Analysis Overview
SHA256
afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceeb
Threat Level: Known bad
The file NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
Amadey
Glupteba payload
RedLine payload
Vidar
Djvu Ransomware
Glupteba
Detected Djvu ransomware
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Modifies Windows Firewall
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Checks BIOS information in registry
Themida packer
Executes dropped EXE
Deletes itself
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Creates scheduled task(s)
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of UnmapMainImage
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-15 15:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-15 15:05
Reported
2023-10-15 15:09
Platform
win10v2004-20230915-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\22A7.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\22A7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\22A7.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\34AA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1EED.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1EED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22A7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C0E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1EED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\34AA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3E02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\665D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1EED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1EED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8112e5cb-f2bd-480c-bcd8-bad8e34e8620\\1EED.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\1EED.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\22A7.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\22A7.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3400 set thread context of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\1EED.exe | C:\Users\Admin\AppData\Local\Temp\1EED.exe |
| PID 1372 set thread context of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\2C0E.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3560 set thread context of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\1EED.exe | C:\Users\Admin\AppData\Local\Temp\1EED.exe |
| PID 3460 set thread context of 4036 | N/A | C:\Users\Admin\AppData\Local\Temp\22A7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2C0E.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1EED.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3E02.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3E02.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3E02.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3E02.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\22A7.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5748.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\1EED.exe
C:\Users\Admin\AppData\Local\Temp\1EED.exe
C:\Users\Admin\AppData\Local\Temp\22A7.exe
C:\Users\Admin\AppData\Local\Temp\22A7.exe
C:\Users\Admin\AppData\Local\Temp\2C0E.exe
C:\Users\Admin\AppData\Local\Temp\2C0E.exe
C:\Users\Admin\AppData\Local\Temp\1EED.exe
C:\Users\Admin\AppData\Local\Temp\1EED.exe
C:\Users\Admin\AppData\Local\Temp\34AA.exe
C:\Users\Admin\AppData\Local\Temp\34AA.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\3E02.exe
C:\Users\Admin\AppData\Local\Temp\3E02.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1372 -ip 1372
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 140
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Users\Admin\AppData\Local\Temp\5748.exe
C:\Users\Admin\AppData\Local\Temp\5748.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\8112e5cb-f2bd-480c-bcd8-bad8e34e8620" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5A66.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\5A66.dll
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\665D.exe
C:\Users\Admin\AppData\Local\Temp\665D.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\1EED.exe
"C:\Users\Admin\AppData\Local\Temp\1EED.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\1EED.exe
"C:\Users\Admin\AppData\Local\Temp\1EED.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4344 -ip 4344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 568
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\5748.exe
"C:\Users\Admin\AppData\Local\Temp\5748.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.23.238.8.in-addr.arpa | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | 133.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.213.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| FR | 146.59.161.13:39199 | | tcp |
| US | 8.8.8.8:53 | 13.161.59.146.in-addr.arpa | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wirtshauspost.at | udp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| RU | 31.41.244.27:41140 | | tcp |
| US | 8.8.8.8:53 | 133.250.139.190.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.244.41.31.in-addr.arpa | udp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| AR | 190.139.250.133:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
memory/1032-1-0x0000000000930000-0x0000000000A30000-memory.dmp
memory/1032-2-0x0000000000860000-0x000000000086B000-memory.dmp
memory/1032-3-0x0000000000400000-0x00000000005B3000-memory.dmp
memory/3152-4-0x0000000007000000-0x0000000007016000-memory.dmp
memory/1032-5-0x0000000000400000-0x00000000005B3000-memory.dmp
memory/1032-8-0x0000000000860000-0x000000000086B000-memory.dmp
memory/3152-9-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-10-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-11-0x00000000070B0000-0x00000000070C0000-memory.dmp
memory/3152-12-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-13-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-14-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-15-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-16-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-18-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-20-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-21-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-22-0x00000000070D0000-0x00000000070E0000-memory.dmp
memory/3152-23-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-25-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-27-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-29-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-26-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-33-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-31-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-34-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-24-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-36-0x00000000070B0000-0x00000000070C0000-memory.dmp
memory/3152-39-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-38-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-37-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-35-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-40-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-42-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-43-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-47-0x00000000070D0000-0x00000000070E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1EED.exe
| MD5 | 7284de10c970ef4b23460ad9c8b125fe |
| SHA1 | 66c0712a8b92fdcf2a58951449828c70f7bdc1d9 |
| SHA256 | 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca |
| SHA512 | 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7 |
C:\Users\Admin\AppData\Local\Temp\1EED.exe
| MD5 | 7284de10c970ef4b23460ad9c8b125fe |
| SHA1 | 66c0712a8b92fdcf2a58951449828c70f7bdc1d9 |
| SHA256 | 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca |
| SHA512 | 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7 |
memory/3152-56-0x00000000070A0000-0x00000000070B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\22A7.exe
| MD5 | df26dcbc3c8289a50c8c1857a0640366 |
| SHA1 | 298582ef0a1c2773c973d761e0a7f93db74b9397 |
| SHA256 | a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d |
| SHA512 | de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c |
memory/3152-61-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-63-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-65-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-68-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3460-64-0x0000000000C30000-0x00000000013B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\22A7.exe
| MD5 | df26dcbc3c8289a50c8c1857a0640366 |
| SHA1 | 298582ef0a1c2773c973d761e0a7f93db74b9397 |
| SHA256 | a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d |
| SHA512 | de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c |
C:\Users\Admin\AppData\Local\Temp\2C0E.exe
| MD5 | 23aca9b594e0ec61e744a486c34ed0ef |
| SHA1 | 44d7b53c310732634fbf48c2f313505cdb62c6a8 |
| SHA256 | 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61 |
| SHA512 | dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33 |
memory/3460-74-0x0000000075E10000-0x0000000075F00000-memory.dmp
memory/3460-75-0x0000000075E10000-0x0000000075F00000-memory.dmp
memory/3152-73-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-80-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3460-81-0x0000000075E10000-0x0000000075F00000-memory.dmp
memory/768-87-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3152-89-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3400-88-0x0000000004860000-0x00000000048F9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1EED.exe
| MD5 | 7284de10c970ef4b23460ad9c8b125fe |
| SHA1 | 66c0712a8b92fdcf2a58951449828c70f7bdc1d9 |
| SHA256 | 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca |
| SHA512 | 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7 |
memory/3460-84-0x0000000075E10000-0x0000000075F00000-memory.dmp
memory/3152-83-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/768-82-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3152-79-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3460-78-0x0000000075E10000-0x0000000075F00000-memory.dmp
memory/3460-77-0x0000000075E10000-0x0000000075F00000-memory.dmp
memory/3152-76-0x00000000070A0000-0x00000000070B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2C0E.exe
| MD5 | 23aca9b594e0ec61e744a486c34ed0ef |
| SHA1 | 44d7b53c310732634fbf48c2f313505cdb62c6a8 |
| SHA256 | 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61 |
| SHA512 | dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33 |
memory/3152-94-0x0000000007870000-0x0000000007873000-memory.dmp
memory/3152-97-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-98-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3460-99-0x0000000077E14000-0x0000000077E16000-memory.dmp
memory/768-100-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3152-104-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-108-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/768-105-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3152-102-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-93-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-91-0x0000000007860000-0x0000000007861000-memory.dmp
memory/3400-90-0x0000000004A00000-0x0000000004B1B000-memory.dmp
memory/3152-71-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-110-0x00000000070A0000-0x00000000070B0000-memory.dmp
memory/3152-113-0x00000000070A0000-0x00000000070B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\34AA.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3460-112-0x0000000000C30000-0x00000000013B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\34AA.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3460-118-0x0000000005CC0000-0x0000000006264000-memory.dmp
memory/2408-119-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3460-120-0x00000000057B0000-0x0000000005842000-memory.dmp
memory/3460-122-0x0000000000C30000-0x00000000013B0000-memory.dmp
memory/3460-123-0x0000000075E10000-0x0000000075F00000-memory.dmp
memory/3460-125-0x0000000075E10000-0x0000000075F00000-memory.dmp
memory/3460-126-0x0000000075E10000-0x0000000075F00000-memory.dmp
memory/3460-124-0x0000000075E10000-0x0000000075F00000-memory.dmp
memory/3152-127-0x0000000007870000-0x0000000007873000-memory.dmp
memory/3460-128-0x0000000075E10000-0x0000000075F00000-memory.dmp
memory/3460-129-0x0000000075E10000-0x0000000075F00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3E02.exe
| MD5 | a9991493e536d974f42a70843dae6209 |
| SHA1 | 9f209dc03fbca602985e9f599732ebfc4b2a0cc3 |
| SHA256 | f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288 |
| SHA512 | 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a |
memory/3460-132-0x0000000005950000-0x00000000059EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3E02.exe
| MD5 | a9991493e536d974f42a70843dae6209 |
| SHA1 | 9f209dc03fbca602985e9f599732ebfc4b2a0cc3 |
| SHA256 | f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288 |
| SHA512 | 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2408-135-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/2408-141-0x0000000007930000-0x0000000007940000-memory.dmp
memory/3460-146-0x0000000005760000-0x000000000576A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3928-145-0x0000000000660000-0x0000000000760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5748.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Local\Temp\5748.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/768-161-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5A66.dll
| MD5 | fe7facf5c1db2d17313299c58c6e1ca2 |
| SHA1 | 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5 |
| SHA256 | 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b |
| SHA512 | 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060 |
C:\Users\Admin\AppData\Local\Temp\5A66.dll
| MD5 | fe7facf5c1db2d17313299c58c6e1ca2 |
| SHA1 | 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5 |
| SHA256 | 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b |
| SHA512 | 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060 |
memory/3708-171-0x0000000010000000-0x00000000101E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\665D.exe
| MD5 | ef5c1e67c5a2aea56c8afb7146bd7978 |
| SHA1 | 5679f7c9c606d476b4d0081972f8f6f6c568071b |
| SHA256 | a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b |
| SHA512 | 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6 |
C:\Users\Admin\AppData\Local\Temp\665D.exe
| MD5 | ef5c1e67c5a2aea56c8afb7146bd7978 |
| SHA1 | 5679f7c9c606d476b4d0081972f8f6f6c568071b |
| SHA256 | a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b |
| SHA512 | 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6 |
memory/3152-181-0x0000000007820000-0x0000000007836000-memory.dmp
memory/1668-182-0x0000000000400000-0x000000000046B000-memory.dmp
memory/3928-187-0x0000000000400000-0x00000000005B5000-memory.dmp
C:\Users\Admin\AppData\Local\8112e5cb-f2bd-480c-bcd8-bad8e34e8620\1EED.exe
| MD5 | 7284de10c970ef4b23460ad9c8b125fe |
| SHA1 | 66c0712a8b92fdcf2a58951449828c70f7bdc1d9 |
| SHA256 | 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca |
| SHA512 | 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7 |
memory/2960-189-0x0000000000320000-0x000000000032C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1EED.exe
| MD5 | 7284de10c970ef4b23460ad9c8b125fe |
| SHA1 | 66c0712a8b92fdcf2a58951449828c70f7bdc1d9 |
| SHA256 | 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca |
| SHA512 | 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7 |
memory/768-215-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3708-218-0x0000000002630000-0x0000000002753000-memory.dmp
memory/3708-219-0x0000000002760000-0x0000000002868000-memory.dmp
memory/3708-221-0x0000000002760000-0x0000000002868000-memory.dmp
memory/3708-224-0x0000000002760000-0x0000000002868000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1EED.exe
| MD5 | 7284de10c970ef4b23460ad9c8b125fe |
| SHA1 | 66c0712a8b92fdcf2a58951449828c70f7bdc1d9 |
| SHA256 | 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca |
| SHA512 | 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7 |
memory/4344-228-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4344-231-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4344-234-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3708-235-0x0000000002760000-0x0000000002868000-memory.dmp
memory/3988-236-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/3988-252-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Roaming\hsuvbsc
| MD5 | a9991493e536d974f42a70843dae6209 |
| SHA1 | 9f209dc03fbca602985e9f599732ebfc4b2a0cc3 |
| SHA256 | f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288 |
| SHA512 | 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_duupbfz2.dk4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | c671d50d589ce7be9ad3ff4035e6ad63 |
| SHA1 | 88cdc154077c8264149cb8b19e16ba07901e1dd6 |
| SHA256 | fb07948cb75ee2b9967b1a6386eb53a46573ae99c9ecb46f2b377af8df1b7568 |
| SHA512 | a40a7500a7896f2200754499c00e74a7b8a53578808d5408e1e31733d03cdeb2b3e520c1d9b71537f2877093b686811b8e20cbb5c8061e4d3e1d75a161cebae9 |
C:\Users\Admin\AppData\Local\Temp\5748.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c01b17e75622660377f1b5f94e9bbf01 |
| SHA1 | 2073ccaa9ef35aef12d39021521759c976008c52 |
| SHA256 | fa03cf73b40caecd17809e02592ea04909e1744d4740247a7ad3c4b79a55bd45 |
| SHA512 | 3676b7d32771b1f9b5cee807269b0a4c454df503d0b9d7c4634190c163e0894212aefa2cda5e9aaa92d81d266a71eea19fbf9ccf0e1136ababff82fbbc923361 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | de6559b70e6b911a13e57128260e5064 |
| SHA1 | c122df8c88f0496ca80aba7d6558a3225d2050fe |
| SHA256 | 6c3616824742e110a2075960f62fa6427f11147ab9cf39dcb7a201c9c4a0de6e |
| SHA512 | 3d27ba4d82cc92e707b3ab787be6cdc6c6237db523548907070855c729483d9dbdd286e4956b08af4d65b70631ea19145aac1cc720b731365f9b88dda56ba7e9 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-15 15:05
Reported
2023-10-15 15:10
Platform
win7-20230831-en
Max time kernel
44s
Max time network
152s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\E6F6.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\E6F6.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\E6F6.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E1B8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E1B8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E6F6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA51.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E1B8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF1A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E1B8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ACE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E1B8.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E1B8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E1B8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E1B8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF1A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E1B8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E1B8.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\eb114921-e403-45c7-92da-e4bcfebb335c\\E1B8.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\E1B8.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\E6F6.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E6F6.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 620 set thread context of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\E1B8.exe | C:\Users\Admin\AppData\Local\Temp\E1B8.exe |
| PID 2900 set thread context of 576 | N/A | C:\Users\Admin\AppData\Local\Temp\EA51.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1060 set thread context of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\E1B8.exe | C:\Users\Admin\AppData\Local\Temp\E1B8.exe |
| PID 2332 set thread context of 1492 | N/A | C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe | C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\EA51.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe | "C:\Users\Admin\AppData\Local\Temp\NEAS.afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceebexe_JC.exe" |
| C:\Users\Admin\AppData\Local\Temp\E1B8.exe | C:\Users\Admin\AppData\Local\Temp\E1B8.exe |
| C:\Users\Admin\AppData\Local\Temp\E1B8.exe | C:\Users\Admin\AppData\Local\Temp\E1B8.exe |
| C:\Users\Admin\AppData\Local\Temp\E6F6.exe | C:\Users\Admin\AppData\Local\Temp\E6F6.exe |
| C:\Users\Admin\AppData\Local\Temp\EA51.exe | C:\Users\Admin\AppData\Local\Temp\EA51.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 72 |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\eb114921-e403-45c7-92da-e4bcfebb335c" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\E1B8.exe | "C:\Users\Admin\AppData\Local\Temp\E1B8.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\FF1A.exe | C:\Users\Admin\AppData\Local\Temp\FF1A.exe |
| C:\Users\Admin\AppData\Local\Temp\E1B8.exe | "C:\Users\Admin\AppData\Local\Temp\E1B8.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y\|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "yiueea.exe" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "yiueea.exe" /P "Admin:R" /E |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\577f58beff" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\577f58beff" /P "Admin:R" /E |
| C:\Users\Admin\AppData\Local\Temp\ACE.exe | C:\Users\Admin\AppData\Local\Temp\ACE.exe |
| C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe | "C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe" |
| C:\Windows\system32\taskeng.exe | taskeng.exe {14EA78BB-7F4F-4D2F-84B6-1F1237AC5AF3} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2052.dll |
| C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe | "C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe" |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\2052.dll |
| C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build3.exe | "C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build3.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\Temp\A309.exe | C:\Users\Admin\AppData\Local\Temp\A309.exe |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe |
| C:\Users\Admin\AppData\Roaming\wffewjf | C:\Users\Admin\AppData\Roaming\wffewjf |
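The command lines above are where several summary signatures (modifies file permissions, creates scheduled tasks, loads dropped DLL) actually surface: Djvu's icacls deny on its drop folder, Amadey's one-minute schtasks task and cacls self-lockout, and a silent regsvr32 of a DLL from Temp. As an added example that is not part of this report, the Python below runs a small rule set over those command lines. The rule names, the user-writable-path test and the AppLaunch/Roaming heuristics are mine, not the sandbox's signatures; the WerFault line is included as a benign control.

```python
import re

# Command lines taken from the process list in this report (one of each kind).
SAMPLE_CMDLINES = [
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 72',
    r'icacls "C:\Users\Admin\AppData\Local\eb114921-e403-45c7-92da-e4bcfebb335c" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'"C:\Users\Admin\AppData\Local\Temp\E1B8.exe" --Admin IsNotAutoStart IsNotTask',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F',
    r'CACLS "yiueea.exe" /P "Admin:N"',
    r'CACLS "yiueea.exe" /P "Admin:R" /E',
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2052.dll',
    r'C:\Users\Admin\AppData\Roaming\wffewjf',
]

# Paths a standard user can write to; anything launched or loaded from here is untrusted (my assumption).
USER_WRITABLE = re.compile(r'\\AppData\\(Local|Roaming)\\', re.I)

def icacls_deny_everyone_delete(cmd):
    """icacls <dir> /deny *S-1-1-0:(...): Everyone (well-known SID S-1-1-0) is denied rights;
    DE,DC (delete, delete child) is what makes the Djvu drop folder resist cleanup."""
    m = re.search(r'\bicacls\b.*/deny\s+\*?S-1-1-0:((?:\([^)]*\))+)', cmd, re.I)
    if not m:
        return False
    rights = {r for grp in re.findall(r'\(([^)]*)\)', m.group(1)) for r in grp.split(',')}
    return bool(rights & {'DE', 'DC'})

def schtasks_minute_from_user_dir(cmd):
    """schtasks /Create /SC MINUTE ... /TR <user-writable path>: a relaunch-every-minute task."""
    if not re.search(r'\bschtasks(\.exe)?"?\s+/Create\b', cmd, re.I):
        return False
    sc = re.search(r'/SC\s+(\w+)', cmd, re.I)
    tr = re.search(r'/TR\s+"?([^"]+)"?', cmd, re.I)
    return bool(sc and sc.group(1).upper() == 'MINUTE' and tr and USER_WRITABLE.search(tr.group(1)))

def cacls_deny_self(cmd):
    """CACLS <file> /P <user>:N replaces the ACL with 'no access' for that user; run against the
    process's own dropped binary or folder this is self-protection, not administration."""
    return bool(re.search(r'\bcacls(\.exe)?\s+"[^"]+"\s+/P\s+"?[^":]+:N\b', cmd, re.I))

def regsvr32_user_dll(cmd):
    """regsvr32 /s <dll under AppData>: silent DllRegisterServer of a dropped, unsigned DLL."""
    if not re.search(r'\bregsvr32\b', cmd, re.I):
        return False
    dll = re.search(r'(\S+\.dll)\b', cmd, re.I)
    return bool(dll and USER_WRITABLE.search(dll.group(1)))

def applaunch_no_args(cmd):
    """Heuristic: AppLaunch.exe started with no arguments does nothing useful on its own and is a
    commonly abused injection host, so an argument-less launch is worth a look."""
    return bool(re.fullmatch(r'"?[^"]*\\AppLaunch\.exe"?\s*', cmd, re.I))

def roaming_no_extension(cmd):
    """Heuristic: a process image directly under AppData\\Roaming with no file extension."""
    path = cmd.strip().strip('"')
    return bool(re.fullmatch(r'[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\[^\\.\s]+', path))

def djvu_relaunch_switch(cmd):
    """'--Admin IsNotAutoStart IsNotTask' is the STOP/Djvu self-relaunch argument set."""
    return bool(re.search(r'--Admin\s+IsNotAutoStart\s+IsNotTask', cmd))

RULES = [icacls_deny_everyone_delete, schtasks_minute_from_user_dir, cacls_deny_self,
         regsvr32_user_dll, applaunch_no_args, roaming_no_extension, djvu_relaunch_switch]

def scan(cmdlines):
    """Return (rule name, command line) pairs for every rule that fires on every line."""
    return [(rule.__name__, cmd) for cmd in cmdlines for rule in RULES if rule(cmd)]

if __name__ == '__main__':
    for name, cmd in scan(SAMPLE_CMDLINES):
        print(f'{name:32} {cmd}')
```

The rules match on the raw command line, so they apply unchanged to Sysmon Event ID 1 or EDR process-creation records. Note the cacls sequence: the first call sets `Admin:N` (no access, `/P` replaces the ACL), the `/E` follow-up re-grants read only, so the scheduled task can still start the binary while the account that dropped it can no longer overwrite or delete it without first taking the ACL back.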
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 104.21.21.57:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| KR | 175.119.10.231:80 | zexeq.com | tcp |
| KR | 211.104.254.139:80 | zexeq.com | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| KR | 175.119.10.231:80 | zexeq.com | tcp |
| FR | 146.59.161.13:39199 | | tcp |
| RU | 31.41.244.27:41140 | | tcp |
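The Network table above mixes sandbox resolver traffic, domain-fronted C2, direct-to-IP connections and an external-IP check into one list. As an added example that is not part of this report, the Python below separates those classes and derives a blocklist. The rows are pasted from the table above; the resolver and IP-check allowlists are my assumptions, and the parser tolerates rows whose Domain cell is empty or missing (the last two rows carry only an IP:port).

```python
from collections import defaultdict

# The Network table of this report, pasted as the example's input (header row included).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 104.21.21.57:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| KR | 175.119.10.231:80 | zexeq.com | tcp |
| KR | 211.104.254.139:80 | zexeq.com | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| KR | 175.119.10.231:80 | zexeq.com | tcp |
| FR | 146.59.161.13:39199 | tcp | |
| RU | 31.41.244.27:41140 | tcp |
"""

PROTOS = {"tcp", "udp"}
RESOLVER = "8.8.8.8:53"             # the sandbox's DNS server, never an IOC (assumption)
IP_CHECK_SERVICES = {"api.2ip.ua"}  # external-IP lookup: a behavioural tell, not C2 (assumption)
COMMON_PORTS = {"80", "443"}

def parse_rows(table):
    """Parse the report's pipe-delimited rows; tolerate rows whose Domain cell is empty or missing."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "Country":
            continue
        if len(cells) >= 3 and cells[2].lower() in PROTOS:  # [cc, dest, proto] or [cc, dest, proto, ""]
            cells = [cells[0], cells[1], "", cells[2]]
        country, dest, domain, proto = cells[:4]
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto.lower()})
    return rows

def triage(rows):
    """Split rows into resolver noise, domain-fronted C2, direct-to-IP C2 and a blocklist."""
    resolved, direct_ip, odd_port = set(), set(), set()
    connected = defaultdict(set)      # domain -> {ip:port}
    ip_to_domains = defaultdict(set)  # ip -> {domain}
    for r in rows:
        if r["dest"] == RESOLVER:
            resolved.add(r["domain"])
            continue
        ip, port = r["dest"].rsplit(":", 1)
        if port not in COMMON_PORTS:
            odd_port.add(r["dest"])
        if not r["domain"] or r["domain"] == ip:  # no DNS step: hard-coded C2 address
            direct_ip.add(r["dest"])
        else:
            connected[r["domain"]].add(r["dest"])
            ip_to_domains[ip].add(r["domain"])
    noise_ips = {ip for ip, d in ip_to_domains.items() if d <= IP_CHECK_SERVICES}
    return {
        "resolved_only": resolved - set(connected),  # queried but never contacted (dead or sinkholed)
        "direct_ip": direct_ip,
        "odd_port": odd_port,
        "shared_ip": {ip: d for ip, d in ip_to_domains.items() if len(d) > 1},
        "ip_check": {d for d in connected if d in IP_CHECK_SERVICES},
        "block_domains": (resolved | set(connected)) - IP_CHECK_SERVICES,
        "block_ips": {r["dest"].rsplit(":", 1)[0] for r in rows if r["dest"] != RESOLVER} - noise_ips,
    }

if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_TABLE)).items():
        print(f"{key:15} {sorted(value) if isinstance(value, set) else value}")
```

Block the domains rather than the IPs for the CDN-fronted entries (104.21.x, 172.67.x and 188.114.x are shared Cloudflare ranges, so an IP block there hits unrelated sites); the direct-to-IP and high-port entries are the ones worth an IP block and a retrospective NetFlow search.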
Files
memory/2804-1-0x0000000000630000-0x0000000000730000-memory.dmp
memory/2804-2-0x00000000002A0000-0x00000000002AB000-memory.dmp
memory/2804-3-0x0000000000400000-0x00000000005B3000-memory.dmp
memory/1268-4-0x0000000002AB0000-0x0000000002AC6000-memory.dmp
memory/2804-8-0x00000000002A0000-0x00000000002AB000-memory.dmp
memory/2804-5-0x0000000000400000-0x00000000005B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E1B8.exe
| MD5 | 7284de10c970ef4b23460ad9c8b125fe |
| SHA1 | 66c0712a8b92fdcf2a58951449828c70f7bdc1d9 |
| SHA256 | 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca |
| SHA512 | 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7 |
memory/620-21-0x0000000000230000-0x00000000002C1000-memory.dmp
memory/620-22-0x0000000000230000-0x00000000002C1000-memory.dmp
memory/620-23-0x00000000045C0000-0x00000000046DB000-memory.dmp
\Users\Admin\AppData\Local\Temp\E1B8.exe
| MD5 | 7284de10c970ef4b23460ad9c8b125fe |
| SHA1 | 66c0712a8b92fdcf2a58951449828c70f7bdc1d9 |
| SHA256 | 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca |
| SHA512 | 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7 |
memory/2792-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2792-28-0x0000000000400000-0x0000000000537000-memory.dmp
memory/620-30-0x0000000000230000-0x00000000002C1000-memory.dmp
memory/2792-32-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2792-33-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E6F6.exe
| MD5 | df26dcbc3c8289a50c8c1857a0640366 |
| SHA1 | 298582ef0a1c2773c973d761e0a7f93db74b9397 |
| SHA256 | a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d |
| SHA512 | de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c |
memory/2416-38-0x00000000008F0000-0x0000000001070000-memory.dmp
memory/2416-39-0x00000000761D0000-0x00000000762E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA51.exe
| MD5 | 23aca9b594e0ec61e744a486c34ed0ef |
| SHA1 | 44d7b53c310732634fbf48c2f313505cdb62c6a8 |
| SHA256 | 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61 |
| SHA512 | dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33 |
memory/2416-43-0x0000000075600000-0x0000000075647000-memory.dmp
memory/2416-49-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-50-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-51-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-53-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-54-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-55-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-56-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-57-0x0000000075600000-0x0000000075647000-memory.dmp
memory/2416-58-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-59-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-60-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-61-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-62-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-63-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-64-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-65-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-66-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-67-0x0000000077750000-0x0000000077752000-memory.dmp
memory/576-68-0x0000000000400000-0x000000000043E000-memory.dmp
memory/576-69-0x0000000000400000-0x000000000043E000-memory.dmp
memory/576-70-0x0000000000400000-0x000000000043E000-memory.dmp
memory/576-71-0x0000000000400000-0x000000000043E000-memory.dmp
memory/576-72-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/576-73-0x0000000000400000-0x000000000043E000-memory.dmp
memory/576-77-0x0000000000400000-0x000000000043E000-memory.dmp
memory/576-75-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Local\Temp\EA51.exe
| MD5 | 23aca9b594e0ec61e744a486c34ed0ef |
| SHA1 | 44d7b53c310732634fbf48c2f313505cdb62c6a8 |
| SHA256 | 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61 |
| SHA512 | dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33 |
memory/2416-81-0x00000000008F0000-0x0000000001070000-memory.dmp
memory/2416-82-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/576-83-0x00000000744D0000-0x0000000074BBE000-memory.dmp
C:\Users\Admin\AppData\Local\eb114921-e403-45c7-92da-e4bcfebb335c\E1B8.exe
| MD5 | 7284de10c970ef4b23460ad9c8b125fe |
| SHA1 | 66c0712a8b92fdcf2a58951449828c70f7bdc1d9 |
| SHA256 | 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca |
| SHA512 | 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7 |
memory/576-103-0x00000000043B0000-0x00000000043F0000-memory.dmp
memory/2416-102-0x00000000053F0000-0x0000000005430000-memory.dmp
memory/2792-107-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1060-109-0x0000000000310000-0x00000000003A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FF1A.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1060-110-0x0000000000310000-0x00000000003A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1072-125-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1060-124-0x0000000000310000-0x00000000003A1000-memory.dmp
memory/1072-127-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2416-128-0x00000000008F0000-0x0000000001070000-memory.dmp
memory/2416-133-0x00000000761D0000-0x00000000762E0000-memory.dmp
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3ba0f25b45573475072812e3e6be96d2 |
| SHA1 | f5c62c1b154c665c2aaf9b6c62f45e5fb57cf2fc |
| SHA256 | 57abed2dc76d897fe9c0496e2078deefcc488bfdd3cdf5899ae5d0b3a4bf5dd0 |
| SHA512 | efdcbd2240dd4b01c3a8694a814ba6d878d8b887f04c7f7d968fc396aa0b5b533ea42aab9ad6e18f5c390c797211859fa0d5d3acb23ac3589943d0b499b45eca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | e3dd3b18ee77c1cd3c710e84c991febd |
| SHA1 | 0bd43c01acc5ff803d5f0acbb185d526f0b09740 |
| SHA256 | caf85d004b2908c3a32939d6273a1b751fce0a48ff17f1d0f8f3a8a03d493037 |
| SHA512 | 7c056952badf383a10502ffb8828a6dcdec5ff1d2c1b13f7ad4f15df4f79f7ed38aacc12506fc686f0783d08b5ee09dfea6926c9854e9eb090278ad896e0b7a0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b3cc1eab5e14e2d7a01804b22ecf4043 |
| SHA1 | 1883aeaac8649c5b6848f2131ec56464b964f8fc |
| SHA256 | 25d844b5a1806454aa4b221dc31f3423928ffcd816771e7d01797831e0a29324 |
| SHA512 | adaf9402ac330d8daae46af707650d579c9f20c1080c6d97fd38f8e119a59793dd3ec3998fd2fbea3a578087d64b831cd25664e3442e236477a3b79fe6d387f2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 077e9c180155af4ff27627e6486a8cf8 |
| SHA1 | 6b85fd3025fe7ae9d16b54be39904400847b4715 |
| SHA256 | cfa792bed5643bb98f5f828fe2e45f3673fdfa273ffe86aecff4c536f795c035 |
| SHA512 | 10c4006a87b7492f1a6d7a03ff1aa3104a41b7405d0b74aa5a87b4dc68285571174dac9f0042202172e246127bd808a55816e7153d8f78db8c464b30ab7852ab |
C:\Users\Admin\AppData\Local\Temp\Cab223.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
memory/1072-147-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1072-148-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2416-149-0x0000000075600000-0x0000000075647000-memory.dmp
memory/2416-150-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-151-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-152-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-153-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-154-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-155-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/320-166-0x0000000004920000-0x0000000004D18000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ACE.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/2416-168-0x00000000761D0000-0x00000000762E0000-memory.dmp
memory/2416-169-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/320-170-0x0000000004920000-0x0000000004D18000-memory.dmp
memory/576-171-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/320-172-0x0000000004D20000-0x000000000560B000-memory.dmp
memory/320-176-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/1072-159-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1072-179-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe
| MD5 | 22f2fd94f57b71f36a31ea18be7d4b34 |
| SHA1 | a8dc0a1af7978fea291f5306f1937a90ac9b6b5b |
| SHA256 | bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454 |
| SHA512 | 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173 |
\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build2.exe
| MD5 | 22f2fd94f57b71f36a31ea18be7d4b34 |
| SHA1 | a8dc0a1af7978fea291f5306f1937a90ac9b6b5b |
| SHA256 | bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454 |
| SHA512 | 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173 |
memory/1072-180-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2416-197-0x00000000053F0000-0x0000000005430000-memory.dmp
memory/2332-198-0x00000000022B0000-0x0000000002301000-memory.dmp
memory/576-199-0x00000000043B0000-0x00000000043F0000-memory.dmp
memory/2332-195-0x00000000002B4000-0x00000000002E3000-memory.dmp
memory/1492-193-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2052.dll
| MD5 | fe7facf5c1db2d17313299c58c6e1ca2 |
| SHA1 | 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5 |
| SHA256 | 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b |
| SHA512 | 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060 |
memory/1492-191-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
\Users\Admin\AppData\Local\Temp\2052.dll
| MD5 | fe7facf5c1db2d17313299c58c6e1ca2 |
| SHA1 | 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5 |
| SHA256 | 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b |
| SHA512 | 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060 |
memory/2660-204-0x0000000010000000-0x00000000101E5000-memory.dmp
memory/2660-203-0x00000000001A0000-0x00000000001A6000-memory.dmp
memory/1072-206-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1072-219-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
\Users\Admin\AppData\Local\b2f324f1-8f5e-4dea-bd57-eebf003384b7\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/320-222-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2416-223-0x00000000004E0000-0x00000000004FC000-memory.dmp
memory/2416-225-0x00000000004E0000-0x00000000004F5000-memory.dmp
memory/2416-224-0x00000000004E0000-0x00000000004F5000-memory.dmp
memory/2416-227-0x00000000004E0000-0x00000000004F5000-memory.dmp
memory/2416-229-0x00000000004E0000-0x00000000004F5000-memory.dmp
memory/2416-231-0x00000000004E0000-0x00000000004F5000-memory.dmp
memory/2416-236-0x00000000004E0000-0x00000000004F5000-memory.dmp
memory/2416-234-0x00000000004E0000-0x00000000004F5000-memory.dmp
memory/2416-238-0x00000000004E0000-0x00000000004F5000-memory.dmp
memory/2416-242-0x00000000004E0000-0x00000000004F5000-memory.dmp
memory/2416-240-0x00000000004E0000-0x00000000004F5000-memory.dmp
memory/2416-251-0x0000000000500000-0x0000000000501000-memory.dmp
memory/2780-268-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2416-274-0x00000000053F0000-0x0000000005430000-memory.dmp
memory/2780-275-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2780-276-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2780-277-0x0000000000770000-0x00000000007B0000-memory.dmp
\Users\Admin\AppData\Local\Temp\A309.exe
| MD5 | ef5c1e67c5a2aea56c8afb7146bd7978 |
| SHA1 | 5679f7c9c606d476b4d0081972f8f6f6c568071b |
| SHA256 | a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b |
| SHA512 | 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6 |
C:\Users\Admin\AppData\Local\Temp\A309.exe
| MD5 | ef5c1e67c5a2aea56c8afb7146bd7978 |
| SHA1 | 5679f7c9c606d476b4d0081972f8f6f6c568071b |
| SHA256 | a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b |
| SHA512 | 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6 |
C:\Users\Admin\AppData\Roaming\wffewjf
| MD5 | 9b9f7d15b36027928f3bf3397139eca3 |
| SHA1 | cc3816b1ab8a4fb9518aa28550bf2fe718d1c305 |
| SHA256 | afbd517384e9adfd9bce9acc13e9096ba0e5212a64c50a0b0e02b542d67eceeb |
| SHA512 | 6051df3dcee86f2a609440f30d56dd78f0b45ade920173773e08966fb5a1b0796dac86a43702fe7a3185a5de78ecac51bc80ac6f59c200c14d138711b14f85f8 |