Malware Analysis Report

2025-01-18 06:19

Sample ID 231016-x2wnxsgh22
Target 05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e
SHA256 05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan pub1
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e

Threat Level: Known bad

The file 05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e was found to be: Known bad.

Malicious Activity Summary


Amadey

Djvu Ransomware

RedLine

RedLine payload

SmokeLoader

Detected Djvu ransomware

Glupteba payload

Glupteba

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies file permissions

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Deletes itself

Themida packer

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

outlook_office_path

Suspicious behavior: AddClipboardFormatListener

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 19:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 19:21

Reported

2023-10-17 00:26

Platform

win7-20230831-en

Max time kernel

146s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (×16)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (×8)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (×5)

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2128.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2128.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2128.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4025f875-5a38-4387-95d6-f664185de839\\1E5A.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\1E5A.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2128.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (×3)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2128.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
N/A N/A N/A N/A (×62)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
N/A N/A N/A N/A (×4)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5824.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5824.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1252 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E5A.exe (×4)
PID 1252 wrote to memory of 2696 N/A N/A C:\Users\Admin\AppData\Local\Temp\2128.exe (×4)
PID 2708 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\1E5A.exe C:\Users\Admin\AppData\Local\Temp\1E5A.exe (×11)
PID 1252 wrote to memory of 2540 N/A N/A C:\Windows\system32\regsvr32.exe (×5)
PID 2540 wrote to memory of 3016 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe (×7)
PID 1252 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Temp\2DC7.exe (×4)
PID 1252 wrote to memory of 2156 N/A N/A C:\Users\Admin\AppData\Local\Temp\409D.exe (×4)
PID 1752 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\1E5A.exe C:\Windows\SysWOW64\icacls.exe (×4)
PID 2156 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\409D.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe (×4)
PID 1252 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\5824.exe (×4)
PID 1252 wrote to memory of 2880 N/A N/A C:\Windows\SysWOW64\explorer.exe (×5)
PID 1252 wrote to memory of 2068 N/A N/A C:\Windows\explorer.exe (×4)
PID 860 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe (×4)

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe

"C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe"

C:\Users\Admin\AppData\Local\Temp\1E5A.exe

C:\Users\Admin\AppData\Local\Temp\1E5A.exe

C:\Users\Admin\AppData\Local\Temp\2128.exe

C:\Users\Admin\AppData\Local\Temp\2128.exe

C:\Users\Admin\AppData\Local\Temp\1E5A.exe

C:\Users\Admin\AppData\Local\Temp\1E5A.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2ABA.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\2ABA.dll

C:\Users\Admin\AppData\Local\Temp\2DC7.exe

C:\Users\Admin\AppData\Local\Temp\2DC7.exe

C:\Users\Admin\AppData\Local\Temp\409D.exe

C:\Users\Admin\AppData\Local\Temp\409D.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\4025f875-5a38-4387-95d6-f664185de839" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\5824.exe

C:\Users\Admin\AppData\Local\Temp\5824.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1E5A.exe

"C:\Users\Admin\AppData\Local\Temp\1E5A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1E5A.exe

"C:\Users\Admin\AppData\Local\Temp\1E5A.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\taskeng.exe

taskeng.exe {439A822F-B40D-4803-BD3C-818C10A6383A} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231017002611.log C:\Windows\Logs\CBS\CbsPersist_20231017002611.cab

C:\Users\Admin\AppData\Local\Temp\5824.exe

"C:\Users\Admin\AppData\Local\Temp\5824.exe"

C:\Users\Admin\AppData\Local\76d2a35f-67e0-4f0c-aba0-90fae8da9a04\build2.exe

"C:\Users\Admin\AppData\Local\76d2a35f-67e0-4f0c-aba0-90fae8da9a04\build2.exe"

C:\Users\Admin\AppData\Local\76d2a35f-67e0-4f0c-aba0-90fae8da9a04\build3.exe

"C:\Users\Admin\AppData\Local\76d2a35f-67e0-4f0c-aba0-90fae8da9a04\build3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
UZ 195.158.3.162:80 zexeq.com tcp
KR 211.40.39.251:80 colisumy.com tcp
UZ 195.158.3.162:80 zexeq.com tcp

Files

memory/3028-1-0x0000000000960000-0x0000000000A60000-memory.dmp

memory/3028-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/3028-3-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/3028-5-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1252-4-0x0000000002A50000-0x0000000002A66000-memory.dmp

memory/3028-8-0x0000000000220000-0x000000000022B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1E5A.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Local\Temp\1E5A.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/2696-25-0x0000000001200000-0x00000000019A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2128.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/2708-26-0x0000000000360000-0x00000000003F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1E5A.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/1752-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1752-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1E5A.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

\Users\Admin\AppData\Local\Temp\1E5A.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/2708-34-0x00000000021A0000-0x00000000022BB000-memory.dmp

memory/2708-33-0x0000000000360000-0x00000000003F2000-memory.dmp

memory/2696-35-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-38-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-37-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-40-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-39-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-41-0x00000000751B0000-0x00000000751F7000-memory.dmp

memory/2696-43-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-42-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-45-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-47-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-49-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-50-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-51-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-52-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-53-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-54-0x0000000077740000-0x0000000077742000-memory.dmp

memory/1752-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2696-48-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/1752-56-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ABA.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

\Users\Admin\AppData\Local\Temp\2ABA.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/2696-60-0x0000000001200000-0x00000000019A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2DC7.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

memory/2696-66-0x0000000074690000-0x0000000074D7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2DC7.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

memory/3016-69-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/3016-68-0x0000000000110000-0x0000000000116000-memory.dmp

memory/3016-71-0x0000000002230000-0x0000000002338000-memory.dmp

memory/3016-73-0x0000000002340000-0x0000000002430000-memory.dmp

memory/3016-74-0x0000000002340000-0x0000000002430000-memory.dmp

memory/3016-76-0x0000000002340000-0x0000000002430000-memory.dmp

memory/2696-77-0x0000000001200000-0x00000000019A8000-memory.dmp

memory/3016-78-0x0000000002340000-0x0000000002430000-memory.dmp

memory/2696-79-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-80-0x00000000751B0000-0x00000000751F7000-memory.dmp

memory/2696-82-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-83-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-85-0x00000000770C0000-0x00000000771D0000-memory.dmp

memory/2696-87-0x00000000770C0000-0x00000000771D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\409D.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\409D.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2696-91-0x00000000770C0000-0x00000000771D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\4025f875-5a38-4387-95d6-f664185de839\1E5A.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/1752-111-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2696-112-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/2696-114-0x00000000056C0000-0x0000000005700000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\5824.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2780-125-0x00000000049F0000-0x0000000004DE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5824.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2068-129-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2068-130-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2780-131-0x00000000049F0000-0x0000000004DE8000-memory.dmp

memory/2780-132-0x0000000004DF0000-0x00000000056DB000-memory.dmp

memory/2780-133-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2696-134-0x00000000056C0000-0x0000000005700000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-16 19:21

Reported

2023-10-17 00:26

Platform

win10v2004-20230915-en

Max time kernel

160s

Max time network

187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\EFFA.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\EFFA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\EFFA.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F79E.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EB45.exe N/A

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\03a03d28-876d-43c4-b0a0-aa009927a278\\EB45.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\EB45.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\EFFA.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EFFA.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FBA6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FBA6.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FBA6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBA6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EFFA.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 4372 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe
PID 2420 wrote to memory of 4372 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe
PID 2420 wrote to memory of 4372 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe
PID 2420 wrote to memory of 3672 N/A N/A C:\Users\Admin\AppData\Local\Temp\EFFA.exe
PID 2420 wrote to memory of 3672 N/A N/A C:\Users\Admin\AppData\Local\Temp\EFFA.exe
PID 2420 wrote to memory of 3672 N/A N/A C:\Users\Admin\AppData\Local\Temp\EFFA.exe
PID 2420 wrote to memory of 3224 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2420 wrote to memory of 3224 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2420 wrote to memory of 4256 N/A N/A C:\Users\Admin\AppData\Local\Temp\F53B.exe
PID 2420 wrote to memory of 4256 N/A N/A C:\Users\Admin\AppData\Local\Temp\F53B.exe
PID 2420 wrote to memory of 4256 N/A N/A C:\Users\Admin\AppData\Local\Temp\F53B.exe
PID 2420 wrote to memory of 3796 N/A N/A C:\Users\Admin\AppData\Local\Temp\F79E.exe
PID 2420 wrote to memory of 3796 N/A N/A C:\Users\Admin\AppData\Local\Temp\F79E.exe
PID 2420 wrote to memory of 3796 N/A N/A C:\Users\Admin\AppData\Local\Temp\F79E.exe
PID 2420 wrote to memory of 4084 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBA6.exe
PID 2420 wrote to memory of 4084 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBA6.exe
PID 2420 wrote to memory of 4084 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBA6.exe
PID 2420 wrote to memory of 2100 N/A N/A C:\Users\Admin\AppData\Local\Temp\442.exe
PID 2420 wrote to memory of 2100 N/A N/A C:\Users\Admin\AppData\Local\Temp\442.exe
PID 2420 wrote to memory of 2100 N/A N/A C:\Users\Admin\AppData\Local\Temp\442.exe
PID 3224 wrote to memory of 3252 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3224 wrote to memory of 3252 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3224 wrote to memory of 3252 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2420 wrote to memory of 1944 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2420 wrote to memory of 1944 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2420 wrote to memory of 1944 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2420 wrote to memory of 1944 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2420 wrote to memory of 4068 N/A N/A C:\Windows\explorer.exe
PID 2420 wrote to memory of 4068 N/A N/A C:\Windows\explorer.exe
PID 2420 wrote to memory of 4068 N/A N/A C:\Windows\explorer.exe
PID 4372 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe C:\Users\Admin\AppData\Local\Temp\EB45.exe
PID 4372 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe C:\Users\Admin\AppData\Local\Temp\EB45.exe
PID 4372 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe C:\Users\Admin\AppData\Local\Temp\EB45.exe
PID 4372 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe C:\Users\Admin\AppData\Local\Temp\EB45.exe
PID 4372 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe C:\Users\Admin\AppData\Local\Temp\EB45.exe
PID 4372 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe C:\Users\Admin\AppData\Local\Temp\EB45.exe
PID 4372 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe C:\Users\Admin\AppData\Local\Temp\EB45.exe
PID 4372 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe C:\Users\Admin\AppData\Local\Temp\EB45.exe
PID 4372 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe C:\Users\Admin\AppData\Local\Temp\EB45.exe
PID 4372 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe C:\Users\Admin\AppData\Local\Temp\EB45.exe
PID 3796 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\F79E.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3796 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\F79E.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3796 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\F79E.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2368 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2368 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2368 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2368 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2308 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2308 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2308 wrote to memory of 4660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2308 wrote to memory of 4660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2308 wrote to memory of 4660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2308 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 3876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe C:\Windows\SysWOW64\icacls.exe
PID 2032 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe C:\Windows\SysWOW64\icacls.exe
PID 2032 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\EB45.exe C:\Windows\SysWOW64\icacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe

"C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe"

C:\Users\Admin\AppData\Local\Temp\EB45.exe

C:\Users\Admin\AppData\Local\Temp\EB45.exe

C:\Users\Admin\AppData\Local\Temp\EFFA.exe

C:\Users\Admin\AppData\Local\Temp\EFFA.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F431.dll

C:\Users\Admin\AppData\Local\Temp\F53B.exe

C:\Users\Admin\AppData\Local\Temp\F53B.exe

C:\Users\Admin\AppData\Local\Temp\F79E.exe

C:\Users\Admin\AppData\Local\Temp\F79E.exe

C:\Users\Admin\AppData\Local\Temp\FBA6.exe

C:\Users\Admin\AppData\Local\Temp\FBA6.exe

C:\Users\Admin\AppData\Local\Temp\442.exe

C:\Users\Admin\AppData\Local\Temp\442.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F431.dll

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\EB45.exe

C:\Users\Admin\AppData\Local\Temp\EB45.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\03a03d28-876d-43c4-b0a0-aa009927a278" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\EB45.exe

"C:\Users\Admin\AppData\Local\Temp\EB45.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\EB45.exe

"C:\Users\Admin\AppData\Local\Temp\EB45.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1452 -ip 1452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9F89.exe

C:\Users\Admin\AppData\Local\Temp\9F89.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4384 -ip 4384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 972

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Files


C:\Users\Admin\AppData\Local\Temp\F79E.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3672-45-0x0000000000430000-0x0000000000BD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FBA6.exe

MD5 5b29d4dbdc68f1bdaadfdc9dc45cc8ea
SHA1 6114ec321ccbf2cfc296fc0561e2b2031033c2fa
SHA256 17cd8a3817b5f220fab56b210b3e8b9c11a96ed9148ced9baf75e67ea7f6634f
SHA512 07fba426172f02247f5efd6aee80f07199a0558956553d81278436edfa48772bde620cf15e9f87ee394326a5cdc144d0ffea70d9a653a87002662682a7e35158

memory/3672-46-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

memory/3672-47-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

memory/4372-49-0x0000000002370000-0x000000000240F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\442.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\442.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/3672-55-0x0000000077B54000-0x0000000077B56000-memory.dmp

memory/3672-57-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

memory/3672-58-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

memory/4084-59-0x00000000008F0000-0x00000000009F0000-memory.dmp

memory/4084-60-0x0000000000810000-0x000000000081B000-memory.dmp

memory/4084-61-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F431.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/3672-65-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

memory/2100-66-0x0000000004CB0000-0x00000000050B0000-memory.dmp

memory/2100-69-0x00000000050B0000-0x000000000599B000-memory.dmp

memory/4068-70-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

memory/2100-71-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4068-73-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

memory/3672-74-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

memory/2032-75-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2032-77-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EB45.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/2420-78-0x0000000003310000-0x0000000003326000-memory.dmp

memory/4084-81-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2032-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3672-83-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

memory/3672-84-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F431.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/3672-86-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

memory/2032-87-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1944-88-0x0000000000F40000-0x0000000000FAB000-memory.dmp

memory/2100-89-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1944-90-0x0000000000FB0000-0x0000000001030000-memory.dmp

memory/1944-91-0x0000000000F40000-0x0000000000FAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3252-93-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/3252-96-0x0000000001340000-0x0000000001346000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3252-103-0x00000000030F0000-0x00000000031F8000-memory.dmp

memory/2100-105-0x0000000004CB0000-0x00000000050B0000-memory.dmp

memory/3252-106-0x0000000003200000-0x00000000032F0000-memory.dmp

memory/3252-107-0x0000000003200000-0x00000000032F0000-memory.dmp

memory/3252-109-0x0000000003200000-0x00000000032F0000-memory.dmp

memory/3252-132-0x0000000003200000-0x00000000032F0000-memory.dmp

memory/1944-139-0x0000000000F40000-0x0000000000FAB000-memory.dmp

C:\Users\Admin\AppData\Local\03a03d28-876d-43c4-b0a0-aa009927a278\EB45.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/2100-142-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3672-144-0x0000000000430000-0x0000000000BD8000-memory.dmp

memory/2032-145-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Roaming\rdeiugh

MD5 5b29d4dbdc68f1bdaadfdc9dc45cc8ea
SHA1 6114ec321ccbf2cfc296fc0561e2b2031033c2fa
SHA256 17cd8a3817b5f220fab56b210b3e8b9c11a96ed9148ced9baf75e67ea7f6634f
SHA512 07fba426172f02247f5efd6aee80f07199a0558956553d81278436edfa48772bde620cf15e9f87ee394326a5cdc144d0ffea70d9a653a87002662682a7e35158

C:\Users\Admin\AppData\Local\Temp\EB45.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/2032-149-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3672-152-0x0000000005E10000-0x00000000063B4000-memory.dmp

memory/4804-154-0x00000000024B0000-0x0000000002545000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EB45.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/1452-157-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1452-158-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1452-160-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2100-161-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3672-162-0x0000000005900000-0x0000000005992000-memory.dmp

memory/3672-164-0x0000000005B40000-0x0000000005BDC000-memory.dmp

memory/1100-165-0x00000000736E0000-0x0000000073E90000-memory.dmp

memory/1100-166-0x0000000003000000-0x0000000003010000-memory.dmp

memory/1100-167-0x0000000002F60000-0x0000000002F96000-memory.dmp

memory/1100-168-0x0000000003000000-0x0000000003010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9F89.exe

MD5 127d9aa15745b8281f896ec39d7a38c3
SHA1 50fe9c2a7514614923409d74ee77ddc2be90ddf2
SHA256 bf208ca88ac059bbd01a06c624628d02bae92a68d46589bc9903f6c2a69a334c
SHA512 c67ead755ca2d71ad00843ba8b1ec7287975058c924c17f77ed94f50d67fa11541722735393daa255dacd3fd63dedc89dcb70b3b109f25763ea584c05b77ec08

C:\Users\Admin\AppData\Local\Temp\9F89.exe

MD5 127d9aa15745b8281f896ec39d7a38c3
SHA1 50fe9c2a7514614923409d74ee77ddc2be90ddf2
SHA256 bf208ca88ac059bbd01a06c624628d02bae92a68d46589bc9903f6c2a69a334c
SHA512 c67ead755ca2d71ad00843ba8b1ec7287975058c924c17f77ed94f50d67fa11541722735393daa255dacd3fd63dedc89dcb70b3b109f25763ea584c05b77ec08

memory/1100-175-0x00000000056A0000-0x0000000005CC8000-memory.dmp

memory/2100-174-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4384-177-0x0000000000910000-0x0000000000A10000-memory.dmp

memory/1248-179-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1100-180-0x00000000736E0000-0x0000000073E90000-memory.dmp

memory/4384-181-0x00000000024D0000-0x0000000002561000-memory.dmp

memory/4384-182-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1248-183-0x00000000736E0000-0x0000000073E90000-memory.dmp

memory/1100-185-0x0000000003000000-0x0000000003010000-memory.dmp

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 127d9aa15745b8281f896ec39d7a38c3
SHA1 50fe9c2a7514614923409d74ee77ddc2be90ddf2
SHA256 bf208ca88ac059bbd01a06c624628d02bae92a68d46589bc9903f6c2a69a334c
SHA512 c67ead755ca2d71ad00843ba8b1ec7287975058c924c17f77ed94f50d67fa11541722735393daa255dacd3fd63dedc89dcb70b3b109f25763ea584c05b77ec08

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 127d9aa15745b8281f896ec39d7a38c3
SHA1 50fe9c2a7514614923409d74ee77ddc2be90ddf2
SHA256 bf208ca88ac059bbd01a06c624628d02bae92a68d46589bc9903f6c2a69a334c
SHA512 c67ead755ca2d71ad00843ba8b1ec7287975058c924c17f77ed94f50d67fa11541722735393daa255dacd3fd63dedc89dcb70b3b109f25763ea584c05b77ec08

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 127d9aa15745b8281f896ec39d7a38c3
SHA1 50fe9c2a7514614923409d74ee77ddc2be90ddf2
SHA256 bf208ca88ac059bbd01a06c624628d02bae92a68d46589bc9903f6c2a69a334c
SHA512 c67ead755ca2d71ad00843ba8b1ec7287975058c924c17f77ed94f50d67fa11541722735393daa255dacd3fd63dedc89dcb70b3b109f25763ea584c05b77ec08

memory/1100-191-0x0000000003000000-0x0000000003010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1248-193-0x0000000007670000-0x0000000007680000-memory.dmp

memory/1432-195-0x0000000000840000-0x0000000000940000-memory.dmp

memory/4384-196-0x0000000000910000-0x0000000000A10000-memory.dmp

memory/1432-197-0x0000000000400000-0x000000000083B000-memory.dmp

memory/4384-199-0x0000000000400000-0x000000000083B000-memory.dmp

memory/1248-200-0x00000000736E0000-0x0000000073E90000-memory.dmp

memory/1100-202-0x00000000054A0000-0x00000000054C2000-memory.dmp

memory/1100-203-0x0000000005CD0000-0x0000000005D36000-memory.dmp

memory/1100-204-0x0000000005F20000-0x0000000005F86000-memory.dmp

memory/1248-205-0x00000000075E0000-0x00000000075EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bx3caijv.5sw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1248-213-0x0000000007670000-0x0000000007680000-memory.dmp

memory/3672-229-0x0000000006550000-0x0000000006565000-memory.dmp

memory/3672-230-0x0000000006550000-0x0000000006565000-memory.dmp

memory/3672-232-0x0000000006550000-0x0000000006565000-memory.dmp

memory/3672-236-0x0000000006550000-0x0000000006565000-memory.dmp

memory/3672-234-0x0000000006550000-0x0000000006565000-memory.dmp

memory/3672-238-0x0000000006550000-0x0000000006565000-memory.dmp

memory/3672-240-0x0000000006550000-0x0000000006565000-memory.dmp

memory/3672-242-0x0000000006550000-0x0000000006565000-memory.dmp

memory/3672-244-0x0000000006550000-0x0000000006565000-memory.dmp