Analysis Overview
SHA256
57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Djvu Ransomware
Detected Djvu ransomware
Glupteba payload
Amadey
Glupteba
RedLine
RedLine payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Loads dropped DLL
Checks BIOS information in registry
Modifies file permissions
Executes dropped EXE
Deletes itself
Themida packer
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Creates scheduled task(s)
outlook_win_path
Checks SCSI registry key(s)
outlook_office_path
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-16 16:08
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-16 16:08
Reported
2023-10-16 16:11
Platform
win7-20230831-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\C534.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\C534.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\C534.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C534.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D5B8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F377.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\149F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gdabdaj | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\149F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F377.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d868daea-8dfc-4491-ae36-2b8fd474906a\\C19A.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\C19A.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\C534.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C534.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2616 set thread context of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | C:\Users\Admin\AppData\Local\Temp\C19A.exe |
| PID 2584 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\D5B8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1728 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\C19A.exe | C:\Users\Admin\AppData\Local\Temp\C19A.exe |
| PID 3000 set thread context of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\C534.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20231016161010.cab | C:\Windows\system32\makecab.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\D5B8.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\gdabdaj | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\gdabdaj | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\gdabdaj | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gdabdaj | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\149F.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\149F.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C534.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\C19A.exe
C:\Users\Admin\AppData\Local\Temp\C19A.exe
C:\Users\Admin\AppData\Local\Temp\C19A.exe
C:\Users\Admin\AppData\Local\Temp\C19A.exe
C:\Users\Admin\AppData\Local\Temp\C534.exe
C:\Users\Admin\AppData\Local\Temp\C534.exe
C:\Users\Admin\AppData\Local\Temp\D5B8.exe
C:\Users\Admin\AppData\Local\Temp\D5B8.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E257.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\E257.dll
C:\Users\Admin\AppData\Local\Temp\F377.exe
C:\Users\Admin\AppData\Local\Temp\F377.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 72
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\149F.exe
C:\Users\Admin\AppData\Local\Temp\149F.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d868daea-8dfc-4491-ae36-2b8fd474906a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\system32\taskeng.exe
taskeng.exe {88B1D77F-01D7-4A08-B0E0-1D3BF23F6EF4} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\gdabdaj
C:\Users\Admin\AppData\Roaming\gdabdaj
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\C19A.exe
"C:\Users\Admin\AppData\Local\Temp\C19A.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016161010.log C:\Windows\Logs\CBS\CbsPersist_20231016161010.cab
C:\Users\Admin\AppData\Local\Temp\C19A.exe
"C:\Users\Admin\AppData\Local\Temp\C19A.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\149F.exe
"C:\Users\Admin\AppData\Local\Temp\149F.exe"
C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build2.exe
"C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build2.exe"
C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build3.exe
"C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build3.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 104.21.21.57:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 104.21.86.8:443 | loveperry.org | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| ET | 196.188.169.138:80 | zexeq.com | tcp |
| UZ | 195.158.3.162:80 | colisumy.com | tcp |
| ET | 196.188.169.138:80 | zexeq.com | tcp |
| RU | 31.41.244.27:41140 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\C19A.exe
| MD5 | 35cff29d9d8a4004b5cd02443932456e |
| SHA1 | cc644ff8c456c53ac62c503f1219df92d70591b9 |
| SHA256 | 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c |
| SHA512 | 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06 |
C:\Users\Admin\AppData\Local\Temp\C534.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
C:\Users\Admin\AppData\Local\Temp\D5B8.exe
| MD5 | 23aca9b594e0ec61e744a486c34ed0ef |
| SHA1 | 44d7b53c310732634fbf48c2f313505cdb62c6a8 |
| SHA256 | 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61 |
| SHA512 | dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33 |
C:\Users\Admin\AppData\Local\Temp\E257.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\F377.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\149F.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Local\d868daea-8dfc-4491-ae36-2b8fd474906a\C19A.exe
| MD5 | 35cff29d9d8a4004b5cd02443932456e |
| SHA1 | cc644ff8c456c53ac62c503f1219df92d70591b9 |
| SHA256 | 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c |
| SHA512 | 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06 |
C:\Users\Admin\AppData\Roaming\gdabdaj
| MD5 | 40c62fd363e36623ea72fde545ad157f |
| SHA1 | a7df4bb08f97f46f3496bf5deb38423627f222e1 |
| SHA256 | 57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29 |
| SHA512 | 9dd4cd5bd6e5566625e12b6eee1ddba66f8f4d50100432b46dd488c3fd156259fa5aecfd9d1261841f5264daffaae8f53621f8a5e27b66bb1fff593c6cfa14ee |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
\Users\Admin\AppData\Local\Temp\C19A.exe
| MD5 | 35cff29d9d8a4004b5cd02443932456e |
| SHA1 | cc644ff8c456c53ac62c503f1219df92d70591b9 |
| SHA256 | 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c |
| SHA512 | 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e29407f7eb0a3ca9519de1f9d4dd5d3b |
| SHA1 | 323fce8d47a1480b0c9f3a3c4466c044a9786540 |
| SHA256 | fad6ef9d7383f47be968eb781f6e06deb3c43a02f64f4bffec7adaaa94587e30 |
| SHA512 | 4e83ab56848f8f241ef3f2b9177d33bba2d1af37b0508ab12e6027ddf53445ad776febc4298bdbc8a6926c98f97e038986e657cff42ebdc717497052f6f619ac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 7ccf2a63365d0eee235515ed4b6e016f |
| SHA1 | 02c09e598966b21fc543b8d1aeff7ee8069ea0d9 |
| SHA256 | 57f2965ab4246734da13cf26f7d691eb6c7fd2aa63ae6b479006ceef981fa289 |
| SHA512 | 7e3c396f43002181a74c7c43218c575e9d931ce4ed3ad0d1b10eacaec7c951ec95dff008f7a01f86fbc882424a200bf06e2623d6374ba8ba8486ed272acd142b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 246f80d949cf1501a4fed042cee5eaec |
| SHA1 | d8bdf961bd8bac3751f4adf44cfe1d2868f62433 |
| SHA256 | a5201f640b532758a362730f2cf3f4149490c533e9735d354fd668e681a4eb1c |
| SHA512 | f2c9a7dbe9c9dc039a6f9c468ec36d85cb26ad725744a0731d32916a67f8ae67f77306cefacfd249b6b692e45d68620da5c708c5b85b42eb43a33357d182020c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | bf75e238ed085811333bd26b7e256f11 |
| SHA1 | ea96c288d6e2f61a4e0838cbe1870990a583adae |
| SHA256 | 7e6098bd0ef30d68efff8a483122dab018ef4ba62dad8b4f5064efd31832ff80 |
| SHA512 | ee8de8d5c215bdbb61459bec997b5bd6ca38a155584d0e63f85a21785b15218cc416c8f798c5bcb2f2d5e256990a1ba8edd1bd75011a421937458299f2af2d36 |
C:\Users\Admin\AppData\Local\Temp\Cab6C0C.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-16 16:08
Reported
2023-10-16 16:11
Platform
win10v2004-20230915-en
Max time kernel
51s
Max time network
83s
Command Line
Signatures
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3812.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3CF5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jivatab | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4B8D.exe | N/A |
Themida packer
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3180 wrote to memory of 4612 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3812.exe |
| PID 3180 wrote to memory of 4612 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3812.exe |
| PID 3180 wrote to memory of 4612 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3812.exe |
| PID 3180 wrote to memory of 3176 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3CF5.exe |
| PID 3180 wrote to memory of 3176 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3CF5.exe |
| PID 3180 wrote to memory of 3176 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3CF5.exe |
| PID 3180 wrote to memory of 3920 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4B8D.exe |
| PID 3180 wrote to memory of 3920 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4B8D.exe |
| PID 3180 wrote to memory of 3920 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4B8D.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\3812.exe
C:\Users\Admin\AppData\Local\Temp\3812.exe
C:\Users\Admin\AppData\Local\Temp\3CF5.exe
C:\Users\Admin\AppData\Local\Temp\3CF5.exe
C:\Users\Admin\AppData\Roaming\jivatab
C:\Users\Admin\AppData\Roaming\jivatab
C:\Users\Admin\AppData\Local\Temp\4B8D.exe
C:\Users\Admin\AppData\Local\Temp\4B8D.exe
C:\Users\Admin\AppData\Local\Temp\3812.exe
C:\Users\Admin\AppData\Local\Temp\3812.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.24.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3812.exe
| MD5 | 35cff29d9d8a4004b5cd02443932456e |
| SHA1 | cc644ff8c456c53ac62c503f1219df92d70591b9 |
| SHA256 | 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c |
| SHA512 | 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06 |
C:\Users\Admin\AppData\Local\Temp\3CF5.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
C:\Users\Admin\AppData\Roaming\jivatab
| MD5 | 40c62fd363e36623ea72fde545ad157f |
| SHA1 | a7df4bb08f97f46f3496bf5deb38423627f222e1 |
| SHA256 | 57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29 |
| SHA512 | 9dd4cd5bd6e5566625e12b6eee1ddba66f8f4d50100432b46dd488c3fd156259fa5aecfd9d1261841f5264daffaae8f53621f8a5e27b66bb1fff593c6cfa14ee |
C:\Users\Admin\AppData\Local\Temp\4B8D.exe
| MD5 | 23aca9b594e0ec61e744a486c34ed0ef |
| SHA1 | 44d7b53c310732634fbf48c2f313505cdb62c6a8 |
| SHA256 | 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61 |
| SHA512 | dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33 |