Malware Analysis Report

2025-01-18 05:37

Sample ID 231015-sgw2qsge2t
Target NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe
SHA256 b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor discovery evasion infostealer persistence ransomware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904

Threat Level: Known bad

The file NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor discovery evasion infostealer persistence ransomware themida trojan

SmokeLoader

RedLine

RedLine payload

Amadey

Detected Djvu ransomware

Djvu Ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Themida packer

Deletes itself

Checks BIOS information in registry

Executes dropped EXE

Modifies file permissions

Checks whether UAC is enabled

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-15 15:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 15:06

Reported

2023-10-15 15:11

Platform

win7-20230831-en

Max time kernel

79s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\8067.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\8067.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\8067.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\230bf938-49dd-4a6a-8444-4a7d56731524\\7B77.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\7B77.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8067.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8067.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\827B.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 1216 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 1216 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 1216 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 2812 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 2812 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 2812 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 2812 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 2812 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 2812 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 2812 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 2812 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 2812 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 2812 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 2812 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Users\Admin\AppData\Local\Temp\7B77.exe
PID 1216 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\Temp\8067.exe
PID 1216 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\Temp\8067.exe
PID 1216 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\Temp\8067.exe
PID 1216 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\Temp\8067.exe
PID 1216 wrote to memory of 1512 N/A N/A C:\Users\Admin\AppData\Local\Temp\827B.exe
PID 1216 wrote to memory of 1512 N/A N/A C:\Users\Admin\AppData\Local\Temp\827B.exe
PID 1216 wrote to memory of 1512 N/A N/A C:\Users\Admin\AppData\Local\Temp\827B.exe
PID 1216 wrote to memory of 1512 N/A N/A C:\Users\Admin\AppData\Local\Temp\827B.exe
PID 1216 wrote to memory of 1560 N/A N/A C:\Users\Admin\AppData\Local\Temp\896E.exe
PID 1216 wrote to memory of 1560 N/A N/A C:\Users\Admin\AppData\Local\Temp\896E.exe
PID 1216 wrote to memory of 1560 N/A N/A C:\Users\Admin\AppData\Local\Temp\896E.exe
PID 1216 wrote to memory of 1560 N/A N/A C:\Users\Admin\AppData\Local\Temp\896E.exe
PID 2604 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Windows\SysWOW64\icacls.exe
PID 2604 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Windows\SysWOW64\icacls.exe
PID 2604 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Windows\SysWOW64\icacls.exe
PID 2604 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7B77.exe C:\Windows\SysWOW64\icacls.exe
PID 1560 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\896E.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1560 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\896E.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1560 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\896E.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1560 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\896E.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1692 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1692 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1692 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1692 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1692 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 912 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1512 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1512 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1512 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1512 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1512 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1512 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1512 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1512 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1512 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1512 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1512 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1512 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1512 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\827B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 912 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 912 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 912 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\7B77.exe

C:\Users\Admin\AppData\Local\Temp\7B77.exe

C:\Users\Admin\AppData\Local\Temp\7B77.exe

C:\Users\Admin\AppData\Local\Temp\7B77.exe

C:\Users\Admin\AppData\Local\Temp\8067.exe

C:\Users\Admin\AppData\Local\Temp\8067.exe

C:\Users\Admin\AppData\Local\Temp\827B.exe

C:\Users\Admin\AppData\Local\Temp\827B.exe

C:\Users\Admin\AppData\Local\Temp\896E.exe

C:\Users\Admin\AppData\Local\Temp\896E.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\230bf938-49dd-4a6a-8444-4a7d56731524" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 80

C:\Users\Admin\AppData\Local\Temp\7B77.exe

"C:\Users\Admin\AppData\Local\Temp\7B77.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Users\Admin\AppData\Local\Temp\7B77.exe

"C:\Users\Admin\AppData\Local\Temp\7B77.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {CDFAB6F5-D636-4A85-82D1-EBE595233101} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\CC58.exe

C:\Users\Admin\AppData\Local\Temp\CC58.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CFA3.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\CFA3.dll

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\wdefsrv

C:\Users\Admin\AppData\Roaming\wdefsrv

C:\Users\Admin\AppData\Local\Temp\20A.exe

C:\Users\Admin\AppData\Local\Temp\20A.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\bf95eade-857d-4158-b937-6eb5c8ae29e5\build3.exe

"C:\Users\Admin\AppData\Local\bf95eade-857d-4158-b937-6eb5c8ae29e5\build3.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 107.178.223.183:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
KR 175.120.254.9:80 zexeq.com tcp
KR 175.120.254.9:80 zexeq.com tcp
FR 146.59.161.13:39199 tcp

Files

memory/1572-1-0x0000000000250000-0x0000000000350000-memory.dmp

memory/1572-3-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/1572-2-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/1572-5-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/1216-4-0x0000000002AC0000-0x0000000002AD6000-memory.dmp

memory/1216-12-0x000007FEC1EC0000-0x000007FEC1ECA000-memory.dmp

memory/1216-11-0x000007FEF5F70000-0x000007FEF60B3000-memory.dmp

memory/1216-13-0x000007FEF5F70000-0x000007FEF60B3000-memory.dmp

memory/1216-14-0x000007FEC1EC0000-0x000007FEC1ECA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B77.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\7B77.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2812-24-0x00000000002D0000-0x0000000000361000-memory.dmp

memory/2812-25-0x00000000002D0000-0x0000000000361000-memory.dmp

memory/2812-28-0x0000000004580000-0x000000000469B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B77.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\7B77.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2604-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2604-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2812-33-0x00000000002D0000-0x0000000000361000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B77.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2604-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2604-36-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8067.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

memory/2612-41-0x0000000001370000-0x0000000001AF0000-memory.dmp

memory/2612-42-0x0000000076570000-0x0000000076680000-memory.dmp

memory/2612-43-0x0000000076570000-0x0000000076680000-memory.dmp

memory/2612-45-0x0000000076570000-0x0000000076680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\827B.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2612-55-0x0000000076570000-0x0000000076680000-memory.dmp

memory/2612-54-0x0000000076570000-0x0000000076680000-memory.dmp

memory/2612-61-0x0000000076570000-0x0000000076680000-memory.dmp

memory/2612-60-0x0000000076570000-0x0000000076680000-memory.dmp

memory/2612-64-0x00000000778B0000-0x00000000778B2000-memory.dmp

memory/2612-63-0x0000000076570000-0x0000000076680000-memory.dmp

memory/2612-62-0x0000000076570000-0x0000000076680000-memory.dmp

memory/2612-59-0x0000000076570000-0x0000000076680000-memory.dmp

memory/2612-58-0x0000000076570000-0x0000000076680000-memory.dmp

memory/2612-57-0x0000000076110000-0x0000000076157000-memory.dmp

memory/2612-56-0x0000000076570000-0x0000000076680000-memory.dmp

memory/2612-53-0x0000000076570000-0x0000000076680000-memory.dmp

memory/2612-46-0x0000000076570000-0x0000000076680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\827B.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2612-44-0x0000000076110000-0x0000000076157000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2612-89-0x0000000001370000-0x0000000001AF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\896E.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\896E.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2612-97-0x0000000074330000-0x0000000074A1E000-memory.dmp

memory/944-103-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/944-102-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\7B77.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/944-108-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\7B77.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/944-104-0x0000000000400000-0x000000000043E000-memory.dmp

memory/944-101-0x0000000000400000-0x000000000043E000-memory.dmp

memory/944-100-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/944-98-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\230bf938-49dd-4a6a-8444-4a7d56731524\7B77.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2604-110-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B77.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2052-112-0x0000000002C60000-0x0000000002CF1000-memory.dmp

\Users\Admin\AppData\Local\Temp\7B77.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2052-124-0x0000000002C60000-0x0000000002CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B77.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\827B.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/944-126-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\827B.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\827B.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\CC58.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\CC58.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1724-157-0x0000000004920000-0x0000000004D18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CFA3.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

\Users\Admin\AppData\Local\Temp\827B.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\CFA3.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

C:\Users\Admin\AppData\Roaming\wdefsrv

MD5 12f93bf8533a3785b8a086f1a2290601
SHA1 2a2cf9109da07a60db6adc7c9d907a16ee348bad
SHA256 b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904
SHA512 143c829384147d77268bfc9d7c8c1c6d062e88e80a0eddc3d52a22490ccf622ecd8414147afb68ec355f03d36ae084991aff3a6ffe4c7670864d765245591b70

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 724f92d17ca117a75cd3fcd0d948bb77
SHA1 8ca526c071bfcc84b0f6bd8772b47fa30f78f7a0
SHA256 5e7b0251723847139c12327c87e5d656372f4579d0a94f0615ae086794bb98ac
SHA512 a8ff4cbc219ff5b7accc247c73f0979d89d05b13e0609b29deee1d3ff72ececd172c6b5095d552242a9bad9c8dd317bbe3ff3286787a547446352538d7a0f585

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 634f89612062a002fea08f160742f940
SHA1 faf9132da2927721e2c7a1f28b70be0ecd117209
SHA256 c2529c484ff9d0af13f040b9eb440702ca56cde9f96ce956dce206a64418da8c
SHA512 2bdeed8e9505269c791f82966b36a90c04813ac12b0627bf6b12a8620bd13af9553f90d1201755bd099c8acdd5bfbb0a5b7a318dbdcca88cac5341f428654c65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 ebc42a433732e5af927379c6ffea12dc
SHA1 940947ca5b9a6b1f53b4760b1a55df70032f7ca0
SHA256 3bc8e19e780175041b75ce2414d8094ff3d620a7917c571eafc0db1cc3c1adea
SHA512 53e21e6acd62417b639f151fdf79f74bf8239657fb71119732740540ecd44902bc140cca144adaf20cfc96f3a5fcf2e4ddb9b3f5335f6dcf4675035937902bc6

C:\Users\Admin\AppData\Local\Temp\CabD7F8.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b3cc1eab5e14e2d7a01804b22ecf4043
SHA1 1883aeaac8649c5b6848f2131ec56464b964f8fc
SHA256 25d844b5a1806454aa4b221dc31f3423928ffcd816771e7d01797831e0a29324
SHA512 adaf9402ac330d8daae46af707650d579c9f20c1080c6d97fd38f8e119a59793dd3ec3998fd2fbea3a578087d64b831cd25664e3442e236477a3b79fe6d387f2

memory/2244-178-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/2100-180-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2100-181-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2100-190-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2100-189-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2612-187-0x00000000008E0000-0x00000000008FC000-memory.dmp

memory/2244-186-0x0000000001E40000-0x0000000001F63000-memory.dmp

memory/2100-185-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2244-192-0x0000000001FC0000-0x00000000020C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\20A.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA1 5679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA512 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6

memory/2244-202-0x0000000001FC0000-0x00000000020C8000-memory.dmp

memory/2532-204-0x0000000000190000-0x00000000001FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\20A.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA1 5679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA512 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6

memory/2244-193-0x0000000001FC0000-0x00000000020C8000-memory.dmp

\Users\Admin\AppData\Local\Temp\20A.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA1 5679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA512 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6

memory/2512-217-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2532-218-0x0000000000190000-0x00000000001FB000-memory.dmp

memory/2512-219-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2100-220-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2244-221-0x0000000001FC0000-0x00000000020C8000-memory.dmp

memory/2612-222-0x00000000008E0000-0x00000000008F5000-memory.dmp

memory/2612-223-0x00000000008E0000-0x00000000008F5000-memory.dmp

memory/2244-224-0x00000000001D0000-0x00000000001D6000-memory.dmp

memory/2612-226-0x00000000008E0000-0x00000000008F5000-memory.dmp

memory/2612-228-0x00000000008E0000-0x00000000008F5000-memory.dmp

memory/2612-230-0x00000000008E0000-0x00000000008F5000-memory.dmp

memory/2612-232-0x00000000008E0000-0x00000000008F5000-memory.dmp

memory/2612-234-0x00000000008E0000-0x00000000008F5000-memory.dmp

memory/2612-236-0x00000000008E0000-0x00000000008F5000-memory.dmp

memory/2612-238-0x00000000008E0000-0x00000000008F5000-memory.dmp

memory/2612-240-0x00000000008E0000-0x00000000008F5000-memory.dmp

C:\Users\Admin\AppData\Local\bf95eade-857d-4158-b937-6eb5c8ae29e5\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\bf95eade-857d-4158-b937-6eb5c8ae29e5\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\bf95eade-857d-4158-b937-6eb5c8ae29e5\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\bf95eade-857d-4158-b937-6eb5c8ae29e5\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\CC58.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-15 15:06

Reported

2023-10-15 15:12

Platform

win10v2004-20230915-en

Max time kernel

15s

Max time network

69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.b21c893c9c411160bf2bfbd1df40247757aec2d9606a9a4e873ebd36ca2b7904exe_JC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp

Files

N/A