Malware Analysis Report

2025-01-18 05:57

Sample ID 231016-22laeaga9w
Target file
SHA256 a8aa91182c9febb8db8f1758c1c796b73cfd6cf8494e809cd35d7fee2276802c
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery evasion infostealer persistence ransomware themida trojan glupteba pub1 dropper loader spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a8aa91182c9febb8db8f1758c1c796b73cfd6cf8494e809cd35d7fee2276802c

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery evasion infostealer persistence ransomware themida trojan glupteba pub1 dropper loader spyware

Amadey

SmokeLoader

Djvu Ransomware

RedLine payload

Glupteba payload

Detected Djvu ransomware

RedLine

Glupteba

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Themida packer

Checks BIOS information in registry

Deletes itself

Modifies file permissions

Checks computer location settings

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

outlook_win_path

Enumerates system info in registry

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

outlook_office_path

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 23:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 23:04

Reported

2023-10-16 23:08

Platform

win7-20230831-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FBED.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FBED.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FBED.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6f0d67e1-d38a-43d9-80eb-bb009aaf50bf\\F509.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F509.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\FBED.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBED.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [binary certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FBED.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1280 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 1280 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 1280 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 1280 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 2960 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 2960 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 2960 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 2960 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 2960 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 2960 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 2960 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 2960 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 2960 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 2960 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 2960 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Users\Admin\AppData\Local\Temp\F509.exe
PID 1280 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBED.exe
PID 1280 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBED.exe
PID 1280 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBED.exe
PID 1280 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBED.exe
PID 1280 wrote to memory of 2488 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1280 wrote to memory of 2488 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1280 wrote to memory of 2488 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1280 wrote to memory of 2488 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1280 wrote to memory of 2488 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2488 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2488 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2488 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2488 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2488 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2488 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2488 wrote to memory of 1936 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1280 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\754.exe
PID 1280 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\754.exe
PID 1280 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\754.exe
PID 1280 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\754.exe
PID 1280 wrote to memory of 1440 N/A N/A C:\Users\Admin\AppData\Local\Temp\12E9.exe
PID 1280 wrote to memory of 1440 N/A N/A C:\Users\Admin\AppData\Local\Temp\12E9.exe
PID 1280 wrote to memory of 1440 N/A N/A C:\Users\Admin\AppData\Local\Temp\12E9.exe
PID 1280 wrote to memory of 1440 N/A N/A C:\Users\Admin\AppData\Local\Temp\12E9.exe
PID 1280 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\23AC.exe
PID 1280 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\23AC.exe
PID 1280 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\23AC.exe
PID 1280 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\23AC.exe
PID 1280 wrote to memory of 2724 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1280 wrote to memory of 2724 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1280 wrote to memory of 2724 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1280 wrote to memory of 2724 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1280 wrote to memory of 2724 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1440 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\12E9.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1440 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\12E9.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1440 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\12E9.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1440 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\12E9.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2792 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Windows\SysWOW64\icacls.exe
PID 2792 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Windows\SysWOW64\icacls.exe
PID 2792 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Windows\SysWOW64\icacls.exe
PID 2792 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\F509.exe C:\Windows\SysWOW64\icacls.exe
PID 528 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 528 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 528 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 528 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 528 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\F509.exe

C:\Users\Admin\AppData\Local\Temp\F509.exe

C:\Users\Admin\AppData\Local\Temp\F509.exe

C:\Users\Admin\AppData\Local\Temp\F509.exe

C:\Users\Admin\AppData\Local\Temp\FBED.exe

C:\Users\Admin\AppData\Local\Temp\FBED.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\540.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\540.dll

C:\Users\Admin\AppData\Local\Temp\754.exe

C:\Users\Admin\AppData\Local\Temp\754.exe

C:\Users\Admin\AppData\Local\Temp\12E9.exe

C:\Users\Admin\AppData\Local\Temp\12E9.exe

C:\Users\Admin\AppData\Local\Temp\23AC.exe

C:\Users\Admin\AppData\Local\Temp\23AC.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6f0d67e1-d38a-43d9-80eb-bb009aaf50bf" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\F509.exe

"C:\Users\Admin\AppData\Local\Temp\F509.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F509.exe

"C:\Users\Admin\AppData\Local\Temp\F509.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016230736.log C:\Windows\Logs\CBS\CbsPersist_20231016230736.cab

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {903857C9-B962-4C45-8254-C4E90ACA5651} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 mikolyda.beget.tech udp
RU 91.106.207.50:80 mikolyda.beget.tech tcp
US 8.8.8.8:53 hoffmanlevi.space udp
RU 45.130.41.106:443 hoffmanlevi.space tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 95.214.27.254:80 95.214.27.254 tcp
GB 145.239.200.147:30225 tcp
US 188.114.96.0:443 api.2ip.ua tcp
RU 31.41.244.27:41140 tcp

Files

memory/1712-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

memory/1712-2-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1712-3-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/1712-5-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1280-4-0x00000000029D0000-0x00000000029E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F509.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Local\Temp\F509.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/2960-20-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2960-21-0x0000000000220000-0x00000000002B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F509.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

\Users\Admin\AppData\Local\Temp\F509.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/2960-24-0x0000000000850000-0x000000000096B000-memory.dmp

memory/2792-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2792-27-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F509.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Local\Temp\FBED.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/2536-34-0x0000000000170000-0x0000000000918000-memory.dmp

memory/2792-35-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2536-36-0x00000000768B0000-0x00000000769C0000-memory.dmp

memory/2536-37-0x00000000768B0000-0x00000000769C0000-memory.dmp

memory/2536-38-0x00000000768B0000-0x00000000769C0000-memory.dmp

memory/2536-39-0x00000000768B0000-0x00000000769C0000-memory.dmp

memory/2536-41-0x0000000076610000-0x0000000076657000-memory.dmp

memory/2536-43-0x00000000768B0000-0x00000000769C0000-memory.dmp

memory/2536-44-0x00000000768B0000-0x00000000769C0000-memory.dmp

memory/2536-45-0x00000000768B0000-0x00000000769C0000-memory.dmp

memory/2536-47-0x00000000768B0000-0x00000000769C0000-memory.dmp

memory/2536-48-0x00000000768B0000-0x00000000769C0000-memory.dmp

memory/2536-46-0x00000000768B0000-0x00000000769C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\540.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/2536-51-0x0000000000170000-0x0000000000918000-memory.dmp

\Users\Admin\AppData\Local\Temp\540.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

C:\Users\Admin\AppData\Local\Temp\754.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

C:\Users\Admin\AppData\Local\Temp\754.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

memory/1936-59-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/1936-65-0x0000000002250000-0x0000000002358000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1936-73-0x0000000002360000-0x0000000002450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\12E9.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1936-75-0x0000000002360000-0x0000000002450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\12E9.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1936-67-0x0000000002360000-0x0000000002450000-memory.dmp

memory/1936-76-0x0000000002360000-0x0000000002450000-memory.dmp

memory/1936-81-0x0000000000180000-0x0000000000186000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\23AC.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\23AC.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1644-88-0x0000000004900000-0x0000000004CF8000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2724-103-0x00000000000C0000-0x000000000012B000-memory.dmp

memory/2724-117-0x00000000000C0000-0x000000000012B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\6f0d67e1-d38a-43d9-80eb-bb009aaf50bf\F509.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/2860-120-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2860-121-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2860-122-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2860-125-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2860-124-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2860-123-0x0000000000400000-0x000000000043E000-memory.dmp

memory/832-126-0x0000000000060000-0x000000000006C000-memory.dmp

memory/832-127-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2860-129-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2860-131-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bf46331c40745f776a567fa58461593
SHA1 4ea22a4250fca4a75c354846fbb795fbb31548d4
SHA256 faea268fa3d6522ee776f8618a701985fd63d41446b0b683cd931956c19c7997
SHA512 567fc1621eedb223deddf5848f87df915f80448702488ae5ce2d205460cb41d8a7aeae3f9b5e46b852431ce5e3ff2f4d6ce12f4c0e890fb1e7ea8858e459cf66


Analysis: behavioral2

Detonation Overview

Submitted

2023-10-16 23:04

Reported

2023-10-16 23:08

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3871.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3871.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3871.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSFF4A.tmp\Install.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\341B.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSFF4A.tmp\Install.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\46BC.exe | N/A

Deletes itself

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Themida packer

themida

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0a6471ba-9bfc-418d-a68d-d245e56f5ae1\\341B.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\341B.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\3871.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zSFF4A.tmp\Install.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3871.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\341B.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4C8A.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4C8A.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4C8A.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zSFF4A.tmp\Install.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zSFF4A.tmp\Install.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4C8A.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3871.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3180 wrote to memory of 2812 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe
PID 3180 wrote to memory of 2812 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe
PID 3180 wrote to memory of 2812 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe
PID 3180 wrote to memory of 1176 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3871.exe
PID 3180 wrote to memory of 1176 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3871.exe
PID 3180 wrote to memory of 1176 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3871.exe
PID 2812 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe | C:\Users\Admin\AppData\Local\Temp\341B.exe
PID 2812 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe | C:\Users\Admin\AppData\Local\Temp\341B.exe
PID 2812 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe | C:\Users\Admin\AppData\Local\Temp\341B.exe
PID 2812 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe | C:\Users\Admin\AppData\Local\Temp\341B.exe
PID 2812 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe | C:\Users\Admin\AppData\Local\Temp\341B.exe
PID 2812 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe | C:\Users\Admin\AppData\Local\Temp\341B.exe
PID 2812 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe | C:\Users\Admin\AppData\Local\Temp\341B.exe
PID 2812 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe | C:\Users\Admin\AppData\Local\Temp\341B.exe
PID 2812 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe | C:\Users\Admin\AppData\Local\Temp\341B.exe
PID 2812 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe | C:\Users\Admin\AppData\Local\Temp\341B.exe
PID 3180 wrote to memory of 3332 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 3180 wrote to memory of 3332 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 3180 wrote to memory of 4968 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3EDC.exe
PID 3180 wrote to memory of 4968 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3EDC.exe
PID 3180 wrote to memory of 4968 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3EDC.exe
PID 3332 wrote to memory of 4484 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3332 wrote to memory of 4484 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3332 wrote to memory of 4484 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 3180 wrote to memory of 2308 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\46BC.exe
PID 3180 wrote to memory of 2308 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\46BC.exe
PID 3180 wrote to memory of 2308 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\46BC.exe
PID 2308 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\46BC.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2308 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\46BC.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2308 wrote to memory of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\46BC.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3180 wrote to memory of 1304 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4C8A.exe
PID 3180 wrote to memory of 1304 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4C8A.exe
PID 3180 wrote to memory of 1304 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4C8A.exe
PID 3632 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe | C:\Windows\SysWOW64\icacls.exe
PID 3632 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe | C:\Windows\SysWOW64\icacls.exe
PID 3632 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\341B.exe | C:\Windows\SysWOW64\icacls.exe
PID 2220 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 4304 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5390.exe
PID 3180 wrote to memory of 4304 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5390.exe
PID 3180 wrote to memory of 4304 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5390.exe
PID 3180 wrote to memory of 3060 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3180 wrote to memory of 3060 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3180 wrote to memory of 3060 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3180 wrote to memory of 3060 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 3180 wrote to memory of 1856 | N/A | N/A | C:\Windows\explorer.exe
PID 3180 wrote to memory of 1856 | N/A | N/A | C:\Windows\explorer.exe
PID 3180 wrote to memory of 1856 | N/A | N/A | C:\Windows\explorer.exe
PID 4836 wrote to memory of 4028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 4028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 4028 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 2416 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4836 wrote to memory of 2416 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4836 wrote to memory of 2416 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4836 wrote to memory of 4352 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4836 wrote to memory of 4352 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4836 wrote to memory of 4352 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 4836 wrote to memory of 1960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 1960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 1960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\341B.exe

C:\Users\Admin\AppData\Local\Temp\341B.exe

C:\Users\Admin\AppData\Local\Temp\3871.exe

C:\Users\Admin\AppData\Local\Temp\3871.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3C4B.dll

C:\Users\Admin\AppData\Local\Temp\341B.exe

C:\Users\Admin\AppData\Local\Temp\341B.exe

C:\Users\Admin\AppData\Local\Temp\3EDC.exe

C:\Users\Admin\AppData\Local\Temp\3EDC.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\3C4B.dll

C:\Users\Admin\AppData\Local\Temp\46BC.exe

C:\Users\Admin\AppData\Local\Temp\46BC.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\4C8A.exe

C:\Users\Admin\AppData\Local\Temp\4C8A.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0a6471ba-9bfc-418d-a68d-d245e56f5ae1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\5390.exe

C:\Users\Admin\AppData\Local\Temp\5390.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\341B.exe

"C:\Users\Admin\AppData\Local\Temp\341B.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\341B.exe

"C:\Users\Admin\AppData\Local\Temp\341B.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe

"C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 568

C:\Users\Admin\AppData\Local\Temp\7zSEF5C.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSFF4A.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gCkrOepSz" /SC once /ST 09:32:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\5253.exe

C:\Users\Admin\AppData\Local\Temp\5253.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gCkrOepSz"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 121.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 8.86.21.104.in-addr.arpa udp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 mikolyda.beget.tech udp
RU 91.106.207.50:80 mikolyda.beget.tech tcp
US 8.8.8.8:53 50.207.106.91.in-addr.arpa udp
US 8.8.8.8:53 hoffmanlevi.space udp
RU 45.130.41.106:443 hoffmanlevi.space tcp
US 8.8.8.8:53 106.41.130.45.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 95.214.27.254:80 95.214.27.254 tcp
US 8.8.8.8:53 254.27.214.95.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
KR 211.119.84.112:80 wirtshauspost.at tcp
US 8.8.8.8:53 112.84.119.211.in-addr.arpa udp
KR 211.119.84.112:80 wirtshauspost.at tcp
KR 211.119.84.112:80 wirtshauspost.at tcp
KR 211.119.84.112:80 wirtshauspost.at tcp
KR 211.119.84.112:80 wirtshauspost.at tcp
KR 211.119.84.112:80 wirtshauspost.at tcp
KR 211.119.84.112:80 wirtshauspost.at tcp
KR 211.119.84.112:80 wirtshauspost.at tcp
KR 211.119.84.112:80 wirtshauspost.at tcp
KR 211.119.84.112:80 wirtshauspost.at tcp
US 8.8.8.8:53 rummygoplay.in udp
IN 103.251.94.112:443 rummygoplay.in tcp
US 8.8.8.8:53 112.94.251.103.in-addr.arpa udp
RU 31.41.244.27:41140 tcp
GB 145.239.200.147:30225 tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 147.200.239.145.in-addr.arpa udp
KR 211.119.84.112:80 wirtshauspost.at tcp
KR 211.119.84.112:80 wirtshauspost.at tcp
KR 211.119.84.112:80 wirtshauspost.at tcp
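
The connection list above mixes three kinds of record: queries to the public resolver, the sandbox's own PTR (`in-addr.arpa`) lookups of each peer, and the TCP connections that are the actual indicators. The script below is an added example (not part of the sandbox report) that parses lines in this `CC IP:PORT [HOST] PROTO` layout, drops the reverse-lookup noise, and ranks the real endpoints: a missing HOST column means the address is hard-coded in the sample, and the same endpoint hit many times (wirtshauspost.at is contacted thirteen times on this page) is polling or beaconing. The `BENIGN_HOSTS` set is an assumption of the example, analyst judgement about infrastructure the malware merely uses (api.2ip.ua is an external-IP lookup service) rather than anything the report states; the sample lines are a constructed subset of the ones above.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of the connection lines from this report, in the
# "CC IP:PORT [HOST] PROTO" layout the sandbox renders them in (the HOST column
# is absent for hard-coded IP connections).
SAMPLE = """\
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
KR 211.119.84.112:80 wirtshauspost.at tcp
KR 211.119.84.112:80 wirtshauspost.at tcp
KR 211.119.84.112:80 wirtshauspost.at tcp
RU 31.41.244.27:41140 tcp
GB 145.239.200.147:30225 tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
"""

LINE_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<host>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Assumption (analyst judgement, not from the report): benign infrastructure the
# malware uses, such as an external-IP lookup service, which must not be
# blocklisted as C2.
BENIGN_HOSTS = {"api.2ip.ua"}


@dataclass
class Conn:
    cc: str
    ip: str
    port: int
    host: Optional[str]
    proto: str


def parse(text: str) -> list:
    """Parse the sandbox's connection lines; fail loudly on anything unexpected."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed line: {line!r}")
        conns.append(Conn(m["cc"], m["ip"], int(m["port"]), m["host"], m["proto"]))
    return conns


def triage(conns) -> dict:
    lookups, ptr_noise = set(), set()
    endpoints = Counter()        # (ip, port) -> number of connections
    names = defaultdict(set)     # (ip, port) -> hostnames that resolved to it
    for c in conns:
        if c.proto == "udp" and c.port == 53:
            # Forward lookups are attacker-chosen names and worth keeping; PTR
            # lookups of the peers are the sandbox's own reverse resolution.
            if c.host and c.host.endswith(".in-addr.arpa"):
                ptr_noise.add(c.host)
            elif c.host:
                lookups.add(c.host)
            continue
        key = (c.ip, c.port)
        endpoints[key] += 1
        if c.host and c.host != c.ip:
            names[key].add(c.host)
    result = []
    for (ip, port), n in endpoints.most_common():
        hosts = sorted(names[(ip, port)])
        flags = []
        if any(h in BENIGN_HOSTS for h in hosts):
            flags.append("benign-service")
        if not hosts:
            flags.append("direct-ip")    # no DNS: the address is hard-coded in the sample
        if n >= 3:
            flags.append("repeated")     # same endpoint over and over: polling/beaconing
        result.append({"ip": ip, "port": port, "hosts": hosts, "count": n, "flags": flags})
    return {"lookups": sorted(lookups), "ptr_noise": sorted(ptr_noise), "endpoints": result}


if __name__ == "__main__":
    r = triage(parse(SAMPLE))
    for e in r["endpoints"]:
        hosts = ",".join(e["hosts"]) or "-"
        print(f"{e['ip']}:{e['port']} x{e['count']} {hosts} {' '.join(e['flags'])}")
```

Pasting the whole connection section into `SAMPLE` gives the blocklist for this sample directly: the `repeated` and `direct-ip` endpoints are the ones to watch for in proxy and NetFlow data, while the `benign-service` entries and the PTR names stay out of detection content.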

Files

memory/2356-1-0x0000000000B50000-0x0000000000C50000-memory.dmp

memory/2356-2-0x0000000000920000-0x000000000092B000-memory.dmp

memory/2356-3-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3180-4-0x00000000012E0000-0x00000000012F6000-memory.dmp

memory/2356-5-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2356-8-0x0000000000920000-0x000000000092B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\341B.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Local\Temp\3871.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/1176-23-0x00000000008D0000-0x0000000001078000-memory.dmp

memory/1176-24-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/1176-26-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/1176-25-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/1176-28-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/1176-27-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/1176-29-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/1176-31-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/2812-32-0x00000000025E0000-0x00000000026FB000-memory.dmp

memory/1176-33-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/2812-34-0x00000000009C0000-0x0000000000A5D000-memory.dmp

memory/1176-35-0x0000000077314000-0x0000000077316000-memory.dmp

memory/3632-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3632-37-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\341B.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/3632-40-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3C4B.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

C:\Users\Admin\AppData\Local\Temp\3EDC.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

memory/3632-48-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3C4B.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/4484-50-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/4484-51-0x0000000000640000-0x0000000000646000-memory.dmp

memory/1176-53-0x00000000008D0000-0x0000000001078000-memory.dmp

memory/1176-54-0x0000000005CE0000-0x0000000006284000-memory.dmp

memory/1176-55-0x0000000005730000-0x00000000057C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\46BC.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1176-62-0x00000000058D0000-0x000000000596C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\46BC.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4484-66-0x0000000002320000-0x0000000002428000-memory.dmp

memory/1176-63-0x0000000005690000-0x000000000569A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4C8A.exe

MD5 d683bddf6815f3ae95c3e47f14427fed
SHA1 a74475a8be5e7a2640e7542adb20e669df275bc4
SHA256 2969629b1aa7d6eaf2be5327c3b2af4c209169a7b60c06855ee21a3ba5870f3e
SHA512 50364c620f6365e9379ea5e7a9de3c036d8cb8cb6e120644dd4ca3a9861354cb9412ba3b19ed3ad45958cb1f165b6688f668f2359bc1bb646d392f0774d6e591

memory/4484-79-0x0000000002430000-0x0000000002520000-memory.dmp

memory/4484-83-0x0000000002430000-0x0000000002520000-memory.dmp

memory/4484-88-0x0000000002430000-0x0000000002520000-memory.dmp

memory/1176-89-0x00000000008D0000-0x0000000001078000-memory.dmp

memory/1176-90-0x0000000076E40000-0x0000000076F30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5390.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1176-97-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/1176-99-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/3060-100-0x0000000001450000-0x00000000014BB000-memory.dmp

memory/3060-98-0x0000000001450000-0x00000000014BB000-memory.dmp

memory/3060-102-0x00000000014C0000-0x0000000001540000-memory.dmp

memory/1176-103-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/1856-105-0x0000000000300000-0x000000000030C000-memory.dmp

memory/1176-101-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/1176-106-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/1856-108-0x0000000000310000-0x0000000000317000-memory.dmp

memory/1176-109-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/1304-111-0x0000000000B80000-0x0000000000B8B000-memory.dmp

memory/4484-110-0x0000000002430000-0x0000000002520000-memory.dmp

memory/3632-113-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1856-114-0x0000000000300000-0x000000000030C000-memory.dmp

memory/4304-116-0x0000000004B80000-0x0000000004F79000-memory.dmp

memory/1304-117-0x0000000000BA0000-0x0000000000CA0000-memory.dmp

memory/1304-115-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/4304-118-0x0000000005080000-0x000000000596B000-memory.dmp

memory/4304-120-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\0a6471ba-9bfc-418d-a68d-d245e56f5ae1\341B.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/3180-131-0x00000000030D0000-0x00000000030E6000-memory.dmp

memory/1304-133-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1176-135-0x00000000056F0000-0x000000000570C000-memory.dmp

memory/1176-142-0x00000000056F0000-0x0000000005705000-memory.dmp

memory/1176-146-0x00000000056F0000-0x0000000005705000-memory.dmp

memory/1176-157-0x00000000056F0000-0x0000000005705000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\341B.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/1176-162-0x00000000056F0000-0x0000000005705000-memory.dmp

memory/3632-158-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1176-164-0x00000000056F0000-0x0000000005705000-memory.dmp

memory/1176-166-0x00000000056F0000-0x0000000005705000-memory.dmp

memory/1176-168-0x00000000056F0000-0x0000000005705000-memory.dmp

memory/1176-170-0x00000000056F0000-0x0000000005705000-memory.dmp

memory/1176-172-0x00000000056F0000-0x0000000005705000-memory.dmp

memory/1176-174-0x00000000056F0000-0x0000000005705000-memory.dmp

memory/1176-176-0x00000000056F0000-0x0000000005705000-memory.dmp

memory/1176-178-0x00000000056F0000-0x0000000005705000-memory.dmp

memory/1176-180-0x00000000056F0000-0x0000000005705000-memory.dmp

memory/4304-181-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\341B.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/3816-185-0x0000000002402000-0x0000000002494000-memory.dmp

memory/3060-187-0x0000000001450000-0x00000000014BB000-memory.dmp

memory/4304-188-0x0000000004B80000-0x0000000004F79000-memory.dmp

memory/3752-189-0x0000000000400000-0x0000000000537000-memory.dmp

memory/456-190-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3752-191-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3752-193-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 62962daa1b19bbcc2db10b7bfd531ea6
SHA1 d64bae91091eda6a7532ebec06aa70893b79e1f8
SHA256 80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880
SHA512 9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Roaming\irtwvgv

MD5 d683bddf6815f3ae95c3e47f14427fed
SHA1 a74475a8be5e7a2640e7542adb20e669df275bc4
SHA256 2969629b1aa7d6eaf2be5327c3b2af4c209169a7b60c06855ee21a3ba5870f3e
SHA512 50364c620f6365e9379ea5e7a9de3c036d8cb8cb6e120644dd4ca3a9861354cb9412ba3b19ed3ad45958cb1f165b6688f668f2359bc1bb646d392f0774d6e591

memory/3548-224-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1176-232-0x00000000008D0000-0x0000000001078000-memory.dmp

memory/456-233-0x0000000073620000-0x0000000073DD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/1176-234-0x0000000076E40000-0x0000000076F30000-memory.dmp

memory/4304-239-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/456-245-0x0000000002F60000-0x0000000002F70000-memory.dmp

memory/3548-247-0x0000000073620000-0x0000000073DD0000-memory.dmp

memory/3548-248-0x0000000007C30000-0x0000000007C40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSEF5C.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/456-253-0x0000000008AA0000-0x00000000090B8000-memory.dmp

memory/456-256-0x0000000007B50000-0x0000000007B62000-memory.dmp

memory/456-259-0x0000000008480000-0x000000000858A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSFF4A.tmp\Install.exe

MD5 cd3191644eeaab1d1cf9b4bea245f78c
SHA1 75f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256 f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA512 79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

memory/456-262-0x0000000073620000-0x0000000073DD0000-memory.dmp

memory/456-263-0x0000000002F60000-0x0000000002F70000-memory.dmp

memory/3548-264-0x0000000073620000-0x0000000073DD0000-memory.dmp

memory/232-265-0x0000000000CC0000-0x00000000013AF000-memory.dmp

memory/456-266-0x0000000007E00000-0x0000000007E3C000-memory.dmp

memory/3548-267-0x0000000007C30000-0x0000000007C40000-memory.dmp

memory/456-268-0x0000000007E80000-0x0000000007ECC000-memory.dmp

memory/3104-275-0x0000000002CC0000-0x0000000002CF6000-memory.dmp

memory/3104-277-0x00000000054F0000-0x0000000005B18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qfvv3kgr.ami.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\5253.exe

MD5 607610e04c69c4745611af79dddf064a
SHA1 bb57da232ed752ebbbc60dc888f892d5fb197b49
SHA256 764fb55514fdb44d826954bb6a751aadbc065b2b96dedf244636d887758e7345
SHA512 c0f959839c0a209e4ea695a7f63ab9c2d8852e85fd0078f9054e7c619090bddf89707a3cb9e30e04da156d20a38d402ed25b74d117005263327699513f779769

C:\Users\Admin\AppData\Local\Temp\5253.exe

MD5 607610e04c69c4745611af79dddf064a
SHA1 bb57da232ed752ebbbc60dc888f892d5fb197b49
SHA256 764fb55514fdb44d826954bb6a751aadbc065b2b96dedf244636d887758e7345
SHA512 c0f959839c0a209e4ea695a7f63ab9c2d8852e85fd0078f9054e7c619090bddf89707a3cb9e30e04da156d20a38d402ed25b74d117005263327699513f779769
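
The Files list repeats the same digests under different paths and the same process under many dump indices, which hides the two things worth pulling out of it: a digest that appears at two paths is the dropper copying itself to its persistence location rather than a second download (on this page Temp\46BC.exe reappears as Temp\577f58beff\yiueea.exe, Temp\4C8A.exe as Roaming\irtwvgv, and Temp\341B.exe under Local\<GUID>\), and two PIDs whose dumps cover an identical image range at the default base 0x400000 (2356 and 1304 at 0x400000-0x7CE000, 3632 and 3752 at 0x400000-0x537000) are most likely the same binary relaunched. The script below is an added example, not part of the sandbox report, that parses entries in this layout and surfaces both. The constructed sample is a subset of the entries above with the SHA1 and SHA512 lines omitted; they parse the same way. The shared-image rule is a heuristic of the example and not a claim the report makes.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of this report's Files entries (path line, then
# "ALGO digest" lines) and memory-dump names, SHA1/SHA512 lines left out.
SAMPLE = r"""
memory/2356-3-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\341B.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7

C:\Users\Admin\AppData\Local\Temp\3C4B.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d

memory/4484-50-0x0000000010000000-0x00000000101E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\46BC.exe

MD5 55f845c433e637594aaf872e41fda207
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

C:\Users\Admin\AppData\Local\Temp\4C8A.exe

MD5 d683bddf6815f3ae95c3e47f14427fed
SHA256 2969629b1aa7d6eaf2be5327c3b2af4c209169a7b60c06855ee21a3ba5870f3e

memory/1304-115-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Local\0a6471ba-9bfc-418d-a68d-d245e56f5ae1\341B.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7

C:\Users\Admin\AppData\Roaming\irtwvgv

MD5 d683bddf6815f3ae95c3e47f14427fed
SHA256 2969629b1aa7d6eaf2be5327c3b2af4c209169a7b60c06855ee21a3ba5870f3e
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_files(text: str):
    """Return ([(path, {algo: digest}), ...], [(pid, idx, start, end), ...])."""
    entries, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := MEM_RE.match(line)):
            dumps.append((int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16)))
            current = None
        elif (m := HASH_RE.match(line)) and current is not None:
            current[1][m.group(1).upper()] = m.group(2).lower()   # digest belongs to the last path
        elif PATH_RE.match(line):
            current = (line, {})
            entries.append(current)
        else:
            raise ValueError(f"unparsed line: {line!r}")
    return entries, dumps


def summarize(entries, dumps) -> dict:
    by_sha = defaultdict(lambda: {"md5": None, "paths": []})
    for path, hashes in entries:
        sha = hashes.get("SHA256")
        if sha is None:
            continue                       # entry rendered without digests: nothing to key on
        rec = by_sha[sha]
        rec["md5"] = hashes.get("MD5")
        if path not in rec["paths"]:
            rec["paths"].append(path)
    # One digest at several paths: the dropper copied itself (persistence),
    # so the copies are the same sample and need one set of detections.
    self_copies = {sha: rec["paths"] for sha, rec in by_sha.items() if len(rec["paths"]) > 1}
    # Heuristic: dumps starting at the default 32-bit image base with the same
    # size in different PIDs are most likely one binary running more than once.
    by_range = defaultdict(set)
    for pid, _idx, start, end in dumps:
        if start == 0x400000:
            by_range[(start, end)].add(pid)
    shared_images = {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) > 1}
    return {"unique_files": len(by_sha), "by_sha256": dict(by_sha),
            "self_copies": self_copies, "shared_images": shared_images}


if __name__ == "__main__":
    entries, dumps = parse_files(SAMPLE)
    s = summarize(entries, dumps)
    print(s["unique_files"], "unique files;", len(s["self_copies"]), "copied to a second path")
    for sha, paths in s["self_copies"].items():
        print(sha[:16], "->", " | ".join(paths))
    for (start, end), pids in s["shared_images"].items():
        print(f"image {start:#x}-{end:#x} present in PIDs {pids}")
```

Running it on the full list collapses the dozens of entries to a handful of unique SHA256 values, which is the set to push to endpoint blocklists, and names the second path of each self-copy, which is where a host-based hunt for this infection should look.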