Analysis Overview
SHA256
a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271
Threat Level: Known bad
The file NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
SmokeLoader
Vidar
Glupteba
Djvu Ransomware
Glupteba payload
RedLine payload
RedLine
Amadey
Downloads MZ/PE file
Modifies Windows Firewall
Deletes itself
Checks computer location settings
Modifies file permissions
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Adds Run key to start application
Accesses 2FA software files, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious behavior: MapViewOfSection
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Checks processor information in registry
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-14 10:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-14 10:46
Reported
2023-10-15 00:36
Platform
win7-20230831-en
Max time kernel
191s
Max time network
196s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF8F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF8F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF8F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF8F.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44E1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF8F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF8F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF8F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF8F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\76352554-0e1a-4793-a28b-223740cbc378\\CF8F.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\CF8F.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2284 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\CF8F.exe | C:\Users\Admin\AppData\Local\Temp\CF8F.exe |
| PID 2548 set thread context of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\D1F0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1664 set thread context of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\CF8F.exe | C:\Users\Admin\AppData\Local\Temp\CF8F.exe |
| PID 2432 set thread context of 2696 | N/A | C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe | C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe |
| PID 2660 set thread context of 2156 | N/A | C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe | C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\590E.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\590E.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
C:\Users\Admin\AppData\Local\Temp\D1F0.exe
C:\Users\Admin\AppData\Local\Temp\D1F0.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\76352554-0e1a-4793-a28b-223740cbc378" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
"C:\Users\Admin\AppData\Local\Temp\CF8F.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
"C:\Users\Admin\AppData\Local\Temp\CF8F.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\FCB8.exe
C:\Users\Admin\AppData\Local\Temp\FCB8.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3F45.dll
C:\Users\Admin\AppData\Local\Temp\44E1.exe
C:\Users\Admin\AppData\Local\Temp\44E1.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Users\Admin\AppData\Local\Temp\590E.exe
C:\Users\Admin\AppData\Local\Temp\590E.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\3F45.dll
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe
"C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {B8114C9F-A7FC-4604-BB1F-CB51DAF828E3} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe
"C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe
"C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe"
C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe
"C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231015003640.log C:\Windows\Logs\CBS\CbsPersist_20231015003640.cab
C:\Users\Admin\AppData\Local\Temp\590E.exe
"C:\Users\Admin\AppData\Local\Temp\590E.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.1:443 | api.2ip.ua | tcp |
| US | 188.114.97.1:443 | api.2ip.ua | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 104.21.21.57:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 104.21.86.8:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| MX | 201.110.239.142:80 | colisumy.com | tcp |
| KR | 211.119.84.112:80 | zexeq.com | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| KR | 211.119.84.112:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| JP | 23.207.106.113:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 128.140.102.206:80 | 128.140.102.206 | tcp |
Files
memory/3036-1-0x0000000000230000-0x0000000000330000-memory.dmp
memory/3036-2-0x0000000000400000-0x00000000005B3000-memory.dmp
memory/3036-3-0x00000000003B0000-0x00000000003BB000-memory.dmp
memory/1264-4-0x0000000002A30000-0x0000000002A46000-memory.dmp
memory/3036-5-0x0000000000400000-0x00000000005B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/2284-20-0x0000000004400000-0x0000000004492000-memory.dmp
memory/2284-21-0x0000000004400000-0x0000000004492000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/2284-24-0x00000000044A0000-0x00000000045BB000-memory.dmp
\Users\Admin\AppData\Local\Temp\CF8F.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/2528-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2528-28-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/2284-31-0x0000000004400000-0x0000000004492000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D1F0.exe
| MD5 | 5b293206e810d2871736e1ecbd9cc196 |
| SHA1 | 47c0baadfba1876cb8ffdff6f057f16f2076197f |
| SHA256 | f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628 |
| SHA512 | 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32 |
C:\Users\Admin\AppData\Local\Temp\D1F0.exe
| MD5 | 5b293206e810d2871736e1ecbd9cc196 |
| SHA1 | 47c0baadfba1876cb8ffdff6f057f16f2076197f |
| SHA256 | f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628 |
| SHA512 | 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32 |
memory/2528-38-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2528-37-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\76352554-0e1a-4793-a28b-223740cbc378\CF8F.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
\Users\Admin\AppData\Local\Temp\CF8F.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
\Users\Admin\AppData\Local\Temp\CF8F.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/1664-60-0x00000000002C0000-0x0000000000352000-memory.dmp
memory/2528-58-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1664-62-0x00000000002C0000-0x0000000000352000-memory.dmp
memory/1696-64-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1696-63-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1696-66-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Local\Temp\CF8F.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/1696-68-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1696-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1696-71-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1664-75-0x00000000002C0000-0x0000000000352000-memory.dmp
memory/1072-78-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1072-79-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1696-77-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CF8F.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | c6113f1c49133dabab28c3c26162c969 |
| SHA1 | 31b7316e1e13002fc985a0fa47f7c457c06ef5c0 |
| SHA256 | 31d0444a05a2e3edfa6c28b34cc57769cd8eea56a2de6003976ccf23253e57bd |
| SHA512 | 96b6bcfae26a38299df116ef5037691b28e2a5d6c5033cfde50c63d844291d91921cade97ef6a7079971f97e1cc8b6c5a10ff8d0c7826e141abd31ca19758dea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 9967597ee3945af816a504b559682a7e |
| SHA1 | 7793bcdd427e0b3109022c80bcfd6f94a7bf0111 |
| SHA256 | 0574c1bfb06162e98d0e4c0e0b233e8d12d6155df13c26c32ca96f002a43690b |
| SHA512 | 709218bf62701619e40babf2cee55a822deb27022ee9e10f170c925a56d633aba480167b448168445865d08af004ea08c36fc9653acb16b66c536c233bc6aa44 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b4f6b7adf4283a76d9768f041a37546f |
| SHA1 | 41c93a0c2b329f520d0e82a99eff6381a01969f4 |
| SHA256 | 0f87fd27ac95e99f2a0813294a8f271b4756f2e60a3d283182e965b15bd6d20c |
| SHA512 | e411d6aa0d842ab4b1d8332215badda66022bc056573fce8d3d37b2d822faebbf2cb6b9384ff63dc9cf2181b63fd597c553818660f7f0fd9dee28f2023219d87 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bfe76bedb5dbf4238ee48117bb8dffe4 |
| SHA1 | b1fb84785da2144d90fadab99e27133dd5a89fe5 |
| SHA256 | bef3e23b669217dbd6c5fc14c9eb85072317d67bbe5f7422e1ce93b9aa3107b7 |
| SHA512 | 7bce160ce6cc6bd416894a574b2595e5eb75c63914e89d8654ee4f2c82dad053eea89e24bc2a8024a6f54ab4ff779aff9e8c19fe0e4f87d60f475f04fa33993e |
C:\Users\Admin\AppData\Local\Temp\CabED6B.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
memory/1072-94-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\FCB8.exe
| MD5 | 22b5ba8e29ad46aea74520369763650a |
| SHA1 | 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec |
| SHA256 | ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec |
| SHA512 | 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead |
C:\Users\Admin\AppData\Local\Temp\FCB8.exe
| MD5 | 22b5ba8e29ad46aea74520369763650a |
| SHA1 | 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec |
| SHA256 | ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec |
| SHA512 | 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead |
C:\Users\Admin\AppData\Local\Temp\44E1.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\44E1.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\3F45.dll
| MD5 | 55f1c499b31e58a29f6dacea7580fb69 |
| SHA1 | c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a |
| SHA256 | b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854 |
| SHA512 | 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1 |
memory/2900-110-0x000000013F660000-0x000000013FFB1000-memory.dmp
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\590E.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/1776-121-0x00000000049E0000-0x0000000004DD8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\590E.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/1776-123-0x00000000049E0000-0x0000000004DD8000-memory.dmp
memory/1776-124-0x0000000004DE0000-0x00000000056CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1776-126-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/1072-129-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1968-130-0x0000000000060000-0x000000000006C000-memory.dmp
memory/1968-128-0x0000000000060000-0x000000000006C000-memory.dmp
memory/1072-127-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\3F45.dll
| MD5 | 55f1c499b31e58a29f6dacea7580fb69 |
| SHA1 | c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a |
| SHA256 | b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854 |
| SHA512 | 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1 |
memory/828-132-0x00000000000C0000-0x000000000012B000-memory.dmp
memory/828-133-0x00000000001A0000-0x0000000000215000-memory.dmp
memory/1800-134-0x0000000010000000-0x0000000010251000-memory.dmp
memory/828-135-0x00000000000C0000-0x000000000012B000-memory.dmp
memory/1800-137-0x0000000000190000-0x0000000000196000-memory.dmp
memory/828-150-0x00000000000C0000-0x000000000012B000-memory.dmp
memory/1072-154-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1072-162-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1072-161-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe
| MD5 | 22f2fd94f57b71f36a31ea18be7d4b34 |
| SHA1 | a8dc0a1af7978fea291f5306f1937a90ac9b6b5b |
| SHA256 | bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454 |
| SHA512 | 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173 |
C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe
| MD5 | 22f2fd94f57b71f36a31ea18be7d4b34 |
| SHA1 | a8dc0a1af7978fea291f5306f1937a90ac9b6b5b |
| SHA256 | bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454 |
| SHA512 | 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173 |
memory/2900-172-0x000000013F660000-0x000000013FFB1000-memory.dmp
\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe
| MD5 | 22f2fd94f57b71f36a31ea18be7d4b34 |
| SHA1 | a8dc0a1af7978fea291f5306f1937a90ac9b6b5b |
| SHA256 | bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454 |
| SHA512 | 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173 |
\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe
| MD5 | 22f2fd94f57b71f36a31ea18be7d4b34 |
| SHA1 | a8dc0a1af7978fea291f5306f1937a90ac9b6b5b |
| SHA256 | bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454 |
| SHA512 | 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173 |
memory/1072-164-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1776-159-0x00000000049E0000-0x0000000004DD8000-memory.dmp
memory/1800-158-0x0000000000C80000-0x0000000000D9B000-memory.dmp
memory/1776-173-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/1800-174-0x0000000002420000-0x0000000002521000-memory.dmp
memory/1800-175-0x0000000002420000-0x0000000002521000-memory.dmp
memory/1800-177-0x0000000002420000-0x0000000002521000-memory.dmp
C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe
| MD5 | 22f2fd94f57b71f36a31ea18be7d4b34 |
| SHA1 | a8dc0a1af7978fea291f5306f1937a90ac9b6b5b |
| SHA256 | bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454 |
| SHA512 | 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173 |
memory/2432-184-0x0000000002360000-0x0000000002460000-memory.dmp
memory/2696-183-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1800-182-0x0000000002420000-0x0000000002521000-memory.dmp
memory/2432-185-0x00000000002E0000-0x0000000000331000-memory.dmp
memory/1776-180-0x0000000004DE0000-0x00000000056CB000-memory.dmp
memory/2696-187-0x0000000000400000-0x0000000000465000-memory.dmp
memory/1800-179-0x0000000010000000-0x0000000010251000-memory.dmp
memory/2696-190-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build2.exe
| MD5 | 22f2fd94f57b71f36a31ea18be7d4b34 |
| SHA1 | a8dc0a1af7978fea291f5306f1937a90ac9b6b5b |
| SHA256 | bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454 |
| SHA512 | 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173 |
memory/2696-191-0x0000000000400000-0x0000000000465000-memory.dmp
memory/1072-192-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1072-204-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\Temp\TarA2F4.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/2900-240-0x000000013F660000-0x000000013FFB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\590E.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | dd75a805a05f98ee7fc97e7cc543f74f |
| SHA1 | 345b6f72214cb31911564d41387dac7f71601cb1 |
| SHA256 | df10eef395f9650d6a8a0ac692359f92238ac9c5c5675517b6ce87a5835c463a |
| SHA512 | b0db60e3e483f056e18ecc47864f0eff6f0d2d083fb03206a805545308e954e628bc8229a962d523d9be16f533167f11541ce0d7da17b213aa965488e1fd7924 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
memory/2696-267-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/1776-266-0x0000000000400000-0x0000000002FB8000-memory.dmp
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\d8a389ad-a7c2-44a7-bb76-dd831d1eba79\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2660-304-0x0000000000912000-0x0000000000923000-memory.dmp
memory/2660-306-0x0000000000220000-0x0000000000224000-memory.dmp
memory/2156-307-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2696-308-0x0000000000400000-0x0000000000465000-memory.dmp
C:\ProgramData\14067607011940809247956307
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
memory/2696-332-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\590E.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/1776-339-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/1988-340-0x0000000004880000-0x0000000004C78000-memory.dmp
memory/1988-341-0x0000000000400000-0x0000000002FB8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-14 10:46
Reported
2023-10-15 00:36
Platform
win10v2004-20230915-en
Max time kernel
65s
Max time network
164s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8665.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53A9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5782.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53A9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\784A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8665.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8F7E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9C31.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2092 set thread context of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\53A9.exe | C:\Users\Admin\AppData\Local\Temp\53A9.exe |
| PID 3220 set thread context of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\5782.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\53A9.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8F7E.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8F7E.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8F7E.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8F7E.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a73ee8f46c7caf4da7ea6a92dc0a11d58757a83e1b5b9c3723b49690fc238271exe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\53A9.exe
C:\Users\Admin\AppData\Local\Temp\53A9.exe
C:\Users\Admin\AppData\Local\Temp\5782.exe
C:\Users\Admin\AppData\Local\Temp\5782.exe
C:\Users\Admin\AppData\Local\Temp\53A9.exe
C:\Users\Admin\AppData\Local\Temp\53A9.exe
C:\Users\Admin\AppData\Local\Temp\784A.exe
C:\Users\Admin\AppData\Local\Temp\784A.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8470.dll
C:\Users\Admin\AppData\Local\Temp\8665.exe
C:\Users\Admin\AppData\Local\Temp\8665.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\8470.dll
C:\Users\Admin\AppData\Local\Temp\8F7E.exe
C:\Users\Admin\AppData\Local\Temp\8F7E.exe
C:\Users\Admin\AppData\Local\Temp\9C31.exe
C:\Users\Admin\AppData\Local\Temp\9C31.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\afddb995-bf8e-476e-9b1a-1ea398658276" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\53A9.exe
"C:\Users\Admin\AppData\Local\Temp\53A9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\53A9.exe
"C:\Users\Admin\AppData\Local\Temp\53A9.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 396 -ip 396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 568
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\9C31.exe
"C:\Users\Admin\AppData\Local\Temp\9C31.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 104.21.21.57:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | 57.21.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.213.67.172.in-addr.arpa | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wirtshauspost.at | udp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 243.161.140.123.in-addr.arpa | udp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| FR | 51.255.152.132:36011 | tcp | |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| KR | 123.140.161.243:80 | wirtshauspost.at | tcp |
| FR | 51.255.152.132:36011 | tcp | |
| RU | 31.41.244.27:41140 | tcp | |
| US | 8.8.8.8:53 | 27.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
| FR | 51.255.152.132:36011 | tcp |
Files
memory/3856-1-0x0000000000710000-0x0000000000810000-memory.dmp
memory/3856-2-0x00000000021C0000-0x00000000021CB000-memory.dmp
memory/3856-3-0x0000000000400000-0x00000000005B3000-memory.dmp
memory/3156-5-0x0000000003390000-0x00000000033A6000-memory.dmp
memory/3856-6-0x0000000000400000-0x00000000005B3000-memory.dmp
memory/3856-9-0x00000000021C0000-0x00000000021CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\53A9.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
C:\Users\Admin\AppData\Local\Temp\53A9.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/2092-22-0x00000000048A0000-0x0000000004934000-memory.dmp
memory/2092-23-0x0000000004A60000-0x0000000004B7B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5782.exe
| MD5 | 5b293206e810d2871736e1ecbd9cc196 |
| SHA1 | 47c0baadfba1876cb8ffdff6f057f16f2076197f |
| SHA256 | f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628 |
| SHA512 | 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32 |
C:\Users\Admin\AppData\Local\Temp\5782.exe
| MD5 | 5b293206e810d2871736e1ecbd9cc196 |
| SHA1 | 47c0baadfba1876cb8ffdff6f057f16f2076197f |
| SHA256 | f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628 |
| SHA512 | 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32 |
memory/1180-28-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1180-30-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\53A9.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/1180-31-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1180-32-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\784A.exe
| MD5 | 22b5ba8e29ad46aea74520369763650a |
| SHA1 | 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec |
| SHA256 | ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec |
| SHA512 | 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead |
memory/3088-37-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8665.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\8665.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\8470.dll
| MD5 | 55f1c499b31e58a29f6dacea7580fb69 |
| SHA1 | c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a |
| SHA256 | b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854 |
| SHA512 | 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1 |
C:\Users\Admin\AppData\Local\Temp\8F7E.exe
| MD5 | a0dc2db849379678c981ff38e6864db0 |
| SHA1 | df1684b25e0fe4af92b0cf0cf4e6dfcac795f458 |
| SHA256 | eafe43d5f59f732f56db205872cd55690916a0b26874bb080ab752d86704b97d |
| SHA512 | 6caaf092866e0a1c272adb6790042e0480b621c089701f16c3efd2cabd14874560180ee3d7fa460ee22074a3dfed3a88e72272b479978be85dfb7037cb01ad6b |
C:\Users\Admin\AppData\Local\Temp\8F7E.exe
| MD5 | a0dc2db849379678c981ff38e6864db0 |
| SHA1 | df1684b25e0fe4af92b0cf0cf4e6dfcac795f458 |
| SHA256 | eafe43d5f59f732f56db205872cd55690916a0b26874bb080ab752d86704b97d |
| SHA512 | 6caaf092866e0a1c272adb6790042e0480b621c089701f16c3efd2cabd14874560180ee3d7fa460ee22074a3dfed3a88e72272b479978be85dfb7037cb01ad6b |
C:\Users\Admin\AppData\Local\Temp\8470.dll
| MD5 | 55f1c499b31e58a29f6dacea7580fb69 |
| SHA1 | c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a |
| SHA256 | b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854 |
| SHA512 | 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1 |
memory/632-52-0x0000000000610000-0x0000000000710000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/632-53-0x0000000000740000-0x000000000074B000-memory.dmp
memory/632-55-0x0000000000400000-0x00000000005B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9C31.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Local\Temp\9C31.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/400-65-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp
memory/3156-66-0x0000000007CC0000-0x0000000007CD6000-memory.dmp
memory/632-67-0x0000000000400000-0x00000000005B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3088-73-0x0000000073DD0000-0x0000000074580000-memory.dmp
memory/472-75-0x0000000005130000-0x0000000005A1B000-memory.dmp
memory/1388-76-0x0000000000380000-0x000000000038C000-memory.dmp
memory/3680-77-0x0000000010000000-0x0000000010251000-memory.dmp
memory/1388-79-0x0000000000380000-0x000000000038C000-memory.dmp
memory/472-80-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2384-81-0x0000000000AE0000-0x0000000000B4B000-memory.dmp
memory/2384-82-0x0000000000B50000-0x0000000000BC5000-memory.dmp
memory/2384-84-0x0000000000AE0000-0x0000000000B4B000-memory.dmp
memory/3680-85-0x0000000002870000-0x0000000002876000-memory.dmp
memory/472-83-0x0000000004D20000-0x0000000005126000-memory.dmp
C:\Users\Admin\AppData\Local\afddb995-bf8e-476e-9b1a-1ea398658276\53A9.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
C:\Users\Admin\AppData\Local\Temp\53A9.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/1180-115-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2384-119-0x0000000000AE0000-0x0000000000B4B000-memory.dmp
memory/400-120-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp
memory/3088-122-0x0000000007C20000-0x00000000081C4000-memory.dmp
memory/472-121-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/396-127-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2664-126-0x0000000004920000-0x00000000049B5000-memory.dmp
memory/396-129-0x0000000000400000-0x0000000000537000-memory.dmp
memory/396-125-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\53A9.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/3680-130-0x0000000010000000-0x0000000010251000-memory.dmp
memory/3680-131-0x0000000002CB0000-0x0000000002DCB000-memory.dmp
memory/3088-132-0x0000000007720000-0x00000000077B2000-memory.dmp
memory/3680-134-0x0000000002DD0000-0x0000000002ED1000-memory.dmp
memory/3680-133-0x0000000002DD0000-0x0000000002ED1000-memory.dmp
memory/3680-136-0x0000000002DD0000-0x0000000002ED1000-memory.dmp
memory/3680-139-0x0000000002DD0000-0x0000000002ED1000-memory.dmp
memory/472-140-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/3088-141-0x0000000073DD0000-0x0000000074580000-memory.dmp
memory/3088-142-0x0000000007700000-0x0000000007710000-memory.dmp
memory/3088-143-0x0000000007830000-0x000000000783A000-memory.dmp
memory/472-144-0x0000000004D20000-0x0000000005126000-memory.dmp
memory/1480-145-0x0000000073DD0000-0x0000000074580000-memory.dmp
memory/1480-146-0x0000000005130000-0x0000000005140000-memory.dmp
memory/1480-147-0x0000000004FA0000-0x0000000004FD6000-memory.dmp
memory/400-148-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp
memory/3088-150-0x00000000087F0000-0x0000000008E08000-memory.dmp
C:\Users\Admin\AppData\Roaming\rgwfbvw
| MD5 | a0dc2db849379678c981ff38e6864db0 |
| SHA1 | df1684b25e0fe4af92b0cf0cf4e6dfcac795f458 |
| SHA256 | eafe43d5f59f732f56db205872cd55690916a0b26874bb080ab752d86704b97d |
| SHA512 | 6caaf092866e0a1c272adb6790042e0480b621c089701f16c3efd2cabd14874560180ee3d7fa460ee22074a3dfed3a88e72272b479978be85dfb7037cb01ad6b |
memory/1480-155-0x0000000005770000-0x0000000005D98000-memory.dmp
memory/1480-156-0x0000000005130000-0x0000000005140000-memory.dmp
memory/3088-158-0x0000000007A00000-0x0000000007A12000-memory.dmp
memory/3088-157-0x0000000007AF0000-0x0000000007BFA000-memory.dmp
memory/2664-154-0x0000000004920000-0x00000000049B5000-memory.dmp
memory/472-149-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/3088-159-0x0000000007A60000-0x0000000007A9C000-memory.dmp
memory/1480-160-0x0000000005550000-0x0000000005572000-memory.dmp
memory/3088-161-0x0000000007AA0000-0x0000000007AEC000-memory.dmp
memory/1480-162-0x00000000056F0000-0x0000000005756000-memory.dmp
memory/1480-163-0x0000000005F10000-0x0000000005F76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3fg2d53d.t5f.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1480-169-0x0000000005F80000-0x00000000062D4000-memory.dmp
memory/1480-174-0x0000000006560000-0x000000000657E000-memory.dmp
memory/3088-175-0x0000000007700000-0x0000000007710000-memory.dmp
memory/1480-176-0x0000000006A10000-0x0000000006A54000-memory.dmp
memory/1480-177-0x0000000073DD0000-0x0000000074580000-memory.dmp
memory/1480-178-0x0000000005130000-0x0000000005140000-memory.dmp
memory/1480-179-0x0000000007670000-0x00000000076E6000-memory.dmp
memory/1480-180-0x0000000005130000-0x0000000005140000-memory.dmp
memory/400-181-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp
memory/1480-183-0x0000000005130000-0x0000000005140000-memory.dmp
memory/472-182-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/1480-184-0x0000000007D70000-0x00000000083EA000-memory.dmp
memory/1480-185-0x00000000075F0000-0x000000000760A000-memory.dmp
memory/1480-186-0x000000007F3C0000-0x000000007F3D0000-memory.dmp
memory/1480-188-0x00000000747C0000-0x000000007480C000-memory.dmp
memory/1480-189-0x000000006C9F0000-0x000000006CD44000-memory.dmp
memory/1480-187-0x0000000007AD0000-0x0000000007B02000-memory.dmp
memory/1480-199-0x0000000007AB0000-0x0000000007ACE000-memory.dmp
memory/1480-200-0x0000000007B10000-0x0000000007BB3000-memory.dmp
memory/1480-201-0x0000000005130000-0x0000000005140000-memory.dmp
memory/1480-202-0x0000000007BF0000-0x0000000007BFA000-memory.dmp
memory/400-203-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp
memory/472-204-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/1480-205-0x00000000083F0000-0x0000000008486000-memory.dmp
memory/1480-206-0x0000000007C40000-0x0000000007C51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1480-208-0x0000000007C70000-0x0000000007C7E000-memory.dmp
memory/1480-209-0x0000000007C80000-0x0000000007C94000-memory.dmp
memory/400-216-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp
memory/472-217-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9C31.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/400-253-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp
memory/472-254-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/4860-255-0x0000000000740000-0x000000000079A000-memory.dmp
memory/400-257-0x00007FF7BE840000-0x00007FF7BF191000-memory.dmp
memory/2812-256-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2812-264-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
memory/2812-268-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 89ae6dfb9a06aa1ac901bf11d7f1e406 |
| SHA1 | 40684048404c32aeb5552d4ab17fd9a0da9d2287 |
| SHA256 | 019b153fbc41aadf849639257d54887cf007fd6c34ed3b7203f315c62e72d22e |
| SHA512 | 872e7c8a8217b702782f2667f4c7f03a39dfe5ff78cec00d63939efc67858cad2ba188afc5a7cbf54221785d297f1b7f04ac6ea5e6b6911b76206efcfd00bcc2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e764cfd6dd73b8f7adf1b85b8f0e6039 |
| SHA1 | 8b8958c3d0f51f095c408245c2fe8a882f2ed70a |
| SHA256 | 31b1efb7770c5f800d85441cb6702bbfc30c8f3d0efdc031b828b372cf7ceb66 |
| SHA512 | 5e16f343f9138527fee12cc7de21d77831363095bd4ef82d6f38d07f7fa504c345897be023a4c85c466de07371d9986634893efe44f66bb7c145905fa2d1ad53 |
C:\Windows\rss\csrss.exe
| MD5 | b01051f8eb90ae5fc37c53a3d27a3441 |
| SHA1 | ec02ec6b4837915a8faff482c767ba0481100802 |
| SHA256 | 5261e2aca080b71e486f4e2f7579203c5c2ed57d20b28ef8bbd6ab5dc2d7e20e |
| SHA512 | 7785b75521489ff3861d649e92f9e785976f1904f0fde40d58451215fc62965345ad38df6430a6c35615de6f06672e9a3c9a00d9fcd814120ea52678df272f13 |
C:\Windows\rss\csrss.exe
| MD5 | b01051f8eb90ae5fc37c53a3d27a3441 |
| SHA1 | ec02ec6b4837915a8faff482c767ba0481100802 |
| SHA256 | 5261e2aca080b71e486f4e2f7579203c5c2ed57d20b28ef8bbd6ab5dc2d7e20e |
| SHA512 | 7785b75521489ff3861d649e92f9e785976f1904f0fde40d58451215fc62965345ad38df6430a6c35615de6f06672e9a3c9a00d9fcd814120ea52678df272f13 |
memory/2812-339-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7e3e4ce569022c685be192cd7646b8a5 |
| SHA1 | b99383a1d7c77870098e3d8100ac3fa638b924c6 |
| SHA256 | db218b3a9906ada768161755daeff85ccff409abcc31e05fea32ea17f2420ee5 |
| SHA512 | ae1acea95a1904e8db80ac2c507efa7e08955a63042481ea7409f9a31a664ed276c87539e4e73647c7866cbdc4bdd6b668631c1cef0739f18a0312c8cc5abedc |