Analysis Overview
SHA256
779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
Detected Djvu ransomware
Glupteba
Glupteba payload
RedLine payload
RedLine
SmokeLoader
Djvu Ransomware
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Modifies Windows Firewall
Deletes itself
Checks computer location settings
Modifies file permissions
Themida packer
Loads dropped DLL
Checks BIOS information in registry
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Checks whether UAC is enabled
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates system info in registry
outlook_office_path
Suspicious use of UnmapMainImage
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-17 01:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-17 01:31
Reported
2023-10-17 01:34
Platform
win7-20230831-en
Max time kernel
46s
Max time network
154s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\28A7.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\28A7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\28A7.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\258A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28A7.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\28A7.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28A7.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1192 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\258A.exe |
| PID 1192 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\258A.exe |
| PID 1192 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\258A.exe |
| PID 1192 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\258A.exe |
| PID 1192 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28A7.exe |
| PID 1192 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28A7.exe |
| PID 1192 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28A7.exe |
| PID 1192 wrote to memory of 2560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28A7.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\258A.exe
C:\Users\Admin\AppData\Local\Temp\258A.exe
C:\Users\Admin\AppData\Local\Temp\28A7.exe
C:\Users\Admin\AppData\Local\Temp\28A7.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3094.dll
C:\Users\Admin\AppData\Local\Temp\34C9.exe
C:\Users\Admin\AppData\Local\Temp\34C9.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\3094.dll
C:\Users\Admin\AppData\Local\Temp\258A.exe
C:\Users\Admin\AppData\Local\Temp\258A.exe
C:\Users\Admin\AppData\Local\Temp\4A7C.exe
C:\Users\Admin\AppData\Local\Temp\4A7C.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\765ead5c-f514-42b6-9a56-51e48c554f1c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\258A.exe
"C:\Users\Admin\AppData\Local\Temp\258A.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Users\Admin\AppData\Local\Temp\258A.exe
"C:\Users\Admin\AppData\Local\Temp\258A.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\598A.exe
C:\Users\Admin\AppData\Local\Temp\598A.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231017013328.log C:\Windows\Logs\CBS\CbsPersist_20231017013328.cab
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build2.exe
"C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build2.exe"
C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build2.exe
"C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build2.exe"
C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build3.exe
"C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build3.exe"
C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build3.exe
"C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\598A.exe
"C:\Users\Admin\AppData\Local\Temp\598A.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\taskeng.exe
taskeng.exe {74637911-DF05-430D-9087-78A4B3D07055} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| RU | 79.137.192.18:80 | | tcp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| KR | 211.181.24.132:80 | colisumy.com | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| KR | 211.168.53.110:80 | zexeq.com | tcp |
| JP | 23.207.106.113:443 | | tcp |
| DE | 49.12.118.149:80 | 49.12.118.149 | tcp |
| RU | 31.41.244.27:41140 | | tcp |
| GB | 145.239.200.147:30225 | | tcp |
| US | 172.67.213.185:443 | | tcp |
| US | 8.8.8.8:53 | c4871c64-5aca-48fd-9d96-9d75c87b3245.uuid.thestatsfiles.ru | udp |
| US | 162.159.135.233:443 | | tcp |
| US | 20.150.79.68:443 | | tcp |
Files
memory/2940-1-0x0000000000920000-0x0000000000A20000-memory.dmp
memory/2940-3-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2940-2-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/1192-4-0x0000000002A40000-0x0000000002A56000-memory.dmp
memory/2940-5-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/1192-11-0x000007FEF5680000-0x000007FEF57C3000-memory.dmp
memory/1192-12-0x000007FE93520000-0x000007FE9352A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\258A.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
C:\Users\Admin\AppData\Local\Temp\258A.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/2560-26-0x0000000000280000-0x0000000000A28000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\28A7.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
memory/2560-27-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-33-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2468-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2560-30-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-41-0x0000000075980000-0x0000000075A90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\258A.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/2560-46-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-48-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-50-0x0000000075DE0000-0x0000000075E27000-memory.dmp
memory/2560-53-0x0000000075980000-0x0000000075A90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3094.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
memory/2468-56-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2560-58-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-60-0x0000000075DE0000-0x0000000075E27000-memory.dmp
memory/2560-62-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-64-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-65-0x0000000075980000-0x0000000075A90000-memory.dmp
\Users\Admin\AppData\Local\Temp\3094.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
memory/2560-67-0x00000000770E0000-0x00000000770E2000-memory.dmp
memory/1192-63-0x000007FEF5680000-0x000007FEF57C3000-memory.dmp
memory/2836-69-0x0000000010000000-0x00000000101E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\34C9.exe
| MD5 | 7d7ad41ac102ec1f3919414e1346f983 |
| SHA1 | b920bd01839c9b9c5d07ab7925f3ed97a5761b0e |
| SHA256 | f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8 |
| SHA512 | 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008 |
C:\Users\Admin\AppData\Local\Temp\34C9.exe
| MD5 | 7d7ad41ac102ec1f3919414e1346f983 |
| SHA1 | b920bd01839c9b9c5d07ab7925f3ed97a5761b0e |
| SHA256 | f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8 |
| SHA512 | 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008 |
memory/2560-76-0x0000000000280000-0x0000000000A28000-memory.dmp
memory/2560-61-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-59-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-57-0x0000000075DE0000-0x0000000075E27000-memory.dmp
memory/2560-54-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-52-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-49-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2776-47-0x00000000021D0000-0x00000000022EB000-memory.dmp
memory/2776-45-0x0000000000850000-0x00000000008E2000-memory.dmp
memory/2560-42-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-39-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2468-40-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2560-37-0x0000000075DE0000-0x0000000075E27000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\258A.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
\Users\Admin\AppData\Local\Temp\258A.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/2776-29-0x0000000000850000-0x00000000008E2000-memory.dmp
memory/2560-28-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2836-77-0x0000000002070000-0x0000000002178000-memory.dmp
memory/2836-78-0x0000000000580000-0x0000000000670000-memory.dmp
memory/2836-79-0x0000000000580000-0x0000000000670000-memory.dmp
memory/2836-81-0x0000000000580000-0x0000000000670000-memory.dmp
memory/2560-85-0x0000000073F80000-0x000000007466E000-memory.dmp
memory/2468-86-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2836-87-0x0000000000150000-0x0000000000156000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\4A7C.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\4A7C.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2836-95-0x0000000000580000-0x0000000000670000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\765ead5c-f514-42b6-9a56-51e48c554f1c\258A.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/2560-115-0x0000000005480000-0x00000000054C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
\Users\Admin\AppData\Local\Temp\258A.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/2468-120-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\258A.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
\Users\Admin\AppData\Local\Temp\258A.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
\Users\Admin\AppData\Local\Temp\258A.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/2316-126-0x00000000002A0000-0x0000000000332000-memory.dmp
memory/2316-123-0x00000000002A0000-0x0000000000332000-memory.dmp
memory/396-131-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\598A.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Local\Temp\598A.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/2412-139-0x00000000048F0000-0x0000000004CE8000-memory.dmp
memory/396-138-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\258A.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2560-141-0x0000000000280000-0x0000000000A28000-memory.dmp
memory/2560-142-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-143-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2412-144-0x00000000048F0000-0x0000000004CE8000-memory.dmp
memory/1368-147-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/2412-148-0x0000000004CF0000-0x00000000055DB000-memory.dmp
memory/2560-149-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-145-0x0000000075DE0000-0x0000000075E27000-memory.dmp
memory/1368-162-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/2412-163-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2560-164-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-166-0x0000000075980000-0x0000000075A90000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
memory/2560-173-0x0000000075980000-0x0000000075A90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab60D5.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
memory/2016-184-0x0000000000060000-0x000000000006C000-memory.dmp
memory/2560-186-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-187-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-185-0x0000000073F80000-0x000000007466E000-memory.dmp
memory/2560-183-0x0000000075980000-0x0000000075A90000-memory.dmp
memory/2560-176-0x0000000075980000-0x0000000075A90000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2e117fecff42eeca55e661bd7cf454dd |
| SHA1 | 7359c1b18adab9baac2531eb8eb03b375eb0ebc5 |
| SHA256 | f91240011975ba308dc46c58b7cd24cddf0140283382fa2da34d68ea7a40c849 |
| SHA512 | 9d6b49f08374e94948761c049cb5a36f788fec3389f046e5ab3c0b84c0ccdc7b9a38af5ddc858c1f4bb2f4bf79e55d4c4b397cccbd489165b77b369660ce9264 |
memory/2560-172-0x0000000075980000-0x0000000075A90000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | e0588e2b2e8bc1784c7107058c7558cb |
| SHA1 | cf471bbf888de7b6c7cb2ae94381dc5ab623ff59 |
| SHA256 | f2b0643174e934b4a43df8f9e94636e01fb9edc19913ee9d3692d5ad0621f7fb |
| SHA512 | 4fa6c70e84b845aa0927a8f27940e3c868b334d88b46a9f66363f9cc14f07d36ca4e512239634d208ea77126502cb0d098b5ba5bf65a12bb8a793c21bc475400 |
memory/2560-169-0x0000000075980000-0x0000000075A90000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 62912e7da7c7e03a73f43c50b3c70979 |
| SHA1 | a1514787753be0f3d9fd60e253fcdd4fd9805aea |
| SHA256 | ca4e99a2fea0b8c21bcf8dd8333d3df6ff75727db82cb0efd86eefe09b9f2d85 |
| SHA512 | a24bcc548811162591a8c7c3379ac8536f2928de2a250f9ef867d201798621872aa961f4abc3449fa24ce78f3fbf9f88b92c2f63db99d1ef455da5fdf4b3bb75 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | f99ba2ef1fecd19b702f51ca216bcbb7 |
| SHA1 | a9c71a4b378e3e200e9f9e1c68dea34a203e0ee5 |
| SHA256 | 27ae0ac9eaeb292b5fad47f7cfc4016586db1ff8850a72329fcad64c0566ab40 |
| SHA512 | 2fd1fdf93cc052e4a59298b71ce821aad6a00d2c1969b0d979a09a016db8b4cbf765d5a1f0c346b361cd5384b50ea9d74fff1d41b137d11cab51a2f2523564d0 |
memory/2016-165-0x0000000000060000-0x000000000006C000-memory.dmp
memory/2560-188-0x0000000005480000-0x00000000054C0000-memory.dmp
memory/396-190-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2412-191-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\598A.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/2560-194-0x0000000002790000-0x00000000027AC000-memory.dmp
memory/396-196-0x0000000000400000-0x0000000000537000-memory.dmp
memory/396-195-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2120-198-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2120-204-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2560-210-0x0000000002790000-0x00000000027A5000-memory.dmp
memory/2560-213-0x0000000002790000-0x00000000027A5000-memory.dmp
memory/396-212-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2560-228-0x0000000002790000-0x00000000027A5000-memory.dmp
memory/2560-226-0x0000000002790000-0x00000000027A5000-memory.dmp
memory/2560-224-0x0000000002790000-0x00000000027A5000-memory.dmp
memory/2560-222-0x0000000002790000-0x00000000027A5000-memory.dmp
memory/2560-220-0x0000000002790000-0x00000000027A5000-memory.dmp
memory/2560-218-0x0000000002790000-0x00000000027A5000-memory.dmp
memory/2120-216-0x0000000073F80000-0x000000007466E000-memory.dmp
memory/2560-215-0x0000000002790000-0x00000000027A5000-memory.dmp
memory/2560-208-0x0000000002790000-0x00000000027A5000-memory.dmp
memory/2120-207-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2560-206-0x0000000002790000-0x00000000027A5000-memory.dmp
C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
memory/2120-202-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2120-201-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2120-200-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2120-199-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2120-197-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
\Users\Admin\AppData\Local\25e14570-637a-45ec-8b39-c1b710bb6f1c\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\Temp\TarDE11.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 5c8e85a496491e9e7f4c5610029ad4d1 |
| SHA1 | 27bf392543ce2d5729e085c5db914f371bf1212b |
| SHA256 | 578d10158e9f9865c7d244a536617d20add8a877c66f69dff766fceace3b6d77 |
| SHA512 | c7ce621e4b17945f93e8dab0337bbd10ad6dc97ba704b90d4fcf8e3d11d1805aed50687d96b99d90fa8740a2b906a8b40934c3a8199fabee459cc3688d053db9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
\Windows\rss\csrss.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Windows\rss\csrss.exe
| MD5 | a1ad93f61113e492efa33579feef1d63 |
| SHA1 | 9516b2306478154b6a3ee83b37e7d03daee23098 |
| SHA256 | 7dd0973e29aac24a95fa30783a31a2c3bcd26c296f05f300dc111f6521101239 |
| SHA512 | f95260cab0b12a84f2c4ac47d58de984551145a9cbf6f28acec2378481a5706773f16b142a529ccf01848d42292396c4691231af744f82fbaa6bcb3ba6f76ebb |
C:\Windows\rss\csrss.exe
| MD5 | 2cea17f330d866200fdf17d5c994e18c |
| SHA1 | 608a69569522c165a76ffe4cee36041f8ac0ac08 |
| SHA256 | 8b6dab7877adfe5f5437d478fbc038b2432780ad84925d7ea4d7f8b15a106e67 |
| SHA512 | 446e179b913596a5ed5bdb67e7798b134719bce435df79272d0d05f24a8e620fdea181e89afdfb09717ff367d60cf86474ddc2f0a4983553f4fbff74485d0978 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 4afe1fb3fda9f03e5ff5abb28e802d50 |
| SHA1 | c4c5f1c41e1b6f9955393867a3037227fc324509 |
| SHA256 | 9faa27b56f58b6afe3d2a117540e5fd5f4073b92c0646ac4d03f1f36c417d643 |
| SHA512 | aa791362a74d885ead0b3252dc874b32235eac16521286fcacb3b6bf12a76dedf5b4e205c4c3041c95ccd67f8c327979a9d7555df073a6f2452c824e19e082ed |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 4afe1fb3fda9f03e5ff5abb28e802d50 |
| SHA1 | c4c5f1c41e1b6f9955393867a3037227fc324509 |
| SHA256 | 9faa27b56f58b6afe3d2a117540e5fd5f4073b92c0646ac4d03f1f36c417d643 |
| SHA512 | aa791362a74d885ead0b3252dc874b32235eac16521286fcacb3b6bf12a76dedf5b4e205c4c3041c95ccd67f8c327979a9d7555df073a6f2452c824e19e082ed |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | 1be58c4386af214e23fd0b69a30fba0c |
| SHA1 | e039ba39e4839e3811c3a7ebb6ea5a212a3b9f44 |
| SHA256 | 5e2d16440da615b4f79cb26749bdeddb7bba176005fd709009955d733d19ecaf |
| SHA512 | 592bf5966903065f3511b9318cd959745f0d957a2ca86ba8c0b153b8d10fd3439ccc83b8275a4ca2088247afbf84f6195ffa409778e5781d6c16b9f96fd58f3b |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | a62a9d88309b5ab5f93b8421264625d4 |
| SHA1 | 7eacaabfd90218abdd960f8e654f1b014cf2c041 |
| SHA256 | 6495dee8b543e422e8b8532be40bd5b573a250d882c2fc515c29dd4e8a304161 |
| SHA512 | b91f46c6139034cee3b2a73598fcc17071aa88a2cb6fbdc2ba24b484bda47875368ddb1b9ced82537d8c956c4b25b2529c4974a6203d2b98018fcc38fcf2422f |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 549c507534224ca632ee2d4a0e291732 |
| SHA1 | 95baa4be0e2fe53d8e6f02ee74e86d73c459e613 |
| SHA256 | 245c7f5db1cc4dae389d184dfdf390be83dca3a3278664e6ffc954bb5f2d2f57 |
| SHA512 | c2e52efa31a997e3bcb1929009160378c93c91f3137eb9757cd748049b666ad5236f81e4228b511e12cdc555c416fad45f5a12be82b443eac26187b3a5437101 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | a94af25447916bfa5277c778959f8c09 |
| SHA1 | af9116cc4160c6aadec9204e21bf1b961e1126b8 |
| SHA256 | 8d01fda2072e4bab44ad53d771bcccfdc5857387d885e0687dc726f7ce6d3ec4 |
| SHA512 | 201af07f61f72bac524cd8aadf34cc8a05ea301c0c6b153ee242910ee1012e247c919ea3e3d6278bc05cdf0e6c98ad5cbcf0f695e83a7b0926d18fe5e6a1c0e6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 47aee42b1cfb248fb2071c64dcf336bb |
| SHA1 | 45434066a8ae7aa09a9c52d1166405697428ae29 |
| SHA256 | 29b4357a1d58081205060687671de2f86993ec0706bc89016ab2f92f8f5d3abc |
| SHA512 | e6b82607eba38728999e8f6b7cba7a8b1ae7bc736f773d41818d27e2d7ab2c70eeb9cbf1eeda142d898a2c519013e4c6c3e5c64e2025768b6725a846507d179a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bebf724794192028b7b017ded1eef80f |
| SHA1 | 9b5d15cadf81b92e49484a698c71b66c92d55e84 |
| SHA256 | 130286a9df4a1c59ddff54d9087937c6d0ff125759bd4895289c19f5156fb7ab |
| SHA512 | 4a47f26e924102f3c41f9d55826c4b68ab7ba0b53e5e8d531e09126942bd28260fad041fcca216e8cf881076e67ffc0938774c319d4b30bf06951e31f4c13540 |
\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 5c84e97d351c218f36e5f8ed6b93963d |
| SHA1 | 228e1e09cb250ebdce313e165f5257b23c6b83aa |
| SHA256 | fe4aa4f4b18785c8e167db4e937523c36399c7cefbd62abbd44f04da6e9c069f |
| SHA512 | 62ba8912c8486ba9eb2f2874066e624bc2e6a9b09fd17a47a6f3cb1ede37628285e7dd6cf1f786d570ac17e8c0d0200f6bd8b119de1239106b25deef50d93113 |
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 5c84e97d351c218f36e5f8ed6b93963d |
| SHA1 | 228e1e09cb250ebdce313e165f5257b23c6b83aa |
| SHA256 | fe4aa4f4b18785c8e167db4e937523c36399c7cefbd62abbd44f04da6e9c069f |
| SHA512 | 62ba8912c8486ba9eb2f2874066e624bc2e6a9b09fd17a47a6f3cb1ede37628285e7dd6cf1f786d570ac17e8c0d0200f6bd8b119de1239106b25deef50d93113 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-17 01:31
Reported
2023-10-17 01:35
Platform
win10v2004-20230915-en
Max time kernel
156s
Max time network
168s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\74AF.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\74AF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\74AF.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\974D.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\64B0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64B0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74AF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64B0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9374.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\974D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9C5F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A317.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64B0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3ACD.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64B0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6416.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\59a6764c-b833-4d29-906a-8603da4ce8fe\\64B0.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\64B0.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\74AF.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74AF.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2248 set thread context of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\64B0.exe | C:\Users\Admin\AppData\Local\Temp\64B0.exe |
| PID 2168 set thread context of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\9374.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4244 set thread context of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\74AF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 788 set thread context of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\64B0.exe | C:\Users\Admin\AppData\Local\Temp\64B0.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\64B0.exe |
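The SetThreadContext table above and the Program crash row are two views of the same activity: a dropped binary starts a second process, rewrites its main thread's context, and in one case the injected process is the one WerFault is later invoked for. The script below is an added example, not part of the sandbox report or any of the malware families it names. It classifies the four SetThreadContext rows (a binary targeting a second instance of itself versus a binary targeting the signed .NET host AppLaunch.exe) and matches the injected PIDs against the two WerFault command lines from the process list further down the page. The list of hollowing host binaries and the labels are this example's own assumptions.

```python
"""Correlate SetThreadContext rows with WerFault crash reports.

Added example, not from the sandbox: SetThreadContext on another
process's thread is the hallmark of process hollowing and similar
suspended-process injection. The rows and WerFault lines below are
copied from the report; HOLLOW_HOSTS is an assumption of this example.
"""
import re
from typing import Dict, List, Set, Tuple

# Rows copied from the 'Suspicious use of SetThreadContext' table:
# (description, process, target).
SET_THREAD_CONTEXT = [
    ("PID 2248 set thread context of 4552",
     r"C:\Users\Admin\AppData\Local\Temp\64B0.exe",
     r"C:\Users\Admin\AppData\Local\Temp\64B0.exe"),
    ("PID 2168 set thread context of 4016",
     r"C:\Users\Admin\AppData\Local\Temp\9374.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"),
    ("PID 4244 set thread context of 4884",
     r"C:\Users\Admin\AppData\Local\Temp\74AF.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"),
    ("PID 788 set thread context of 3124",
     r"C:\Users\Admin\AppData\Local\Temp\64B0.exe",
     r"C:\Users\Admin\AppData\Local\Temp\64B0.exe"),
]

# WerFault command lines copied from the process list of this analysis.
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3124 -ip 3124",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 584",
]

# Assumption: signed Microsoft .NET utilities commonly used as hollowing
# hosts because they start cleanly with no arguments under a trusted name.
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}

_PIDS = re.compile(r"PID (\d+) set thread context of (\d+)")
_WER_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")   # '-p <pid>', not '-pss' or '-ip'


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(desc: str, process: str, target: str) -> Tuple[int, int, str]:
    """Return (source pid, target pid, injection kind) for one table row."""
    m = _PIDS.match(desc)
    if m is None:
        raise ValueError(f"unrecognised row: {desc!r}")
    src, dst = int(m.group(1)), int(m.group(2))
    p, t = _basename(process), _basename(target)
    if p == t:
        kind = "self-injection"        # second instance of the same dropped binary
    elif t in HOLLOW_HOSTS:
        kind = "hollowing-into-host"   # payload runs under a signed image name
    else:
        kind = "cross-process"
    return src, dst, kind


def crashed_pids(werfault_cmdlines: List[str]) -> Set[int]:
    """PIDs that WerFault was asked to report on (-p <pid>)."""
    pids: Set[int] = set()
    for cmd in werfault_cmdlines:
        pids.update(int(x) for x in _WER_PID.findall(cmd))
    return pids


def correlate(rows, werfault_cmdlines) -> List[Dict[str, object]]:
    """One record per injection row, marking targets that later crashed."""
    crashed = crashed_pids(werfault_cmdlines)
    report = []
    for desc, process, target in rows:
        src, dst, kind = classify(desc, process, target)
        report.append({"src": src, "dst": dst, "kind": kind,
                       "target_image": _basename(target),
                       "target_crashed": dst in crashed})
    return report


if __name__ == "__main__":
    for r in correlate(SET_THREAD_CONTEXT, WERFAULT_CMDLINES):
        flag = "  <- reported by WerFault" if r["target_crashed"] else ""
        print(f"{r['src']:>5} -> {r['dst']:<5} {r['kind']:<20} {r['target_image']}{flag}")
```

Run as-is it prints four lines; the one for 788 -> 3124 carries the WerFault flag, which ties the "Program crash" row (WerFault targeting 64B0.exe) to the last SetThreadContext row rather than to the AppLaunch.exe injections.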
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9C5F.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9C5F.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9C5F.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9C5F.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\74AF.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\64B0.exe
C:\Users\Admin\AppData\Local\Temp\64B0.exe
C:\Users\Admin\AppData\Local\Temp\74AF.exe
C:\Users\Admin\AppData\Local\Temp\74AF.exe
C:\Users\Admin\AppData\Local\Temp\64B0.exe
C:\Users\Admin\AppData\Local\Temp\64B0.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\91CD.dll
C:\Users\Admin\AppData\Local\Temp\9374.exe
C:\Users\Admin\AppData\Local\Temp\9374.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\91CD.dll
C:\Users\Admin\AppData\Local\Temp\974D.exe
C:\Users\Admin\AppData\Local\Temp\974D.exe
C:\Users\Admin\AppData\Local\Temp\9C5F.exe
C:\Users\Admin\AppData\Local\Temp\9C5F.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Users\Admin\AppData\Local\Temp\A317.exe
C:\Users\Admin\AppData\Local\Temp\A317.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\59a6764c-b833-4d29-906a-8603da4ce8fe" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\64B0.exe
"C:\Users\Admin\AppData\Local\Temp\64B0.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe
"C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe"
C:\Users\Admin\AppData\Local\Temp\7zS3ACD.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\64B0.exe
"C:\Users\Admin\AppData\Local\Temp\64B0.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3124 -ip 3124
C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe
.\Install.exe /MKdidA "385119" /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 584
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ghmVbzDaG" /SC once /ST 00:23:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\6416.exe
C:\Users\Admin\AppData\Local\Temp\6416.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.213.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | mikolyda.beget.tech | udp |
| RU | 91.106.207.50:80 | mikolyda.beget.tech | tcp |
| US | 8.8.8.8:53 | 50.207.106.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hoffmanlevi.space | udp |
| RU | 45.130.41.106:443 | hoffmanlevi.space | tcp |
| US | 8.8.8.8:53 | 106.41.130.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.174.42.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wirtshauspost.at | udp |
| MX | 187.204.8.60:80 | wirtshauspost.at | tcp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| MX | 187.204.8.60:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 60.8.204.187.in-addr.arpa | udp |
| US | 95.214.27.254:80 | 95.214.27.254 | tcp |
| MX | 187.204.8.60:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 254.27.214.95.in-addr.arpa | udp |
| RU | 31.41.244.27:41140 | | tcp |
| GB | 145.239.200.147:30225 | | tcp |
| MX | 187.204.8.60:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 27.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.200.239.145.in-addr.arpa | udp |
| MX | 187.204.8.60:80 | wirtshauspost.at | tcp |
| MX | 187.204.8.60:80 | wirtshauspost.at | tcp |
| MX | 187.204.8.60:80 | wirtshauspost.at | tcp |
| MX | 187.204.8.60:80 | wirtshauspost.at | tcp |
| MX | 187.204.8.60:80 | wirtshauspost.at | tcp |
| MX | 187.204.8.60:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | rummygoplay.in | udp |
| IN | 103.251.94.112:443 | rummygoplay.in | tcp |
| US | 8.8.8.8:53 | 112.94.251.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
| MX | 187.204.8.60:80 | wirtshauspost.at | tcp |
| MX | 187.204.8.60:80 | wirtshauspost.at | tcp |
| MX | 187.204.8.60:80 | wirtshauspost.at | tcp |
Files
memory/5072-1-0x0000000000800000-0x0000000000900000-memory.dmp
memory/5072-2-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/5072-3-0x0000000002520000-0x000000000252B000-memory.dmp
memory/3172-4-0x00000000012B0000-0x00000000012C6000-memory.dmp
memory/5072-5-0x0000000000400000-0x00000000007CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\64B0.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/2248-20-0x00000000009B0000-0x0000000000A4E000-memory.dmp
memory/2248-21-0x0000000002620000-0x000000000273B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\74AF.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
memory/4244-25-0x0000000000880000-0x0000000001028000-memory.dmp
memory/4552-26-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\64B0.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/4244-28-0x0000000076580000-0x0000000076670000-memory.dmp
memory/4244-32-0x0000000076580000-0x0000000076670000-memory.dmp
memory/4244-33-0x0000000076580000-0x0000000076670000-memory.dmp
memory/4244-30-0x0000000076580000-0x0000000076670000-memory.dmp
memory/4244-34-0x0000000076580000-0x0000000076670000-memory.dmp
memory/4244-35-0x0000000076580000-0x0000000076670000-memory.dmp
memory/4552-29-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\91CD.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
memory/4552-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4244-36-0x0000000076580000-0x0000000076670000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9374.exe
| MD5 | 7d7ad41ac102ec1f3919414e1346f983 |
| SHA1 | b920bd01839c9b9c5d07ab7925f3ed97a5761b0e |
| SHA256 | f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8 |
| SHA512 | 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008 |
memory/4244-43-0x00000000777E4000-0x00000000777E6000-memory.dmp
memory/4552-46-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\91CD.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
C:\Users\Admin\AppData\Local\Temp\974D.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1508-55-0x0000000010000000-0x00000000101E4000-memory.dmp
memory/1508-54-0x00000000022E0000-0x00000000022E6000-memory.dmp
memory/4244-57-0x0000000000880000-0x0000000001028000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\9C5F.exe
| MD5 | 8ba58058114c2249080990d19707cfd2 |
| SHA1 | f1aeee66056df1ee8f8a0a09519801eaa1ec1f72 |
| SHA256 | 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4 |
| SHA512 | 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31 |
memory/4244-67-0x0000000005A70000-0x0000000005B02000-memory.dmp
memory/4244-68-0x0000000005C10000-0x0000000005CAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9C5F.exe
| MD5 | 8ba58058114c2249080990d19707cfd2 |
| SHA1 | f1aeee66056df1ee8f8a0a09519801eaa1ec1f72 |
| SHA256 | 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4 |
| SHA512 | 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31 |
memory/4244-62-0x0000000005F80000-0x0000000006524000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1508-72-0x0000000002630000-0x0000000002738000-memory.dmp
memory/4244-73-0x0000000005A30000-0x0000000005A3A000-memory.dmp
memory/4244-75-0x0000000000880000-0x0000000001028000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A317.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/1508-81-0x0000000002740000-0x0000000002830000-memory.dmp
memory/1508-82-0x0000000002740000-0x0000000002830000-memory.dmp
memory/1508-87-0x0000000002740000-0x0000000002830000-memory.dmp
memory/4244-88-0x0000000076580000-0x0000000076670000-memory.dmp
memory/4244-89-0x0000000076580000-0x0000000076670000-memory.dmp
memory/1636-85-0x0000000000680000-0x00000000006EB000-memory.dmp
memory/4244-86-0x0000000076580000-0x0000000076670000-memory.dmp
memory/4244-84-0x0000000076580000-0x0000000076670000-memory.dmp
memory/1636-95-0x00000000006F0000-0x0000000000770000-memory.dmp
memory/2948-93-0x0000000000C00000-0x0000000000C0C000-memory.dmp
memory/1636-90-0x0000000000680000-0x00000000006EB000-memory.dmp
memory/4244-97-0x0000000076580000-0x0000000076670000-memory.dmp
memory/4244-99-0x0000000076580000-0x0000000076670000-memory.dmp
memory/1872-100-0x0000000004C40000-0x0000000005047000-memory.dmp
memory/4180-102-0x0000000000810000-0x000000000081B000-memory.dmp
memory/4180-101-0x0000000000890000-0x0000000000990000-memory.dmp
memory/4180-103-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/2948-98-0x0000000000C00000-0x0000000000C0C000-memory.dmp
memory/1872-104-0x0000000005150000-0x0000000005A3B000-memory.dmp
memory/1508-111-0x0000000002740000-0x0000000002830000-memory.dmp
memory/1872-112-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/3172-115-0x0000000002EF0000-0x0000000002F06000-memory.dmp
memory/4180-118-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/1508-119-0x0000000010000000-0x00000000101E4000-memory.dmp
memory/4244-125-0x0000000005DB0000-0x0000000005DCC000-memory.dmp
memory/4244-127-0x0000000005DB0000-0x0000000005DC5000-memory.dmp
memory/4244-128-0x0000000005DB0000-0x0000000005DC5000-memory.dmp
memory/4244-130-0x0000000005DB0000-0x0000000005DC5000-memory.dmp
memory/1872-126-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/4244-132-0x0000000005DB0000-0x0000000005DC5000-memory.dmp
memory/4244-133-0x0000000076580000-0x0000000076670000-memory.dmp
memory/4244-135-0x0000000005DB0000-0x0000000005DC5000-memory.dmp
memory/4244-139-0x0000000005DB0000-0x0000000005DC5000-memory.dmp
memory/4244-137-0x0000000005DB0000-0x0000000005DC5000-memory.dmp
memory/4244-141-0x0000000005DB0000-0x0000000005DC5000-memory.dmp
memory/4244-143-0x0000000005DB0000-0x0000000005DC5000-memory.dmp
memory/4244-145-0x0000000005DB0000-0x0000000005DC5000-memory.dmp
memory/4244-147-0x0000000005DB0000-0x0000000005DC5000-memory.dmp
memory/4244-149-0x0000000005DB0000-0x0000000005DC5000-memory.dmp
memory/4244-151-0x0000000005DB0000-0x0000000005DC5000-memory.dmp
memory/4552-152-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\59a6764c-b833-4d29-906a-8603da4ce8fe\64B0.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/1872-162-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/1636-163-0x0000000000680000-0x00000000006EB000-memory.dmp
C:\Users\Admin\AppData\Roaming\gvuhcdt
| MD5 | 8ba58058114c2249080990d19707cfd2 |
| SHA1 | f1aeee66056df1ee8f8a0a09519801eaa1ec1f72 |
| SHA256 | 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4 |
| SHA512 | 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31 |
memory/1636-167-0x00000000006F0000-0x0000000000770000-memory.dmp
memory/1872-170-0x0000000004C40000-0x0000000005047000-memory.dmp
memory/4016-172-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4884-173-0x0000000000400000-0x000000000045A000-memory.dmp
memory/4016-176-0x0000000074200000-0x00000000749B0000-memory.dmp
memory/4244-177-0x0000000005DF0000-0x0000000005E00000-memory.dmp
memory/4016-178-0x00000000076F0000-0x0000000007700000-memory.dmp
memory/4884-179-0x0000000074200000-0x00000000749B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\64B0.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/4884-181-0x00000000075C0000-0x00000000075D0000-memory.dmp
memory/4552-180-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4244-188-0x0000000076580000-0x0000000076670000-memory.dmp
memory/4884-198-0x0000000008500000-0x0000000008B18000-memory.dmp
memory/4244-211-0x0000000000880000-0x0000000001028000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe
| MD5 | cac360e5fb18e8f135b7008cb478e15a |
| SHA1 | 37e4f9b25237b12ab283fc70bf89242ab3b83875 |
| SHA256 | e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8 |
| SHA512 | 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32 |
memory/4884-212-0x0000000007600000-0x0000000007612000-memory.dmp
memory/4884-215-0x0000000007770000-0x000000000787A000-memory.dmp
memory/1636-216-0x0000000000680000-0x00000000006EB000-memory.dmp
memory/4884-222-0x0000000007660000-0x000000000769C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe
| MD5 | cac360e5fb18e8f135b7008cb478e15a |
| SHA1 | 37e4f9b25237b12ab283fc70bf89242ab3b83875 |
| SHA256 | e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8 |
| SHA512 | 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32 |
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
| MD5 | 62962daa1b19bbcc2db10b7bfd531ea6 |
| SHA1 | d64bae91091eda6a7532ebec06aa70893b79e1f8 |
| SHA256 | 80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880 |
| SHA512 | 9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7 |
memory/4884-231-0x00000000076C0000-0x000000000770C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS3ACD.tmp\Install.exe
| MD5 | 6a77181784bc9e5a81ed1479bcee7483 |
| SHA1 | f7bc21872e7016a4945017c5ab9b922b44a22ece |
| SHA256 | 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7 |
| SHA512 | e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f |
memory/788-250-0x0000000002490000-0x000000000252D000-memory.dmp
memory/3124-254-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3124-253-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\64B0.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/3124-256-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1872-259-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS3CC1.tmp\Install.exe
| MD5 | cd3191644eeaab1d1cf9b4bea245f78c |
| SHA1 | 75f04b22e62b1366a4c5b2887242b63de1d83c9c |
| SHA256 | f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f |
| SHA512 | 79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a |
memory/4884-262-0x0000000007F50000-0x0000000007FB6000-memory.dmp
memory/4480-263-0x00000000000F0000-0x00000000007DF000-memory.dmp
memory/4480-264-0x0000000010000000-0x000000001057B000-memory.dmp
memory/4016-267-0x0000000074200000-0x00000000749B0000-memory.dmp
memory/4016-268-0x00000000076F0000-0x0000000007700000-memory.dmp
memory/4884-269-0x0000000074200000-0x00000000749B0000-memory.dmp
memory/3380-270-0x0000000002DA0000-0x0000000002DD6000-memory.dmp
memory/3380-271-0x0000000074200000-0x00000000749B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pyh4iyfd.fuh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\6416.exe
| MD5 | 49c3a1783950fa165b770f6cf5cc0619 |
| SHA1 | 47704a2a06c92c1ea3a006e515548aa00eac8d02 |
| SHA256 | 4290c815db722f3b8accc02b6ea6f3a86f2851181533b72748ac4143ffd1edc4 |
| SHA512 | 92d670d3a3e23e64f34f2b65179006d5ab050751344f256ccff692b447991a189b91a28638060eee9c5ab5bf43694ae20dffb70e16f01ac5b9a30d1b1dc564b7 |