Malware Analysis Report

2025-01-18 05:11

Sample ID 231016-tk7s3saa9z
Target file.exe
SHA256 57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan

SmokeLoader

Djvu Ransomware

Detected Djvu ransomware

Glupteba payload

Amadey

Glupteba

RedLine

RedLine payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks BIOS information in registry

Modifies file permissions

Executes dropped EXE

Deletes itself

Themida packer

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

outlook_win_path

Checks SCSI registry key(s)

outlook_office_path

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 16:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 16:08

Reported

2023-10-16 16:11

Platform

win7-20230831-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (×17)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (×8)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (×4)

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\C534.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\C534.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\C534.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (×2)

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d868daea-8dfc-4491-ae36-2b8fd474906a\\C19A.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\C19A.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\C534.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (×3)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C534.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20231016161010.cab C:\Windows\system32\makecab.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\D5B8.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\gdabdaj N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\gdabdaj N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\gdabdaj N/A
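
The four registry checks in the tables above (the ACPI DSDT\VBOX__ key, the two BIOS version values, EnableLUA and the Enum\SCSI enumeration) are exactly the kind of row a triage script should pull out of a sandbox trace, and they come from three different processes here (C534.exe, file.exe and the sample's own copy gdabdaj, whose SHA256 in the Files section matches the submitted file). The script below is an added example by the editor, not the sandbox's signature logic: it parses rows in the layout these tables use, applies a small rule list and reports per process. The rule set, the category names and the benign final row are the editor's; the FADT and RSDT variants in the first rule are the other places VirtualBox writes its OEM ID, which this trace does not show.

```python
import re
from collections import defaultdict

# Registry rows copied from the behavioral1 signature tables above, in the
# report's own "<action> <key path> <process> <target>" layout. The last row
# is constructed (not from the report) so the classifier has something to ignore.
SAMPLE_EVENTS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\C534.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\C534.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\C534.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\C534.exe N/A",
    r"Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\gdabdaj N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A",
    r"Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall C:\Windows\explorer.exe N/A",  # constructed
]

EVENT_RE = re.compile(
    r"^(?P<action>Key(?: value)? \w+) (?P<key>\\REGISTRY\\\S+) (?P<process>\S+) (?P<target>\S+)$"
)

# Each rule: (category, pattern over the key path). Categories starting with
# "anti-vm:" are environment fingerprinting; "recon:" is context gathering.
RULES = [
    # VirtualBox stamps its OEM ID into the ACPI tables that Windows exposes
    # under HKLM\HARDWARE\ACPI (DSDT/FADT/RSDT); a physical host has no VBOX__ key.
    ("anti-vm:acpi-oem-id", re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    # Hypervisor vendor strings (e.g. "VBOX") appear in these two BIOS values.
    ("anti-vm:bios-version", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    # Device IDs under Enum\SCSI carry the (virtual) disk vendor and model.
    ("anti-vm:scsi-enum", re.compile(r"\\SYSTEM\\ControlSet\d{3}\\Enum\\SCSI$", re.I)),
    # Not evasion by itself: the loader checks whether UAC will prompt on elevation.
    ("recon:uac-enabled", re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
]


def parse_event(line):
    """Split one report row into action, key, process and target."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event row: {line!r}")
    return m.groupdict()


def classify(lines):
    """Return {process: {category: sorted unique key paths}} for rows that hit a rule."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ev = parse_event(line)
        for category, pattern in RULES:
            if pattern.search(ev["key"]):
                findings[ev["process"]][category].add(ev["key"])
    return {p: {c: sorted(k) for c, k in cats.items()} for p, cats in findings.items()}


def anti_vm_processes(findings):
    """Map each process that fingerprints its environment to its number of distinct anti-VM techniques."""
    counts = {p: sum(c.startswith("anti-vm:") for c in cats) for p, cats in findings.items()}
    return {p: n for p, n in counts.items() if n}


if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for proc, n in sorted(anti_vm_processes(found).items()):
        print(f"{proc}: {n} anti-VM technique(s)")
        for cat, keys in sorted(found[proc].items()):
            print(f"  {cat}: {', '.join(keys)}")
```

Grouping per process matters more than the raw hit count: a single process combining the ACPI and BIOS checks (C534.exe here) is a much stronger sandbox-evasion signal than one Enum\SCSI enumeration, which some legitimate installers also perform.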

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A (×2)
N/A N/A N/A N/A (×62)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A (×4)
N/A N/A C:\Users\Admin\AppData\Roaming\gdabdaj N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (×3)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\149F.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\149F.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C534.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2616 N/A N/A C:\Users\Admin\AppData\Local\Temp\C19A.exe (×4)
PID 2616 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\C19A.exe C:\Users\Admin\AppData\Local\Temp\C19A.exe (×11)
PID 1200 wrote to memory of 3000 N/A N/A C:\Users\Admin\AppData\Local\Temp\C534.exe (×4)
PID 1200 wrote to memory of 2584 N/A N/A C:\Users\Admin\AppData\Local\Temp\D5B8.exe (×4)
PID 2584 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\D5B8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (×12)
PID 1200 wrote to memory of 2816 N/A N/A C:\Windows\system32\regsvr32.exe (×5)
PID 2816 wrote to memory of 2880 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe (×7)
PID 1200 wrote to memory of 1548 N/A N/A C:\Users\Admin\AppData\Local\Temp\F377.exe (×4)
PID 1548 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\F377.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe (×4)
PID 2584 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\D5B8.exe C:\Windows\SysWOW64\WerFault.exe (×4)
PID 1072 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe (×4)
PID 1072 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\C19A.exe

C:\Users\Admin\AppData\Local\Temp\C19A.exe

C:\Users\Admin\AppData\Local\Temp\C19A.exe

C:\Users\Admin\AppData\Local\Temp\C19A.exe

C:\Users\Admin\AppData\Local\Temp\C534.exe

C:\Users\Admin\AppData\Local\Temp\C534.exe

C:\Users\Admin\AppData\Local\Temp\D5B8.exe

C:\Users\Admin\AppData\Local\Temp\D5B8.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E257.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E257.dll

C:\Users\Admin\AppData\Local\Temp\F377.exe

C:\Users\Admin\AppData\Local\Temp\F377.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 72

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\149F.exe

C:\Users\Admin\AppData\Local\Temp\149F.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\d868daea-8dfc-4491-ae36-2b8fd474906a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\system32\taskeng.exe

taskeng.exe {88B1D77F-01D7-4A08-B0E0-1D3BF23F6EF4} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\gdabdaj

C:\Users\Admin\AppData\Roaming\gdabdaj

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\C19A.exe

"C:\Users\Admin\AppData\Local\Temp\C19A.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016161010.log C:\Windows\Logs\CBS\CbsPersist_20231016161010.cab

C:\Users\Admin\AppData\Local\Temp\C19A.exe

"C:\Users\Admin\AppData\Local\Temp\C19A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\149F.exe

"C:\Users\Admin\AppData\Local\Temp\149F.exe"

C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build2.exe

"C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build2.exe"

C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build3.exe

"C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
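
Three of the command lines above deserve a detection rule on their own: the scheduled task that relaunches yiueea.exe every minute (/SC MINUTE /MO 1) from a Temp subfolder, the cacls sequence that first removes the Admin user's access to that file and its folder and then re-grants read only, together with the icacls call that denies Everyone (S-1-1-0) delete rights on the GUID-named AppData folder, and regsvr32 /s silently loading E257.dll out of Temp. The rules below are an added example by the editor, not the sandbox's signature logic. They work on raw command-line strings, so they apply to Sysmon event 1 or EDR process-creation telemetry as well as to this report; the rule names, the five-minute threshold and the benign DAILY task at the end of the sample list are the editor's assumptions.

```python
import re

# Command lines copied from the Processes section above, plus one constructed
# benign task creation at the end (not from the report) to show a non-hit.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit',
    r'CACLS "yiueea.exe" /P "Admin:N"',
    r'icacls "C:\Users\Admin\AppData\Local\d868daea-8dfc-4491-ae36-2b8fd474906a" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E257.dll',
    r'"C:\Users\Admin\AppData\Local\Temp\C19A.exe" --Admin IsNotAutoStart IsNotTask',
    r'"C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build2.exe"',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016161010.log C:\Windows\Logs\CBS\CbsPersist_20231016161010.cab',
    r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"',  # constructed benign row
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
GUID_DIR = re.compile(r"\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)
MAX_MINUTES = 5  # editor's threshold: a task repeating this often is a watchdog, not a job


def rule_schtasks(cmd):
    """Minute-interval task whose action lives in a user-writable directory."""
    if not re.search(r'schtasks(\.exe)?"?\s+/create\b', cmd, re.I):
        return None
    sc = re.search(r"/SC\s+(\w+)", cmd, re.I)
    mo = re.search(r"/MO\s+(\d+)", cmd, re.I)
    tr = re.search(r'/TR\s+"?([^"]+)"?', cmd, re.I)
    minutes = int(mo.group(1)) if mo else 1
    target = tr.group(1) if tr else ""
    if sc and sc.group(1).upper() == "MINUTE" and minutes <= MAX_MINUTES and USER_WRITABLE.search(target):
        return ("persistence:schtasks-minute-loop", f"every {minutes} min -> {target}")
    return None


def rule_acl_lockdown(cmd):
    """cacls ... /P user:N removes all of that user's access; icacls /deny blocks specific rights."""
    m = re.search(r'\bcacls\s+"([^"]+)"\s+/P\s+"[^":]+:N"', cmd, re.I)
    if m:
        return ("defense-evasion:acl-lockdown", f"cacls denies access to {m.group(1)}")
    m = re.search(r'\bicacls\s+"([^"]+)"\s+/deny\s+(\S+)', cmd, re.I)
    if m:
        return ("defense-evasion:acl-lockdown", f"icacls /deny {m.group(2)} on {m.group(1)}")
    return None


def rule_regsvr32(cmd):
    """regsvr32 loading a DLL from a user-writable path (LOLBin DLL execution)."""
    m = re.search(r'regsvr32(\.exe)?"?\s+(?:/[sui]\s+)*"?([^\s"]+\.dll)', cmd, re.I)
    if m and USER_WRITABLE.search(m.group(2)):
        return ("execution:regsvr32-user-dll", m.group(2))
    return None


def rule_guid_dir(cmd):
    """Executable started from a GUID-named folder under the user's profile."""
    m = re.match(r'"?([A-Z]:\\[^"]+?\.exe)"?', cmd, re.I)
    if m and GUID_DIR.search(m.group(1)) and USER_WRITABLE.search(m.group(1)):
        return ("persistence:exe-in-guid-appdata-dir", m.group(1))
    return None


RULES = [rule_schtasks, rule_acl_lockdown, rule_regsvr32, rule_guid_dir]


def scan(cmdlines):
    """Return (command line, rule name, detail) for every rule that fires."""
    hits = []
    for cmd in cmdlines:
        for rule in RULES:
            result = rule(cmd)
            if result:
                hits.append((cmd, *result))
    return hits


def summarize(hits):
    """Number of hits per rule name."""
    counts = {}
    for _, name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for cmd, name, detail in scan(SAMPLE_CMDLINES):
        print(f"[{name}] {detail}\n    {cmd}")
```

The cacls rule fires on the cmd.exe /k wrapper as well as on the child cacls.exe process, so in real telemetry it should be keyed on the innermost process to avoid double counting; the ACL rule is deliberately separate from the task rule because the two together (lock the file, then relaunch it every minute) are the combination that distinguishes this dropper from an ordinary updater.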

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
ET 196.188.169.138:80 zexeq.com tcp
UZ 195.158.3.162:80 colisumy.com tcp
ET 196.188.169.138:80 zexeq.com tcp
RU 31.41.244.27:41140 tcp
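
The Network table mixes three kinds of rows: DNS lookups (udp/53 to 8.8.8.8), HTTP(S) contacts to the names just resolved, and plain-IP TCP connections with no hostname at all (79.137.192.18:80, where the domain column merely repeats the IP, and 31.41.244.27:41140, where it is empty). The last kind is what a perimeter block list needs verbatim, because no DNS-based control will ever see it; api.2ip.ua, on the other hand, is a public external-IP lookup service (the "Looks up external IP address via web service" signature above) and is a behavioural indicator rather than infrastructure to block. The script below is an added example by the editor, not part of the report; it parses a subset of the rows copied from the table above and sorts destinations into those buckets. The BENIGN_SERVICES set is the editor's.

```python
from collections import defaultdict

# Subset of the Network table above, in its "<country> <ip:port> [<domain>] <proto>" layout.
NETWORK_ROWS = """
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 colisumy.com udp
UZ 195.158.3.162:80 colisumy.com tcp
RU 31.41.244.27:41140 tcp
""".strip().splitlines()

# Public services the sample uses for reconnaissance rather than command and control;
# keeping them out of the block list avoids breaking legitimate users of the same service.
BENIGN_SERVICES = {"api.2ip.ua"}


def parse_network(rows):
    """Split one report row into fields; the domain column is missing for raw-IP connections."""
    events = []
    for row in rows:
        parts = row.split()
        if len(parts) not in (3, 4):
            raise ValueError(f"unexpected row: {row!r}")
        domain = parts[2] if len(parts) == 4 else None
        ip, _, port = parts[1].rpartition(":")
        events.append({"cc": parts[0], "ip": ip, "port": int(port), "domain": domain, "proto": parts[-1]})
    return events


def triage_network(rows):
    """Bucket destinations: named infrastructure, hostname-less connections, and names only resolved."""
    by_domain, resolved, direct = defaultdict(set), set(), set()
    for ev in parse_network(rows):
        if ev["proto"] == "udp" and ev["port"] == 53:
            resolved.add(ev["domain"])          # a lookup, not a contact
            continue
        endpoint = f'{ev["ip"]}:{ev["port"]}'
        if ev["domain"] is None or ev["domain"] == ev["ip"]:
            direct.add(endpoint)                # no hostname involved: DNS controls never see this
        else:
            by_domain[ev["domain"]].add(endpoint)
    return {
        "domains": {d: sorted(e) for d, e in by_domain.items()},
        "direct_ip": sorted(direct),
        "dns_only": sorted(resolved - set(by_domain)),
    }


def block_list(triage):
    """Indicators to block: every contacted name except known public services, plus raw endpoints."""
    names = sorted(d for d in triage["domains"] if d not in BENIGN_SERVICES)
    return {"domains": names, "endpoints": triage["direct_ip"]}


if __name__ == "__main__":
    t = triage_network(NETWORK_ROWS)
    for domain, endpoints in sorted(t["domains"].items()):
        print(f"{domain}: {', '.join(endpoints)}")
    print("direct-IP:", t["direct_ip"], "| dns-only:", t["dns_only"])
    print("block list:", block_list(t))
```

The dns_only bucket is empty for this trace but is worth keeping: a name the sample resolved and never connected to is still a name it knows, and a sinkholed or not-yet-live domain shows up exactly there.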

Files

memory/2800-1-0x00000000008B0000-0x00000000009B0000-memory.dmp

memory/2800-3-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2800-2-0x0000000000400000-0x00000000007CB000-memory.dmp

memory/2800-5-0x0000000000400000-0x00000000007CB000-memory.dmp

memory/1200-4-0x0000000002AC0000-0x0000000002AD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C19A.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/2616-21-0x0000000000250000-0x00000000002E2000-memory.dmp

memory/2616-22-0x0000000000250000-0x00000000002E2000-memory.dmp

memory/2616-23-0x00000000020A0000-0x00000000021BB000-memory.dmp

\Users\Admin\AppData\Local\Temp\C19A.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/2728-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2728-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1200-31-0x000007FEF58D0000-0x000007FEF5A13000-memory.dmp

memory/1200-32-0x000007FF2D410000-0x000007FF2D41A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C534.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/3000-36-0x00000000008D0000-0x0000000001078000-memory.dmp

memory/2728-38-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D5B8.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/3000-45-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-39-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-46-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-47-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-48-0x0000000074F90000-0x0000000074FD7000-memory.dmp

memory/3000-49-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-53-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-51-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-54-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-56-0x0000000074F90000-0x0000000074FD7000-memory.dmp

memory/3000-55-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-57-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/2648-59-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2648-61-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3000-60-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-58-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-62-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/2648-64-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3000-68-0x00000000756D0000-0x00000000757E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E257.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/2648-66-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3000-65-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-70-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/2648-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\E257.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/3000-71-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/2880-75-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/2880-77-0x0000000000200000-0x0000000000206000-memory.dmp

memory/3000-74-0x00000000773A0000-0x00000000773A2000-memory.dmp

memory/2728-73-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2880-82-0x00000000023D0000-0x00000000024D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\F377.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2880-87-0x0000000000D00000-0x0000000000DF0000-memory.dmp

memory/2880-88-0x0000000000D00000-0x0000000000DF0000-memory.dmp

memory/2880-90-0x0000000000D00000-0x0000000000DF0000-memory.dmp

memory/2880-91-0x0000000000D00000-0x0000000000DF0000-memory.dmp

memory/2648-99-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2648-92-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\D5B8.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\149F.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/552-115-0x00000000048E0000-0x0000000004CD8000-memory.dmp

memory/1756-127-0x00000000000C0000-0x000000000012B000-memory.dmp

memory/1128-137-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1128-144-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1756-145-0x00000000000C0000-0x000000000012B000-memory.dmp

memory/3000-146-0x00000000008D0000-0x0000000001078000-memory.dmp

\Users\Admin\AppData\Local\Temp\D5B8.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/3000-148-0x0000000074210000-0x00000000748FE000-memory.dmp

memory/2728-149-0x0000000000400000-0x0000000000537000-memory.dmp

memory/552-151-0x00000000048E0000-0x0000000004CD8000-memory.dmp

memory/552-152-0x0000000004CE0000-0x00000000055CB000-memory.dmp

memory/552-153-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\d868daea-8dfc-4491-ae36-2b8fd474906a\C19A.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\149F.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/3000-156-0x00000000008D0000-0x0000000001078000-memory.dmp

C:\Users\Admin\AppData\Roaming\gdabdaj

MD5 40c62fd363e36623ea72fde545ad157f
SHA1 a7df4bb08f97f46f3496bf5deb38423627f222e1
SHA256 57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29
SHA512 9dd4cd5bd6e5566625e12b6eee1ddba66f8f4d50100432b46dd488c3fd156259fa5aecfd9d1261841f5264daffaae8f53621f8a5e27b66bb1fff593c6cfa14ee

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Roaming\gdabdaj

MD5 40c62fd363e36623ea72fde545ad157f
SHA1 a7df4bb08f97f46f3496bf5deb38423627f222e1
SHA256 57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29
SHA512 9dd4cd5bd6e5566625e12b6eee1ddba66f8f4d50100432b46dd488c3fd156259fa5aecfd9d1261841f5264daffaae8f53621f8a5e27b66bb1fff593c6cfa14ee

memory/3000-161-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/552-162-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3000-163-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/2728-164-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3000-165-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/2044-166-0x0000000000400000-0x00000000007CB000-memory.dmp

memory/3000-167-0x0000000074F90000-0x0000000074FD7000-memory.dmp

memory/3000-168-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-169-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-170-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-171-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-172-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-174-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-175-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-176-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-177-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/3000-178-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/2044-179-0x00000000008B0000-0x00000000009B0000-memory.dmp

memory/3000-180-0x00000000756D0000-0x00000000757E0000-memory.dmp

memory/1200-181-0x0000000003A00000-0x0000000003A16000-memory.dmp

memory/2044-182-0x0000000000400000-0x00000000007CB000-memory.dmp

\Users\Admin\AppData\Local\Temp\C19A.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

\Users\Admin\AppData\Local\Temp\C19A.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\C19A.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/2728-187-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3000-190-0x0000000074210000-0x00000000748FE000-memory.dmp

memory/1728-191-0x0000000000250000-0x00000000002E2000-memory.dmp

\Users\Admin\AppData\Local\Temp\C19A.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/552-196-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1728-199-0x0000000000250000-0x00000000002E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C19A.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/3000-200-0x0000000000370000-0x00000000003B0000-memory.dmp

memory/2624-201-0x0000000000400000-0x0000000000537000-memory.dmp

memory/552-202-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2624-203-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e29407f7eb0a3ca9519de1f9d4dd5d3b
SHA1 323fce8d47a1480b0c9f3a3c4466c044a9786540
SHA256 fad6ef9d7383f47be968eb781f6e06deb3c43a02f64f4bffec7adaaa94587e30
SHA512 4e83ab56848f8f241ef3f2b9177d33bba2d1af37b0508ab12e6027ddf53445ad776febc4298bdbc8a6926c98f97e038986e657cff42ebdc717497052f6f619ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 7ccf2a63365d0eee235515ed4b6e016f
SHA1 02c09e598966b21fc543b8d1aeff7ee8069ea0d9
SHA256 57f2965ab4246734da13cf26f7d691eb6c7fd2aa63ae6b479006ceef981fa289
SHA512 7e3c396f43002181a74c7c43218c575e9d931ce4ed3ad0d1b10eacaec7c951ec95dff008f7a01f86fbc882424a200bf06e2623d6374ba8ba8486ed272acd142b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 246f80d949cf1501a4fed042cee5eaec
SHA1 d8bdf961bd8bac3751f4adf44cfe1d2868f62433
SHA256 a5201f640b532758a362730f2cf3f4149490c533e9735d354fd668e681a4eb1c
SHA512 f2c9a7dbe9c9dc039a6f9c468ec36d85cb26ad725744a0731d32916a67f8ae67f77306cefacfd249b6b692e45d68620da5c708c5b85b42eb43a33357d182020c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 bf75e238ed085811333bd26b7e256f11
SHA1 ea96c288d6e2f61a4e0838cbe1870990a583adae
SHA256 7e6098bd0ef30d68efff8a483122dab018ef4ba62dad8b4f5064efd31832ff80
SHA512 ee8de8d5c215bdbb61459bec997b5bd6ca38a155584d0e63f85a21785b15218cc416c8f798c5bcb2f2d5e256990a1ba8edd1bd75011a421937458299f2af2d36

C:\Users\Admin\AppData\Local\Temp\Cab6C0C.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2624-217-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2624-218-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2624-225-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2976-221-0x00000000049B0000-0x0000000004DA8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\149F.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2624-238-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2624-242-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

memory/552-220-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3000-247-0x00000000003B0000-0x00000000003CC000-memory.dmp

\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2624-267-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\90a1bf70-f11d-4715-b5d4-8dc54fcaa300\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2976-270-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2624-272-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2976-273-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2976-275-0x00000000049B0000-0x0000000004DA8000-memory.dmp

memory/3000-277-0x0000000000370000-0x00000000003B0000-memory.dmp

memory/3000-278-0x00000000003B0000-0x00000000003C5000-memory.dmp

memory/3000-302-0x0000000000450000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Analysis: behavioral2

Detonation Overview

Submitted 2023-10-16 16:08

Reported 2023-10-16 16:11

Platform win10v2004-20230915-en

Max time kernel 51s

Max time network 83s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Deletes itself


Themida packer

themida

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3180 wrote to memory of 4612 N/A N/A C:\Users\Admin\AppData\Local\Temp\3812.exe
PID 3180 wrote to memory of 4612 N/A N/A C:\Users\Admin\AppData\Local\Temp\3812.exe
PID 3180 wrote to memory of 4612 N/A N/A C:\Users\Admin\AppData\Local\Temp\3812.exe
PID 3180 wrote to memory of 3176 N/A N/A C:\Users\Admin\AppData\Local\Temp\3CF5.exe
PID 3180 wrote to memory of 3176 N/A N/A C:\Users\Admin\AppData\Local\Temp\3CF5.exe
PID 3180 wrote to memory of 3176 N/A N/A C:\Users\Admin\AppData\Local\Temp\3CF5.exe
PID 3180 wrote to memory of 3920 N/A N/A C:\Users\Admin\AppData\Local\Temp\4B8D.exe
PID 3180 wrote to memory of 3920 N/A N/A C:\Users\Admin\AppData\Local\Temp\4B8D.exe
PID 3180 wrote to memory of 3920 N/A N/A C:\Users\Admin\AppData\Local\Temp\4B8D.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\3812.exe

C:\Users\Admin\AppData\Local\Temp\3812.exe

C:\Users\Admin\AppData\Local\Temp\3CF5.exe

C:\Users\Admin\AppData\Local\Temp\3CF5.exe

C:\Users\Admin\AppData\Roaming\jivatab

C:\Users\Admin\AppData\Roaming\jivatab

C:\Users\Admin\AppData\Local\Temp\4B8D.exe

C:\Users\Admin\AppData\Local\Temp\4B8D.exe

C:\Users\Admin\AppData\Local\Temp\3812.exe

C:\Users\Admin\AppData\Local\Temp\3812.exe

Network


Files
