Malware Analysis Report

2025-01-18 06:37

Sample ID 231015-kmr1zadf2v
Target file.exe
SHA256 89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) up3 backdoor collection discovery dropper evasion infostealer loader persistence ransomware trojan pub1
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

89797297ce145c9bb7885fbe2d79a482829e1d789e3112f785f6cc6348134db8

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess

Detected Djvu ransomware

Glupteba payload

RedLine

SmokeLoader

Djvu Ransomware

Amadey

RedLine payload

Stops running service(s)

Downloads MZ/PE file

Deletes itself

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

outlook_office_path

outlook_win_path

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-15 08:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 08:43

Reported

2023-10-15 08:46

Platform

win7-20230831-en

Max time kernel

56s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b858cfd4-49f4-4dc2-8577-2ed9980446b9\\6E4.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6E4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 1200 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 1200 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 1200 wrote to memory of 2772 N/A N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 1200 wrote to memory of 1040 N/A N/A C:\Users\Admin\AppData\Local\Temp\899.exe
PID 1200 wrote to memory of 1040 N/A N/A C:\Users\Admin\AppData\Local\Temp\899.exe
PID 1200 wrote to memory of 1040 N/A N/A C:\Users\Admin\AppData\Local\Temp\899.exe
PID 1200 wrote to memory of 1040 N/A N/A C:\Users\Admin\AppData\Local\Temp\899.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 2772 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Users\Admin\AppData\Local\Temp\6E4.exe
PID 1200 wrote to memory of 2504 N/A N/A C:\Users\Admin\AppData\Local\Temp\208D.exe
PID 1200 wrote to memory of 2504 N/A N/A C:\Users\Admin\AppData\Local\Temp\208D.exe
PID 1200 wrote to memory of 2504 N/A N/A C:\Users\Admin\AppData\Local\Temp\208D.exe
PID 1200 wrote to memory of 2152 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 2152 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 2152 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 2152 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1200 wrote to memory of 2152 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2152 wrote to memory of 2976 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2152 wrote to memory of 2976 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2152 wrote to memory of 2976 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2152 wrote to memory of 2976 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2152 wrote to memory of 2976 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2152 wrote to memory of 2976 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2152 wrote to memory of 2976 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1040 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\899.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\899.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\899.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\899.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\899.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\899.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\899.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\899.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\899.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\899.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\899.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1040 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\899.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2664 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Windows\SysWOW64\icacls.exe
PID 2664 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Windows\SysWOW64\icacls.exe
PID 2664 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Windows\SysWOW64\icacls.exe
PID 2664 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\6E4.exe C:\Windows\SysWOW64\icacls.exe
PID 1200 wrote to memory of 1880 N/A N/A C:\Users\Admin\AppData\Local\Temp\3769.exe
PID 1200 wrote to memory of 1880 N/A N/A C:\Users\Admin\AppData\Local\Temp\3769.exe
PID 1200 wrote to memory of 1880 N/A N/A C:\Users\Admin\AppData\Local\Temp\3769.exe
PID 1200 wrote to memory of 1880 N/A N/A C:\Users\Admin\AppData\Local\Temp\3769.exe
PID 1880 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\3769.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1880 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\3769.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1880 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\3769.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1880 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\3769.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1648 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1648 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1648 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1648 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1648 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\6E4.exe

C:\Users\Admin\AppData\Local\Temp\6E4.exe

C:\Users\Admin\AppData\Local\Temp\899.exe

C:\Users\Admin\AppData\Local\Temp\899.exe

C:\Users\Admin\AppData\Local\Temp\6E4.exe

C:\Users\Admin\AppData\Local\Temp\6E4.exe

C:\Users\Admin\AppData\Local\Temp\208D.exe

C:\Users\Admin\AppData\Local\Temp\208D.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\25DB.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\25DB.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b858cfd4-49f4-4dc2-8577-2ed9980446b9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\3769.exe

C:\Users\Admin\AppData\Local\Temp\3769.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\4520.exe

C:\Users\Admin\AppData\Local\Temp\4520.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\6E4.exe

"C:\Users\Admin\AppData\Local\Temp\6E4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\6E4.exe

"C:\Users\Admin\AppData\Local\Temp\6E4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\620e036e-68d2-4128-8384-a193794d2446\build2.exe

"C:\Users\Admin\AppData\Local\620e036e-68d2-4128-8384-a193794d2446\build2.exe"

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {92AD9B21-1836-4C21-A364-630E09881543} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231015084553.log C:\Windows\Logs\CBS\CbsPersist_20231015084553.cab

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {44C4434D-CB67-4782-98A1-168CD5FF12E8} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\4520.exe

"C:\Users\Admin\AppData\Local\Temp\4520.exe"

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 galandskiyher5.com udp
NL 194.169.175.127:80 galandskiyher5.com tcp
US 95.214.27.254:80 95.214.27.254 tcp
US 8.8.8.8:53 parrotnight.com udp
US 188.114.96.0:443 parrotnight.com tcp
US 188.114.97.0:443 parrotnight.com tcp
US 8.8.8.8:53 unclejohny.com udp
US 172.67.187.91:443 unclejohny.com tcp
US 8.8.8.8:53 zexeq.com udp
US 8.8.8.8:53 colisumy.com udp
PE 190.12.87.61:80 zexeq.com tcp
PE 190.187.52.42:80 colisumy.com tcp
FR 51.255.152.132:36011 tcp
US 8.8.8.8:53 host-file-host6.com udp
PE 190.12.87.61:80 zexeq.com tcp
US 8.8.8.8:53 host-host-file8.com udp
FR 51.255.152.132:36011 tcp
NL 194.169.175.127:80 host-host-file8.com tcp
FR 51.255.152.132:36011 tcp
RU 31.41.244.27:41140 tcp
FR 51.255.152.132:36011 tcp

Files

memory/2204-3-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2204-2-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/2204-1-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2204-5-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/1200-4-0x0000000002A00000-0x0000000002A16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6E4.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

C:\Users\Admin\AppData\Local\Temp\6E4.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/2772-20-0x00000000044E0000-0x0000000004572000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\899.exe

MD5 5b293206e810d2871736e1ecbd9cc196
SHA1 47c0baadfba1876cb8ffdff6f057f16f2076197f
SHA256 f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628
SHA512 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32

C:\Users\Admin\AppData\Local\Temp\899.exe

MD5 5b293206e810d2871736e1ecbd9cc196
SHA1 47c0baadfba1876cb8ffdff6f057f16f2076197f
SHA256 f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628
SHA512 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32

memory/2772-28-0x0000000004580000-0x000000000469B000-memory.dmp

memory/2772-27-0x00000000044E0000-0x0000000004572000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6E4.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

\Users\Admin\AppData\Local\Temp\6E4.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/2664-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2664-33-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6E4.exe

MD5 b5a49d7c6a9c31248c0676d0fc921967
SHA1 e2226592e6cebf82f5de1e76380bbb01291344bb
SHA256 e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22
SHA512 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c

memory/2664-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2664-37-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\208D.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

C:\Users\Admin\AppData\Local\Temp\208D.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

\Users\Admin\AppData\Local\Temp\25DB.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

C:\Users\Admin\AppData\Local\Temp\25DB.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/2976-46-0x0000000010000000-0x0000000010251000-memory.dmp

memory/2976-45-0x0000000000140000-0x0000000000146000-memory.dmp

memory/328-48-0x0000000000400000-0x000000000043E000-memory.dmp

memory/328-49-0x0000000000400000-0x000000000043E000-memory.dmp

memory/328-50-0x0000000000400000-0x000000000043E000-memory.dmp

memory/328-51-0x0000000000400000-0x000000000043E000-memory.dmp

memory/328-56-0x0000000000400000-0x000000000043E000-memory.dmp

memory/328-55-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/328-58-0x0000000000400000-0x000000000043E000-memory.dmp

memory/328-64-0x0000000000400000-0x000000000043E000-memory.dmp

memory/328-74-0x0000000073330000-0x0000000073A1E000-memory.dmp

memory/2664-75-0x0000000000400000-0x0000000000537000-memory.dmp

memory/328-77-0x00000000071B0000-0x00000000071F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\3769.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\3769.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2976-76-0x00000000023B0000-0x00000000024CB000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-15 08:43

Reported

2023-10-15 08:46

Platform

win10v2004-20230915-en

Max time kernel

145s

Max time network

167s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2232 created 3136 N/A C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe C:\Windows\Explorer.EXE

Downloads MZ/PE file

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3CCA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2621.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\60c125e7-1386-4a56-8354-55ac8d29be26\\2621.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\2621.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\2621.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\40A3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\40A3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\40A3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40A3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3136 wrote to memory of 4112 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2621.exe
PID 3136 wrote to memory of 4988 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\294E.exe
PID 4112 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2621.exe C:\Users\Admin\AppData\Local\Temp\2621.exe
PID 2076 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2621.exe C:\Windows\SysWOW64\icacls.exe
PID 3136 wrote to memory of 1440 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\35C3.exe
PID 3136 wrote to memory of 4752 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 4752 wrote to memory of 2408 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3136 wrote to memory of 3580 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3CCA.exe
PID 2076 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2621.exe C:\Users\Admin\AppData\Local\Temp\2621.exe
PID 3580 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\3CCA.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3136 wrote to memory of 2520 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\40A3.exe
PID 2308 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2621.exe C:\Users\Admin\AppData\Local\Temp\2621.exe
PID 3136 wrote to memory of 2788 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\474B.exe
PID 3136 wrote to memory of 4584 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2380 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 4584 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\2621.exe

C:\Users\Admin\AppData\Local\Temp\2621.exe

C:\Users\Admin\AppData\Local\Temp\294E.exe

C:\Users\Admin\AppData\Local\Temp\294E.exe

C:\Users\Admin\AppData\Local\Temp\2621.exe

C:\Users\Admin\AppData\Local\Temp\2621.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\60c125e7-1386-4a56-8354-55ac8d29be26" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\35C3.exe

C:\Users\Admin\AppData\Local\Temp\35C3.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\391F.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\391F.dll

C:\Users\Admin\AppData\Local\Temp\3CCA.exe

C:\Users\Admin\AppData\Local\Temp\3CCA.exe

C:\Users\Admin\AppData\Local\Temp\2621.exe

"C:\Users\Admin\AppData\Local\Temp\2621.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\40A3.exe

C:\Users\Admin\AppData\Local\Temp\40A3.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\2621.exe

"C:\Users\Admin\AppData\Local\Temp\2621.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\474B.exe

C:\Users\Admin\AppData\Local\Temp\474B.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2844 -ip 2844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 572

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

Network


Files

C:\Users\Admin\AppData\Local\Temp\2621.exe

C:\Users\Admin\AppData\Local\Temp\294E.exe

C:\Users\Admin\AppData\Local\Temp\35C3.exe

C:\Users\Admin\AppData\Local\60c125e7-1386-4a56-8354-55ac8d29be26\2621.exe

C:\Users\Admin\AppData\Local\Temp\391F.dll

C:\Users\Admin\AppData\Local\Temp\3CCA.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\40A3.exe

C:\Users\Admin\AppData\Local\Temp\474B.exe

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

C:\Users\Admin\AppData\Roaming\heacivw

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4nyyprvb.4bc.ps1