Malware Analysis Report

2025-01-18 05:35

Sample ID 231015-sppydsae42
Target NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe
SHA256 c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery evasion infostealer persistence ransomware themida trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821

Threat Level: Known bad

The file NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

Djvu Ransomware

Amadey

RedLine payload

RedLine

SmokeLoader

Detected Djvu ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks BIOS information in registry

Deletes itself

Modifies file permissions

Executes dropped EXE

Themida packer

Checks whether UAC is enabled

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

outlook_office_path

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

outlook_win_path

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-10-15 15:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-10-15 15:18

Reported 2023-10-15 15:22

Platform win7-20230831-en

Max time kernel 161s

Max time network 168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7E16.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7E16.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7E16.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\55da3b27-a4f3-4b88-866d-c0d399d44401\\5496.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5496.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7E16.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7E16.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\BCAD.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\Temp\5496.exe
PID 2652 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\5496.exe C:\Users\Admin\AppData\Local\Temp\5496.exe
PID 1264 wrote to memory of 3012 N/A N/A C:\Users\Admin\AppData\Local\Temp\7E16.exe
PID 1264 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\Temp\BCAD.exe
PID 1264 wrote to memory of 1516 N/A N/A C:\Users\Admin\AppData\Local\Temp\C45B.exe
PID 1516 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\C45B.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1812 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1812 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\BCAD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2840 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BCAD.exe C:\Windows\SysWOW64\WerFault.exe
PID 2580 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 2256 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE1C.exe
PID 2580 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\5496.exe

C:\Users\Admin\AppData\Local\Temp\5496.exe

C:\Users\Admin\AppData\Local\Temp\5496.exe

C:\Users\Admin\AppData\Local\Temp\5496.exe

C:\Users\Admin\AppData\Local\Temp\7E16.exe

C:\Users\Admin\AppData\Local\Temp\7E16.exe

C:\Users\Admin\AppData\Local\Temp\BCAD.exe

C:\Users\Admin\AppData\Local\Temp\BCAD.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\C45B.exe

C:\Users\Admin\AppData\Local\Temp\C45B.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 72

C:\Users\Admin\AppData\Local\Temp\CE1C.exe

C:\Users\Admin\AppData\Local\Temp\CE1C.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D416.dll

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\55da3b27-a4f3-4b88-866d-c0d399d44401" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\D416.dll

C:\Users\Admin\AppData\Local\Temp\E2A8.exe

C:\Users\Admin\AppData\Local\Temp\E2A8.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\5496.exe

"C:\Users\Admin\AppData\Local\Temp\5496.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\taskeng.exe

taskeng.exe {B2289E7D-EF8B-4B3C-85D0-3FAB8DC26EB4} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\5496.exe

"C:\Users\Admin\AppData\Local\Temp\5496.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231015152202.log C:\Windows\Logs\CBS\CbsPersist_20231015152202.cab

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

memory/2116-1-0x0000000000730000-0x0000000000830000-memory.dmp

memory/2116-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2116-3-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/2116-4-0x0000000000730000-0x0000000000830000-memory.dmp

memory/2116-5-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/2116-7-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/1264-6-0x00000000029A0000-0x00000000029B6000-memory.dmp

memory/2116-10-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1264-15-0x000007FEF6190000-0x000007FEF62D3000-memory.dmp

memory/1264-16-0x000007FF44D10000-0x000007FF44D1A000-memory.dmp

memory/1264-17-0x000007FEF6190000-0x000007FEF62D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5496.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2652-27-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2652-28-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2652-29-0x0000000002E80000-0x0000000002F9B000-memory.dmp

\Users\Admin\AppData\Local\Temp\5496.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2548-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2548-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2652-38-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2548-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-40-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7E16.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

memory/3012-44-0x0000000000800000-0x0000000000F80000-memory.dmp

memory/3012-45-0x0000000076F40000-0x0000000077050000-memory.dmp

memory/3012-46-0x0000000075640000-0x0000000075687000-memory.dmp

memory/3012-47-0x0000000076F40000-0x0000000077050000-memory.dmp

memory/3012-48-0x0000000076F40000-0x0000000077050000-memory.dmp

memory/3012-49-0x0000000076F40000-0x0000000077050000-memory.dmp

memory/3012-52-0x0000000076F40000-0x0000000077050000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BCAD.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\C45B.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1856-73-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1856-76-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1856-75-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1856-71-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1856-74-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1856-72-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1856-78-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\BCAD.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\CE1C.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2256-91-0x0000000004960000-0x0000000004D58000-memory.dmp

memory/1856-83-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D416.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

\Users\Admin\AppData\Local\Temp\D416.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/3012-112-0x0000000000800000-0x0000000000F80000-memory.dmp

memory/2152-113-0x0000000010000000-0x00000000101E5000-memory.dmp

\Users\Admin\AppData\Local\Temp\E2A8.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA1 5679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA512 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6

C:\Users\Admin\AppData\Local\Temp\E2A8.exe

MD5 ef5c1e67c5a2aea56c8afb7146bd7978
SHA1 5679f7c9c606d476b4d0081972f8f6f6c568071b
SHA256 a4af405fc8b7374f1c03f1757191ec30893a6ac0f1aea1084cd63d3088cfef5b
SHA512 29ee149cb720f0118abdbd1572e5cfea16cd9643313594f0076f481f4a824a1ca4d2c8f35848e9d638a213a0f23ce1a0b9e9a282c69f39936b676cd63397f8c6

memory/764-124-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/2992-125-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2992-126-0x0000000000060000-0x000000000006C000-memory.dmp

C:\Users\Admin\AppData\Local\55da3b27-a4f3-4b88-866d-c0d399d44401\5496.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/764-140-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/2152-141-0x0000000002300000-0x0000000002423000-memory.dmp

memory/2152-142-0x0000000002430000-0x0000000002538000-memory.dmp

memory/2152-143-0x0000000002430000-0x0000000002538000-memory.dmp

memory/2152-145-0x0000000002430000-0x0000000002538000-memory.dmp

memory/2152-146-0x0000000002430000-0x0000000002538000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CE1C.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2152-148-0x0000000000190000-0x0000000000196000-memory.dmp

\Users\Admin\AppData\Local\Temp\5496.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\5496.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\5496.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2548-152-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2000-154-0x0000000000220000-0x00000000002B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\5496.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\5496.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2000-162-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 2d8f58b5294a80cfa88d5d0622920e9d
SHA1 f6e199ef5584979b0f13e8078c22b223008f1c49
SHA256 798e672585e796a91edc8447e74d8d411c70285ad489159724383c526c34572e
SHA512 f5bb870fcee960953e919b737b0f4dd744f3f49642402325efdc043683eb682ba0b0299dc0b610f3468f90b780aa3e804250ed64cd47e7c9f021fa47ae4c6f30

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b3cc1eab5e14e2d7a01804b22ecf4043
SHA1 1883aeaac8649c5b6848f2131ec56464b964f8fc
SHA256 25d844b5a1806454aa4b221dc31f3423928ffcd816771e7d01797831e0a29324
SHA512 adaf9402ac330d8daae46af707650d579c9f20c1080c6d97fd38f8e119a59793dd3ec3998fd2fbea3a578087d64b831cd25664e3442e236477a3b79fe6d387f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 f88fd901816b3110ccbf28e055ad1257
SHA1 ca9c81b61d9d28ff0f68673b5d9a86499a398f88
SHA256 2c658b6fcdb56d010bed0a386fa7e1ea09ea9ce685c990f9c0a9fe996f29fa32
SHA512 90c635f9394b0e1527b17c344ffd5a04ce8636e61914657da125d46243972972e133730b2acf42c6e31fe739bfc297b4ff6bac69e8f41ab68d687b6477203c09

C:\Users\Admin\AppData\Local\Temp\CabB25E.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2296d2a20d2aa7ec4d3838d0b6689a9b
SHA1 3d36f3edb9cbf46e3e66b68be64bedb2a0113f64
SHA256 23da355cad89af3f6023b0f6420142ca52fd159efaaa23a8515d20f38c6b47f5
SHA512 e14e3fe82f9c08b5b74bcf34b062293895c65a20fd265a9fa361404b1ba91b2d97e3152b6ddf06acd3c117979f0db62485b7c819620994aef04c12891737ac6c

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-15 15:18

Reported

2023-10-15 15:23

Platform

win10v2004-20230915-en

Max time kernel

163s

Max time network

215s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Themida packer

themida

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe N/A

Suspicious behavior: GetForegroundWindowSpam


Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 1776 N/A N/A C:\Users\Admin\AppData\Local\Temp\8090.exe
PID 2280 wrote to memory of 4076 N/A N/A C:\Users\Admin\AppData\Local\Temp\AB0C.exe
PID 2280 wrote to memory of 536 N/A N/A C:\Users\Admin\AppData\Local\Temp\C174.exe
PID 2280 wrote to memory of 3708 N/A N/A C:\Users\Admin\AppData\Local\Temp\E306.exe
PID 2280 wrote to memory of 4412 N/A N/A C:\Users\Admin\AppData\Local\Temp\E9ED.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.c7a4a9461d04291e8efee8c52ed3b2897b61e2fc3a639296c60afc307db7a821exe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\8090.exe

C:\Users\Admin\AppData\Local\Temp\8090.exe

C:\Users\Admin\AppData\Local\Temp\AB0C.exe

C:\Users\Admin\AppData\Local\Temp\AB0C.exe

C:\Users\Admin\AppData\Local\Temp\C174.exe

C:\Users\Admin\AppData\Local\Temp\C174.exe

C:\Users\Admin\AppData\Local\Temp\E306.exe

C:\Users\Admin\AppData\Local\Temp\E306.exe

C:\Users\Admin\AppData\Local\Temp\E9ED.exe

C:\Users\Admin\AppData\Local\Temp\E9ED.exe

C:\Users\Admin\AppData\Local\Temp\8090.exe

C:\Users\Admin\AppData\Local\Temp\8090.exe

Network


Files
