SHA512 | 76f8889cfb56d70d8d3605b50d186e90e16ba53ad1de283e95c1d0d9e6f158d0c267d9377fe2a7498bbaec3ca030347bead67299c5ee9aa9faf531f5db0d2516 |
C:\Users\Admin\AppData\Local\Temp\980E.exe
| MD5 | f62db17095733535b6cfd2d07d7fd994 |
| SHA1 | cb75466f4814f879f640e95fa8b88b4c6e8dd0c5 |
| SHA256 | 9fe3bfd40d042b7a7e2d46578d5f889a90d0b0a36c233063f59fbdbb1fc5570c |
| SHA512 | 76f8889cfb56d70d8d3605b50d186e90e16ba53ad1de283e95c1d0d9e6f158d0c267d9377fe2a7498bbaec3ca030347bead67299c5ee9aa9faf531f5db0d2516 |
memory/2908-53-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1684-57-0x0000000010000000-0x00000000101A4000-memory.dmp
memory/1684-56-0x0000000000240000-0x0000000000246000-memory.dmp
memory/2928-59-0x0000000000F50000-0x0000000000FD0000-memory.dmp
memory/2928-60-0x0000000073AB0000-0x000000007419E000-memory.dmp
memory/2928-61-0x0000000004EE0000-0x0000000004F20000-memory.dmp
memory/2928-62-0x0000000000990000-0x00000000009F0000-memory.dmp
memory/2928-63-0x0000000000330000-0x000000000034A000-memory.dmp
memory/1684-64-0x0000000002180000-0x0000000002288000-memory.dmp
memory/1980-67-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1684-69-0x0000000002290000-0x000000000237D000-memory.dmp
memory/1980-70-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1980-75-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1684-74-0x0000000002290000-0x000000000237D000-memory.dmp
memory/2928-76-0x0000000073AB0000-0x000000007419E000-memory.dmp
memory/1684-77-0x0000000002290000-0x000000000237D000-memory.dmp
memory/808-78-0x000000006F160000-0x000000006F70B000-memory.dmp
memory/808-79-0x000000006F160000-0x000000006F70B000-memory.dmp
memory/808-80-0x0000000002350000-0x0000000002390000-memory.dmp
memory/808-85-0x0000000002350000-0x0000000002390000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B59D.exe
| MD5 | 46ec3f1333f627b301fa9c871343bc9a |
| SHA1 | 59483a7dd5c33a5a14c4da9441230f7810cd4329 |
| SHA256 | 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6 |
| SHA512 | b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d |
C:\Users\Admin\AppData\Local\Temp\B59D.exe
| MD5 | 46ec3f1333f627b301fa9c871343bc9a |
| SHA1 | 59483a7dd5c33a5a14c4da9441230f7810cd4329 |
| SHA256 | 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6 |
| SHA512 | b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d |
C:\Users\Admin\AppData\Local\Temp\CabB7AB.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
memory/564-95-0x00000000000A0000-0x0000000000734000-memory.dmp
memory/1980-87-0x00000000733C0000-0x0000000073AAE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarB829.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/1980-111-0x00000000009D0000-0x0000000000A10000-memory.dmp
memory/808-112-0x0000000002350000-0x0000000002390000-memory.dmp
memory/564-114-0x00000000733C0000-0x0000000073AAE000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d04a29045353ccd773e803baba42b768 |
| SHA1 | b25ae00a8518e778785e16ac547f712eb1ad5f4c |
| SHA256 | e45b4ffa6ff55ad9eeef0fb1a458cab9ad19e88963e14f793c48b26842fb1023 |
| SHA512 | 5a6892580c2d366742cf7a9baa55e3ee10784293f30a9165c56a687811c0cd40f15c886e28bc989534f67ed5a35bc1d5ea21144272dfa4ce318cbc37ed3394d6 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-27 08:59
Reported
2023-09-27 09:02
Platform
win10v2004-20230915-en
Max time kernel
34s
Max time network
77s
Command Line
Signatures
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C98A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C98A.exe | N/A |
Uses the VBS compiler for execution
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4684 set thread context of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\C98A.exe | C:\Users\Admin\AppData\Local\Temp\C98A.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\C98A.exe
C:\Users\Admin\AppData\Local\Temp\C98A.exe
C:\Users\Admin\AppData\Local\Temp\C98A.exe
C:\Users\Admin\AppData\Local\Temp\C98A.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CB50.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\CB50.dll
C:\Users\Admin\AppData\Local\Temp\CCC8.exe
C:\Users\Admin\AppData\Local\Temp\CCC8.exe
C:\Users\Admin\AppData\Local\Temp\CCC8.exe
C:\Users\Admin\AppData\Local\Temp\CCC8.exe
C:\Users\Admin\AppData\Local\Temp\D12E.exe
C:\Users\Admin\AppData\Local\Temp\D12E.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\D12E.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Temp\DDE1.exe
C:\Users\Admin\AppData\Local\Temp\DDE1.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\C98A.exe
C:\Users\Admin\AppData\Local\Temp\CB50.dll
C:\Users\Admin\AppData\Local\Temp\CCC8.exe
C:\Users\Admin\AppData\Local\Temp\D12E.exe
C:\Users\Admin\AppData\Local\Temp\DDE1.exe
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2sect5sx.g1w.ps1
C:\Users\Admin\AppData\Local\Temp\E544.exe