Analysis Overview
SHA256
c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821
Threat Level: Known bad
The file NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
Amadey
RedLine payload
RedLine
SmokeLoader
Detected Djvu ransomware
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Loads dropped DLL
Checks BIOS information in registry
Deletes itself
Modifies file permissions
Executes dropped EXE
Themida packer
Checks whether UAC is enabled
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
outlook_office_path
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
outlook_win_path
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-15 15:18
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-15 15:18
Reported
2023-10-15 15:22
Platform
win7-20230831-en
Max time kernel
161s
Max time network
168s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
RedLine
RedLine payload
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7E16.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7E16.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7E16.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7E16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BCAD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C45B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CE1C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E2A8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C45B.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\55da3b27-a4f3-4b88-866d-c0d399d44401\\5496.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5496.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7E16.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7E16.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2652 set thread context of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | C:\Users\Admin\AppData\Local\Temp\5496.exe |
| PID 2840 set thread context of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\BCAD.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2000 set thread context of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\5496.exe | C:\Users\Admin\AppData\Local\Temp\5496.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\BCAD.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\5496.exe
C:\Users\Admin\AppData\Local\Temp\5496.exe
C:\Users\Admin\AppData\Local\Temp\5496.exe
C:\Users\Admin\AppData\Local\Temp\5496.exe
C:\Users\Admin\AppData\Local\Temp\7E16.exe
C:\Users\Admin\AppData\Local\Temp\7E16.exe
C:\Users\Admin\AppData\Local\Temp\BCAD.exe
C:\Users\Admin\AppData\Local\Temp\BCAD.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\C45B.exe
C:\Users\Admin\AppData\Local\Temp\C45B.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 72
C:\Users\Admin\AppData\Local\Temp\CE1C.exe
C:\Users\Admin\AppData\Local\Temp\CE1C.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D416.dll
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\55da3b27-a4f3-4b88-866d-c0d399d44401" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\D416.dll
C:\Users\Admin\AppData\Local\Temp\E2A8.exe
C:\Users\Admin\AppData\Local\Temp\E2A8.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\5496.exe
"C:\Users\Admin\AppData\Local\Temp\5496.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\taskeng.exe
taskeng.exe {B2289E7D-EF8B-4B3C-85D0-3FAB8DC26EB4} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\5496.exe
"C:\Users\Admin\AppData\Local\Temp\5496.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231015152202.log C:\Windows\Logs\CBS\CbsPersist_20231015152202.cab
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-15 15:18
Reported
2023-10-15 15:23
Platform
win10v2004-20230915-en
Max time kernel
163s
Max time network
215s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8090.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB0C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C174.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E306.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E9ED.exe | N/A |
Themida packer
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 1776 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8090.exe |
| PID 2280 wrote to memory of 4076 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB0C.exe |
| PID 2280 wrote to memory of 536 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C174.exe |
| PID 2280 wrote to memory of 3708 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E306.exe |
| PID 2280 wrote to memory of 4412 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E9ED.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\8090.exe
C:\Users\Admin\AppData\Local\Temp\8090.exe
C:\Users\Admin\AppData\Local\Temp\AB0C.exe
C:\Users\Admin\AppData\Local\Temp\AB0C.exe
C:\Users\Admin\AppData\Local\Temp\C174.exe
C:\Users\Admin\AppData\Local\Temp\C174.exe
C:\Users\Admin\AppData\Local\Temp\E306.exe
C:\Users\Admin\AppData\Local\Temp\E306.exe
C:\Users\Admin\AppData\Local\Temp\E9ED.exe
C:\Users\Admin\AppData\Local\Temp\E9ED.exe
C:\Users\Admin\AppData\Local\Temp\8090.exe
C:\Users\Admin\AppData\Local\Temp\8090.exe
Network
Files