Analysis Overview
SHA256
779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64
Threat Level: Known bad
The file was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
SmokeLoader
Glupteba
Detected Djvu ransomware
Djvu Ransomware
RedLine payload
RedLine
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks BIOS information in registry
Deletes itself
Executes dropped EXE
Themida packer
Loads dropped DLL
Modifies file permissions
Checks computer location settings
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
outlook_office_path
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious use of UnmapMainImage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-17 01:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-17 01:35
Reported
2023-10-17 01:37
Platform
win7-20230831-en
Max time kernel
132s
Max time network
139s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A86F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AF94.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B417.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C24B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A86F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A86F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A86F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C24B.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A86F.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B417.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A86F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A86F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A86F.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a5940991-cb27-4d53-9ec2-2cf85d454aa1\\A86F.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\A86F.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2616 set thread context of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\A86F.exe | C:\Users\Admin\AppData\Local\Temp\A86F.exe |
| PID 1368 set thread context of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\AF94.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1848 set thread context of 920 | N/A | C:\Users\Admin\AppData\Local\Temp\A86F.exe | C:\Users\Admin\AppData\Local\Temp\A86F.exe |
| PID 2652 set thread context of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
(62 further hits recorded with no process, indicator or target)
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C24B.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C24B.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\A86F.exe
C:\Users\Admin\AppData\Local\Temp\A86F.exe
C:\Users\Admin\AppData\Local\Temp\AB7C.exe
C:\Users\Admin\AppData\Local\Temp\AB7C.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AE7A.dll
C:\Users\Admin\AppData\Local\Temp\A86F.exe
C:\Users\Admin\AppData\Local\Temp\A86F.exe
C:\Users\Admin\AppData\Local\Temp\AF94.exe
C:\Users\Admin\AppData\Local\Temp\AF94.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\AE7A.dll
C:\Users\Admin\AppData\Local\Temp\B417.exe
C:\Users\Admin\AppData\Local\Temp\B417.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\C24B.exe
C:\Users\Admin\AppData\Local\Temp\C24B.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a5940991-cb27-4d53-9ec2-2cf85d454aa1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\A86F.exe
"C:\Users\Admin\AppData\Local\Temp\A86F.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\A86F.exe
"C:\Users\Admin\AppData\Local\Temp\A86F.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\taskeng.exe
taskeng.exe {DA1F22D8-632B-4841-B1D0-DAB8AFD16B3F} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231017013701.log C:\Windows\Logs\CBS\CbsPersist_20231017013701.cab
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\C24B.exe
"C:\Users\Admin\AppData\Local\Temp\C24B.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 104.21.86.8:443 | loveperry.org | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.1:443 | api.2ip.ua | tcp |
| US | 188.114.97.1:443 | api.2ip.ua | tcp |
| GB | 145.239.200.147:30225 | N/A | tcp |
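The Network table mixes resolver traffic to 8.8.8.8, the external IP lookup already called out in the Signatures section (api.2ip.ua), repeated rows for the same endpoint, two bare-IP HTTP contacts to 79.137.192.18 and one TCP connection on a non-standard port. As an added example that is not part of the sandbox output, the Python below parses the rows exactly as they appear above (including the last row, whose Domain cell is missing in the report) into a de-duplicated domain-to-endpoint map, separates the lookup service from the candidate C2 hosts, and flags the bare-IP and non-standard-port contacts that deserve a second look. The allowlist of lookup services and the set of expected ports are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Rows copied from the behavioral1 Network table in this report; the last row
# keeps the report's missing Domain cell so the parser has to cope with it.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 104.21.86.8:443 | loveperry.org | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.1:443 | api.2ip.ua | tcp |
| US | 188.114.97.1:443 | api.2ip.ua | tcp |
| GB | 145.239.200.147:30225 | tcp |
"""

# Assumptions for this example: public IP-lookup services the Signatures
# section already attributes to the sample (behaviour, not C2), and the
# ports a loader talking plain HTTP/HTTPS is expected to use.
LOOKUP_SERVICES = {"api.2ip.ua"}
EXPECTED_PORTS = {80, 443}


def parse_rows(table: str) -> list[dict]:
    """Turn '| country | ip:port | domain | proto |' rows into dicts.
    A row with only three cells (Domain missing) or an 'N/A' domain is
    recorded with an empty domain; header/separator lines are skipped."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            country, dest, domain, proto = cells
        elif len(cells) == 3:
            country, dest, proto = cells
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        if domain.upper() == "N/A":
            domain = ""
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def _is_ip_literal(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def summarize(rows: list[dict]) -> dict:
    """Reduce the rows to what a blocklist or a hunt actually needs."""
    domains: dict[str, set[str]] = defaultdict(set)
    bare_ip: set[str] = set()
    nonstandard: set[str] = set()
    lookups: set[str] = set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            continue  # resolver traffic, not the malware's own endpoint
        endpoint = f'{r["ip"]}:{r["port"]}'
        if r["port"] not in EXPECTED_PORTS:
            nonstandard.add(endpoint)
        if r["domain"] in LOOKUP_SERVICES:
            lookups.add(r["domain"])
        elif not r["domain"] or _is_ip_literal(r["domain"]):
            bare_ip.add(endpoint)  # contacted by address, no name to pivot on
        else:
            domains[r["domain"]].add(endpoint)
    return {"domains": dict(domains), "bare_ip": bare_ip,
            "nonstandard_ports": nonstandard, "lookup_services": lookups}


if __name__ == "__main__":
    summary = summarize(parse_rows(NETWORK_ROWS))
    for dom, eps in sorted(summary["domains"].items()):
        print(f"{dom:26} {', '.join(sorted(eps))}")
    print("bare-IP contacts:   ", sorted(summary["bare_ip"]))
    print("non-standard ports: ", sorted(summary["nonstandard_ports"]))
    print("lookup services:    ", sorted(summary["lookup_services"]))
```

Two of the domains (lightseinsteniki.org and liuliuoumumy.org) resolve to the same host, and 91.215.85.209 is contacted over both 80 and 443 for one name, so blocking by resolved address alone would be both narrower and noisier than blocking the nine names plus the two bare-IP endpoints the summary produces.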
Files
memory/2436-1-0x00000000008E0000-0x00000000009E0000-memory.dmp
memory/2436-2-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/2436-3-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2436-5-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/1252-4-0x0000000002A00000-0x0000000002A16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A86F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
C:\Users\Admin\AppData\Local\Temp\A86F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/2652-24-0x0000000000BE0000-0x0000000001388000-memory.dmp
memory/2616-25-0x00000000002E0000-0x0000000000372000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AB7C.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
memory/2616-26-0x00000000002E0000-0x0000000000372000-memory.dmp
memory/2616-27-0x0000000002180000-0x000000000229B000-memory.dmp
\Users\Admin\AppData\Local\Temp\A86F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
C:\Users\Admin\AppData\Local\Temp\A86F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/2892-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2652-33-0x0000000075270000-0x0000000075380000-memory.dmp
memory/2652-35-0x0000000075270000-0x0000000075380000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AE7A.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
memory/2652-39-0x0000000075270000-0x0000000075380000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AF94.exe
| MD5 | 7d7ad41ac102ec1f3919414e1346f983 |
| SHA1 | b920bd01839c9b9c5d07ab7925f3ed97a5761b0e |
| SHA256 | f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8 |
| SHA512 | 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008 |
memory/2652-44-0x0000000076260000-0x00000000762A7000-memory.dmp
memory/2652-46-0x0000000075270000-0x0000000075380000-memory.dmp
memory/2652-47-0x0000000075270000-0x0000000075380000-memory.dmp
memory/2652-45-0x0000000075270000-0x0000000075380000-memory.dmp
memory/2652-48-0x0000000075270000-0x0000000075380000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AF94.exe
| MD5 | 7d7ad41ac102ec1f3919414e1346f983 |
| SHA1 | b920bd01839c9b9c5d07ab7925f3ed97a5761b0e |
| SHA256 | f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8 |
| SHA512 | 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008 |
memory/2652-51-0x0000000075270000-0x0000000075380000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B417.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
\Users\Admin\AppData\Local\Temp\AE7A.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
memory/2652-60-0x0000000075270000-0x0000000075380000-memory.dmp
memory/2652-62-0x0000000076260000-0x00000000762A7000-memory.dmp
memory/2492-64-0x0000000010000000-0x00000000101E4000-memory.dmp
memory/2492-70-0x0000000000110000-0x0000000000116000-memory.dmp
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2652-66-0x00000000773A0000-0x00000000773A2000-memory.dmp
memory/2652-63-0x0000000075270000-0x0000000075380000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\B417.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2652-56-0x0000000075270000-0x0000000075380000-memory.dmp
memory/2652-36-0x0000000075270000-0x0000000075380000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\C24B.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/2432-81-0x0000000004A30000-0x0000000004E28000-memory.dmp
memory/2492-82-0x0000000002480000-0x0000000002570000-memory.dmp
memory/2492-84-0x0000000002480000-0x0000000002570000-memory.dmp
memory/2508-87-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/2508-88-0x0000000000110000-0x0000000000116000-memory.dmp
memory/2492-86-0x0000000002480000-0x0000000002570000-memory.dmp
memory/2804-90-0x0000000000060000-0x000000000006C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C24B.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/2804-102-0x0000000000060000-0x000000000006C000-memory.dmp
memory/2492-103-0x0000000002480000-0x0000000002570000-memory.dmp
memory/2492-74-0x0000000002040000-0x0000000002148000-memory.dmp
memory/2508-104-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/2652-108-0x0000000000BE0000-0x0000000001388000-memory.dmp
memory/2892-109-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2892-105-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A86F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
C:\Users\Admin\AppData\Local\a5940991-cb27-4d53-9ec2-2cf85d454aa1\A86F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
C:\Users\Admin\AppData\Local\Temp\C24B.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
\Users\Admin\AppData\Local\Temp\A86F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
\Users\Admin\AppData\Local\Temp\A86F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/1548-131-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2892-130-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1548-132-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A86F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/1548-135-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1548-136-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1548-137-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1548-138-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1848-139-0x0000000000230000-0x00000000002C2000-memory.dmp
\Users\Admin\AppData\Local\Temp\A86F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
C:\Users\Admin\AppData\Local\Temp\A86F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/1848-145-0x0000000000230000-0x00000000002C2000-memory.dmp
memory/920-148-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1548-149-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1548-151-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c11244db4ebb3cbad6db4863b1b50019 |
| SHA1 | dcc573674b2dcc1fccc6b508ee68b3cb686d68fc |
| SHA256 | cc0bcfcdf64ce5d112fb2d0dd707a8740bd4aa91741ccd4880871ed650b04a5e |
| SHA512 | 08001468a00d172dd6f34e6949d7c723fb64e64daf6906908a6f11dde7c27868a0286bd7a4d1cc0daa6c6d9827474c4c5567d448dced4a05b8e02a96b8c4c8cd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | fe481a093207598c1add8476372e70df |
| SHA1 | 1188a8bf42e0e98832750bcef9a15ada6a6a9422 |
| SHA256 | 5b03f0fea45d729fd590e3f2b313e5852efd3aaa09dae72ee6c17c4450c5cd39 |
| SHA512 | 1c8f9b8c7503fb9bf72b19a326245489e8557d08754e223637044f56093f2f8e0f8ca95ad2e43a9744535a8fc4a7f9649cdf939ef1d9557400bd5da4aeb129eb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 62912e7da7c7e03a73f43c50b3c70979 |
| SHA1 | a1514787753be0f3d9fd60e253fcdd4fd9805aea |
| SHA256 | ca4e99a2fea0b8c21bcf8dd8333d3df6ff75727db82cb0efd86eefe09b9f2d85 |
| SHA512 | a24bcc548811162591a8c7c3379ac8536f2928de2a250f9ef867d201798621872aa961f4abc3449fa24ce78f3fbf9f88b92c2f63db99d1ef455da5fdf4b3bb75 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 2da99b612ccc9ad6ecdf0adfd28b7079 |
| SHA1 | 96415540d8c8782ff531d07cee0f4219e287a203 |
| SHA256 | 3fbda09e4c5bef5bd926a6833f6f99004218a4036103be8d862eeb129ff2a8d4 |
| SHA512 | 4778f37adbc330e630b3feb24f52be17bd2b5305cc80e139cfc2543e14d1f079fa091f89aa23c82270a5d460af254a57cd0ea2a47b2f276faf3b32cc14c4a29c |
C:\Users\Admin\AppData\Local\Temp\Cab5679.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/920-165-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2652-166-0x0000000000520000-0x000000000053C000-memory.dmp
memory/2652-191-0x0000000000520000-0x0000000000535000-memory.dmp
memory/2652-189-0x0000000000520000-0x0000000000535000-memory.dmp
memory/2652-187-0x0000000000520000-0x0000000000535000-memory.dmp
memory/2652-185-0x0000000000520000-0x0000000000535000-memory.dmp
memory/2652-183-0x0000000000520000-0x0000000000535000-memory.dmp
memory/2652-181-0x0000000000520000-0x0000000000535000-memory.dmp
memory/2652-179-0x0000000000520000-0x0000000000535000-memory.dmp
memory/2652-177-0x0000000000520000-0x0000000000535000-memory.dmp
memory/2652-175-0x0000000000520000-0x0000000000535000-memory.dmp
memory/2652-173-0x0000000000520000-0x0000000000535000-memory.dmp
memory/2652-171-0x0000000000520000-0x0000000000535000-memory.dmp
memory/2652-168-0x0000000000520000-0x0000000000535000-memory.dmp
memory/2652-167-0x0000000000520000-0x0000000000535000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C24B.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-17 01:35
Reported
2023-10-17 01:40
Platform
win10v2004-20230915-en
Max time kernel
234s
Max time network
267s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\203C.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\203C.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\203C.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4C22.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1203.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\203C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\473F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4C22.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5105.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5AAA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a93b1f5d-ccfd-4bd3-acac-eeca9acbc294\\1203.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\1203.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\203C.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\203C.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1656 set thread context of 4956 | N/A | C:\Users\Admin\AppData\Local\Temp\1203.exe | C:\Users\Admin\AppData\Local\Temp\1203.exe |
| PID 2708 set thread context of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\203C.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3540 set thread context of 4604 | N/A | C:\Users\Admin\AppData\Local\Temp\473F.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1868 set thread context of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\1203.exe | C:\Users\Admin\AppData\Local\Temp\1203.exe |
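The four rows above are the hollowing events in this run: each source PID writes a payload into a freshly created child (its own image for 1203.exe, the bare .NET host AppLaunch.exe for 203C.exe and 473F.exe) and redirects the child's main thread with SetThreadContext. The sandbox's memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp entries under Files are where that written-in payload can be recovered. The following is an added example and not part of this report or of the sandbox tooling: it correlates the SetThreadContext rows with a subset of dump names copied from the Files list, prefers a region at the 0x400000 image base that was dumped repeatedly as the payload candidate (an analyst's heuristic, not something the report states), and reports targets for which no dump exists, such as PID 4604.

```python
"""Map the SetThreadContext pairs in this report to the memory dumps the
sandbox captured, so an analyst knows which dump to open first. Added
example; the rows below are copied from this page, not produced by the
sandbox tooling."""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")

# (description, source image, target image) as listed under
# "Suspicious use of SetThreadContext" in this report.
SET_THREAD_CONTEXT = [
    ("PID 1656 set thread context of 4956",
     r"C:\Users\Admin\AppData\Local\Temp\1203.exe",
     r"C:\Users\Admin\AppData\Local\Temp\1203.exe"),
    ("PID 2708 set thread context of 5008",
     r"C:\Users\Admin\AppData\Local\Temp\203C.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"),
    ("PID 3540 set thread context of 4604",
     r"C:\Users\Admin\AppData\Local\Temp\473F.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"),
]

# Subset of the memory/... entries from the Files section of this report.
DUMPS = """
memory/1656-58-0x0000000000AA0000-0x0000000000B41000-memory.dmp
memory/1656-59-0x0000000002670000-0x000000000278B000-memory.dmp
memory/4956-60-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4956-63-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4956-66-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2708-46-0x00000000004B0000-0x0000000000C58000-memory.dmp
memory/2708-64-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/5008-212-0x0000000000400000-0x000000000045A000-memory.dmp
"""


def parse_dumps(text):
    """pid -> Counter{(start, end): number of times that region was dumped}."""
    regions = defaultdict(Counter)
    for m in DUMP_RE.finditer(text):
        pid, _seq, start, end = m.groups()
        regions[int(pid)][(int(start, 16), int(end, 16))] += 1
    return regions


def correlate(ctx_rows, dump_text):
    """One record per injection pair: which target dump most likely holds the payload."""
    regions = parse_dumps(dump_text)
    results = []
    for desc, src_img, dst_img in ctx_rows:
        src, dst = (int(x) for x in CTX_RE.match(desc).groups())
        target = regions.get(dst, Counter())
        # Heuristic (assumption, not from the report): prefer a region at the
        # classic 0x400000 image base, then the region dumped most often.
        best = max(target.items(), key=lambda kv: (kv[0][0] == 0x400000, kv[1]), default=None)
        results.append({
            "source_pid": src, "source_image": src_img,
            "target_pid": dst, "target_image": dst_img,
            "payload_region": best[0] if best else None,
            "payload_size": best[0][1] - best[0][0] if best else 0,
            "dump_count": best[1] if best else 0,
            # Regions dumped from the injector itself; a large private region
            # there often holds the decrypted payload before it is written out.
            "source_regions": sorted(regions.get(src, Counter())),
        })
    return results


if __name__ == "__main__":
    for r in correlate(SET_THREAD_CONTEXT, DUMPS):
        print(r["source_pid"], "->", r["target_pid"], r["payload_region"], hex(r["payload_size"]))
```

For PID 4956 this selects 0x400000-0x537000 (0x137000 bytes, dumped three times in the subset); the same region size appears in the behavioral1 run as memory/920-165. PID 5008 (AppLaunch.exe) yields the smaller 0x400000-0x45A000 region, and PID 4604 yields nothing, which tells the analyst the 473F.exe payload has to be recovered from the injector's own regions or a fresh detonation.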
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5105.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5105.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5105.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5105.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\203C.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\1203.exe
C:\Users\Admin\AppData\Local\Temp\1203.exe
C:\Users\Admin\AppData\Local\Temp\203C.exe
C:\Users\Admin\AppData\Local\Temp\203C.exe
C:\Users\Admin\AppData\Local\Temp\1203.exe
C:\Users\Admin\AppData\Local\Temp\1203.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4336.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\4336.dll
C:\Users\Admin\AppData\Local\Temp\473F.exe
C:\Users\Admin\AppData\Local\Temp\473F.exe
C:\Users\Admin\AppData\Local\Temp\4C22.exe
C:\Users\Admin\AppData\Local\Temp\4C22.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a93b1f5d-ccfd-4bd3-acac-eeca9acbc294" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\5105.exe
C:\Users\Admin\AppData\Local\Temp\5105.exe
C:\Users\Admin\AppData\Local\Temp\5AAA.exe
C:\Users\Admin\AppData\Local\Temp\5AAA.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\1203.exe
"C:\Users\Admin\AppData\Local\Temp\1203.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe
"C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe"
C:\Users\Admin\AppData\Local\Temp\1203.exe
"C:\Users\Admin\AppData\Local\Temp\1203.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
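The process tree above shows the tradecraft worth turning into detections: the one-minute schtasks heartbeat for yiueea.exe, the icacls and cacls deny entries on the dropped directory and binary, bare AppLaunch.exe hosts spawned by Temp executables (the SetThreadContext targets listed earlier), the silent regsvr32 load of 4336.dll from Temp, and the SysHelper Run key recorded under "Adds Run key to start application". The following is an added example and not part of this report: Sysmon-style events constructed from the command lines on this page (parent images are assumed where the flat tree does not show them) are run through simple rules, with one benign regsvr32 event as a control. The .NET host names beyond AppLaunch.exe are an assumed generalisation, not taken from this page.

```python
"""Detection checks for the persistence and injection tradecraft in this
report's process tree. Added example: the events are constructed from the
command lines on this page (parent processes are assumed where the report
does not state them); nothing here is sandbox output."""
import re
from dataclasses import dataclass

# Paths a standard user can write to; legitimate software rarely schedules
# tasks, registers COM servers or hosts .NET payloads from here.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local|Roaming)\\", re.I)

# .NET hosts commonly hollowed. The report shows AppLaunch.exe; the other
# names are an assumed generalisation, not taken from this page.
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# Constructed Sysmon-like events (eid 1 = process create, eid 13 = registry value set).
EVENTS = [
    {"eid": 1, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe",  # parent assumed
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'},
    {"eid": 1, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\1203.exe",  # parent assumed
     "cmd": r'icacls "C:\Users\Admin\AppData\Local\a93b1f5d-ccfd-4bd3-acac-eeca9acbc294" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"eid": 1, "image": r"C:\Windows\SysWOW64\cacls.exe",
     "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'CACLS "yiueea.exe" /P "Admin:N"'},
    {"eid": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\203C.exe",  # per the SetThreadContext row 2708 -> 5008
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'},
    {"eid": 1, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent": r"C:\Windows\system32\regsvr32.exe",
     "cmd": r"/s C:\Users\Admin\AppData\Local\Temp\4336.dll"},
    {"eid": 13, "image": r"C:\Users\Admin\AppData\Local\Temp\1203.exe",
     "target": r"HKU\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "details": r'"C:\Users\Admin\AppData\Local\a93b1f5d-ccfd-4bd3-acac-eeca9acbc294\1203.exe" --AutoStart'},
    # Benign control (constructed): an installer registering a COM DLL from Program Files.
    {"eid": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmd": r"/s C:\Program Files\Vendor\comp.dll"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    evidence: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return findings for one event; an empty list means nothing matched."""
    found = []
    if ev["eid"] == 13:
        if re.search(r"\\CurrentVersion\\Run\\", ev["target"], re.I) and USER_WRITABLE.search(ev["details"]):
            found.append(Finding("run_key_to_user_writable_path", ev["image"], ev["details"]))
        return found
    img, cmd, parent = _basename(ev["image"]), ev["cmd"], ev.get("parent", "")
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        # Amadey-style heartbeat: trigger every minute, action under %TEMP%.
        trigger = re.search(r"/sc\s+minute\b", cmd, re.I)
        action = re.search(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', cmd, re.I)
        if trigger and action and USER_WRITABLE.search(action.group(1)):
            found.append(Finding("minute_task_to_user_writable_path", ev["image"], action.group(1)))
    if img in ("icacls.exe", "cacls.exe") and re.search(r"/deny\b|:N\b", cmd, re.I):
        # Deny ACEs on the malware's own directory/binary hinder cleanup and deletion.
        found.append(Finding("acl_deny_on_own_artifacts", ev["image"], cmd))
    if img in DOTNET_HOSTS and USER_WRITABLE.search(parent):
        # A bare framework host spawned by a Temp executable is the hollowing target.
        found.append(Finding("dotnet_host_spawned_from_user_writable_path", ev["image"], parent))
    if img == "regsvr32.exe" and ".dll" in cmd.lower() and USER_WRITABLE.search(cmd):
        found.append(Finding("regsvr32_dll_from_user_writable_path", ev["image"], cmd))
    return found


def run_events(events) -> list:
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for f in run_events(EVENTS):
        print(f.rule, "|", f.image, "|", f.evidence)
```

The six malicious events each produce one finding and the Program Files control produces none. The cacls rule fires on the relative path `"yiueea.exe"` even though the working directory is unknown, which is deliberate: a user-level `:N` or `/deny` from cmd.exe is rare enough in normal operation to be worth a look on its own.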
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 104.21.86.8:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | 133.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.86.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | mikolyda.beget.tech | udp |
| RU | 91.106.207.50:80 | mikolyda.beget.tech | tcp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 50.207.106.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hoffmanlevi.space | udp |
| RU | 45.130.41.106:443 | hoffmanlevi.space | tcp |
| US | 8.8.8.8:53 | 106.41.130.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.174.42.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.175.53.84.in-addr.arpa | udp |
| RU | 31.41.244.27:41140 | | tcp |
| US | 8.8.8.8:53 | 27.244.41.31.in-addr.arpa | udp |
| US | 95.214.27.254:80 | 95.214.27.254 | tcp |
| US | 8.8.8.8:53 | 254.27.214.95.in-addr.arpa | udp |
| US | 95.214.27.254:80 | 95.214.27.254 | tcp |
| US | 8.8.8.8:53 | wirtshauspost.at | udp |
| KR | 211.40.39.251:80 | wirtshauspost.at | tcp |
| KR | 211.40.39.251:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 251.39.40.211.in-addr.arpa | udp |
| KR | 211.40.39.251:80 | wirtshauspost.at | tcp |
| KR | 211.40.39.251:80 | wirtshauspost.at | tcp |
| KR | 211.40.39.251:80 | wirtshauspost.at | tcp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| KR | 211.40.39.251:80 | wirtshauspost.at | tcp |
| KR | 211.40.39.251:80 | wirtshauspost.at | tcp |
| KR | 211.40.39.251:80 | wirtshauspost.at | tcp |
| KR | 211.40.39.251:80 | wirtshauspost.at | tcp |
| KR | 211.40.39.251:80 | wirtshauspost.at | tcp |
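Most of the table above is noise for blocking purposes: the 8.8.8.8:53 rows are the sandbox's resolver, the in-addr.arpa rows are reverse lookups of addresses already contacted, and api.2ip.ua is the public IP-lookup service behind the "Looks up external IP address via web service" signature. The added example below is not part of this report; it parses a copy of the rows (constructed input, taken from the table, plus one unresolved.invalid row that is not on the page and exists only to exercise the queried-but-never-contacted case) into a de-duplicated indicator list, separating hostnames, direct-to-IP connections such as 31.41.244.27:41140 that have no DNS name, and context-only services. It also accepts a row whose empty Domain cell has let the protocol slide one column left, a layout some extracted copies of these reports show.

```python
"""Turn this report's Network table into a de-duplicated IOC list. Added
example; the rows are copied from the table above (constructed input, with
one fabricated unresolved.invalid row), and the noise filters encode
assumptions stated in the comments."""
from collections import defaultdict

NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| RU | 31.41.244.27:41140 | | tcp |
| US | 95.214.27.254:80 | 95.214.27.254 | tcp |
| KR | 211.40.39.251:80 | wirtshauspost.at | tcp |
| KR | 211.40.39.251:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | unresolved.invalid | udp |
"""

RESOLVERS = {"8.8.8.8"}        # the sandbox's DNS server, not attacker infrastructure
CONTEXT_ONLY = {"api.2ip.ua"}   # public IP-lookup service; useful context, not C2


def parse_row(line):
    """Parse one '| Country | Destination | Domain | Proto |' row, or return None."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    # Some extracted copies slide the protocol into an empty Domain cell.
    if domain in ("tcp", "udp") and proto == "":
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def extract_iocs(table):
    """Return {indicator: {kind, ips, ports, countries, connections}}."""
    iocs = defaultdict(lambda: {"kind": "", "ips": set(), "ports": set(),
                                "countries": set(), "connections": 0})
    seen_dns = set()
    for line in table.splitlines():
        row = parse_row(line)
        if row is None or row["domain"].endswith(".in-addr.arpa"):
            continue                              # reverse lookups are sandbox noise
        if row["ip"] in RESOLVERS:
            seen_dns.add(row["domain"])           # remember the name, drop the resolver row
            continue
        key = row["domain"] or row["ip"]          # direct-to-IP connections have no hostname
        entry = iocs[key]
        entry["kind"] = "context" if key in CONTEXT_ONLY else ("ip" if key == row["ip"] else "domain")
        entry["ips"].add(row["ip"])
        entry["ports"].add(row["port"])
        entry["countries"].add(row["country"])
        entry["connections"] += 1
    for name in seen_dns - set(iocs):
        iocs[name]["kind"] = "dns_only"           # queried but never contacted
    return dict(iocs)


def format_iocs(iocs):
    """One line per indicator: hostnames first, then raw IPs, then context and DNS-only names."""
    order = {"domain": 0, "ip": 1, "context": 2, "dns_only": 3}
    lines = []
    for key, e in sorted(iocs.items(), key=lambda kv: (order[kv[1]["kind"]], kv[0])):
        ips = "/".join(sorted(e["ips"]))
        ports = ",".join(str(p) for p in sorted(e["ports"]))
        countries = "/".join(sorted(e["countries"]))
        lines.append(f"{e['kind']:8} {key:22} {ips:16} ports {ports} ({countries}, {e['connections']} conn)")
    return lines


if __name__ == "__main__":
    print("\n".join(format_iocs(extract_iocs(NETWORK_TABLE))))
```

Running this over the full table gives the hostnames (onualituyrs.org and the other .org/.net names on 91.215.85.x and the Google/Singapore cloud addresses, the later wirtshauspost.at and similar second-stage hosts) as domain indicators, the three bare addresses including the high-port 31.41.244.27:41140 as IP indicators, and api.2ip.ua as context; the last group is what to block, the first is what to search proxy logs for.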
Files
memory/3932-1-0x0000000000A40000-0x0000000000B40000-memory.dmp
memory/3932-2-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/3932-3-0x0000000002510000-0x000000000251B000-memory.dmp
memory/3120-4-0x0000000003050000-0x0000000003066000-memory.dmp
memory/3932-5-0x0000000000400000-0x00000000007CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1203.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/3120-17-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-20-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-21-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-22-0x00000000084A0000-0x00000000084B0000-memory.dmp
memory/3120-24-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-23-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-25-0x0000000003280000-0x0000000003290000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1203.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/3120-26-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-28-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-30-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-31-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-32-0x00000000084A0000-0x00000000084B0000-memory.dmp
memory/3120-33-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-35-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-34-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-39-0x00000000084A0000-0x00000000084B0000-memory.dmp
memory/3120-44-0x0000000003280000-0x0000000003290000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\203C.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
C:\Users\Admin\AppData\Local\Temp\203C.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
memory/3120-38-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-37-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-45-0x0000000003280000-0x0000000003290000-memory.dmp
memory/2708-46-0x00000000004B0000-0x0000000000C58000-memory.dmp
memory/3120-50-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-48-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-53-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-55-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-51-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-56-0x0000000003280000-0x0000000003290000-memory.dmp
memory/3120-47-0x0000000008300000-0x0000000008310000-memory.dmp
memory/1656-58-0x0000000000AA0000-0x0000000000B41000-memory.dmp
memory/1656-59-0x0000000002670000-0x000000000278B000-memory.dmp
memory/4956-60-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1203.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/4956-63-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2708-64-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/3120-61-0x00000000084A0000-0x00000000084B0000-memory.dmp
memory/2708-67-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/4956-66-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2708-65-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/2708-69-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/2708-70-0x00000000004B0000-0x0000000000C58000-memory.dmp
memory/2708-74-0x0000000075AA0000-0x0000000075B90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4336.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
memory/2708-72-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/4956-75-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2708-76-0x00000000778E4000-0x00000000778E6000-memory.dmp
memory/2708-71-0x0000000075AA0000-0x0000000075B90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4336.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
memory/4408-80-0x0000000010000000-0x00000000101E4000-memory.dmp
memory/4408-81-0x0000000000B30000-0x0000000000B36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\473F.exe
| MD5 | 7d7ad41ac102ec1f3919414e1346f983 |
| SHA1 | b920bd01839c9b9c5d07ab7925f3ed97a5761b0e |
| SHA256 | f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8 |
| SHA512 | 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008 |
C:\Users\Admin\AppData\Local\Temp\473F.exe
| MD5 | 7d7ad41ac102ec1f3919414e1346f983 |
| SHA1 | b920bd01839c9b9c5d07ab7925f3ed97a5761b0e |
| SHA256 | f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8 |
| SHA512 | 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008 |
memory/2708-87-0x00000000004B0000-0x0000000000C58000-memory.dmp
memory/2708-90-0x0000000005B50000-0x00000000060F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4C22.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\4C22.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4408-95-0x00000000028B0000-0x00000000029B8000-memory.dmp
memory/2708-98-0x0000000005640000-0x00000000056D2000-memory.dmp
memory/2708-100-0x0000000005880000-0x000000000591C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4408-105-0x00000000029C0000-0x0000000002AB0000-memory.dmp
memory/4408-106-0x00000000029C0000-0x0000000002AB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4408-114-0x00000000029C0000-0x0000000002AB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\5105.exe
| MD5 | 8ba58058114c2249080990d19707cfd2 |
| SHA1 | f1aeee66056df1ee8f8a0a09519801eaa1ec1f72 |
| SHA256 | 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4 |
| SHA512 | 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31 |
C:\Users\Admin\AppData\Local\Temp\5105.exe
| MD5 | 8ba58058114c2249080990d19707cfd2 |
| SHA1 | f1aeee66056df1ee8f8a0a09519801eaa1ec1f72 |
| SHA256 | 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4 |
| SHA512 | 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31 |
memory/2708-115-0x0000000005800000-0x000000000580A000-memory.dmp
memory/4408-123-0x00000000029C0000-0x0000000002AB0000-memory.dmp
memory/2708-125-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/4568-126-0x00000000009D0000-0x0000000000AD0000-memory.dmp
memory/4568-127-0x00000000008E0000-0x00000000008EB000-memory.dmp
memory/4568-128-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/2708-129-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/2708-130-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/2708-131-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/2708-132-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/2708-133-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/2708-134-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/2708-135-0x0000000075AA0000-0x0000000075B90000-memory.dmp
memory/4956-136-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4408-138-0x0000000010000000-0x00000000101E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5AAA.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Local\Temp\5AAA.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/1908-146-0x0000000000A70000-0x0000000000AE5000-memory.dmp
memory/1908-147-0x0000000000A00000-0x0000000000A6B000-memory.dmp
memory/1908-145-0x0000000000A00000-0x0000000000A6B000-memory.dmp
memory/3120-148-0x0000000008460000-0x0000000008476000-memory.dmp
memory/1244-153-0x0000000000990000-0x000000000099C000-memory.dmp
memory/2408-152-0x0000000004C40000-0x0000000005046000-memory.dmp
memory/4568-151-0x0000000000400000-0x00000000007CD000-memory.dmp
memory/2408-154-0x0000000005150000-0x0000000005A3B000-memory.dmp
memory/1244-156-0x0000000000990000-0x000000000099C000-memory.dmp
memory/1244-155-0x00000000009A0000-0x00000000009A7000-memory.dmp
memory/2408-157-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Local\a93b1f5d-ccfd-4bd3-acac-eeca9acbc294\1203.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/2708-165-0x0000000005850000-0x000000000586C000-memory.dmp
memory/2708-166-0x0000000005850000-0x0000000005865000-memory.dmp
memory/2708-170-0x0000000005850000-0x0000000005865000-memory.dmp
memory/2408-161-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2708-187-0x0000000005850000-0x0000000005865000-memory.dmp
memory/2708-189-0x0000000005850000-0x0000000005865000-memory.dmp
memory/2708-191-0x0000000005850000-0x0000000005865000-memory.dmp
memory/2708-193-0x0000000005850000-0x0000000005865000-memory.dmp
memory/2708-195-0x0000000005850000-0x0000000005865000-memory.dmp
memory/2708-197-0x0000000005850000-0x0000000005865000-memory.dmp
memory/2708-199-0x0000000005850000-0x0000000005865000-memory.dmp
memory/2708-201-0x0000000005850000-0x0000000005865000-memory.dmp
memory/2708-203-0x0000000005850000-0x0000000005865000-memory.dmp
memory/2708-205-0x0000000005850000-0x0000000005865000-memory.dmp
memory/1908-210-0x0000000000A00000-0x0000000000A6B000-memory.dmp
memory/5008-212-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2708-214-0x0000000075AA0000-0x0000000075B90000-memory.dmp
C:\Users\Admin\AppData\Roaming\crcwtbs
| MD5 | 8ba58058114c2249080990d19707cfd2 |
| SHA1 | f1aeee66056df1ee8f8a0a09519801eaa1ec1f72 |
| SHA256 | 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4 |
| SHA512 | 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31 |
C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe
| MD5 | cac360e5fb18e8f135b7008cb478e15a |
| SHA1 | 37e4f9b25237b12ab283fc70bf89242ab3b83875 |
| SHA256 | e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8 |
| SHA512 | 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32 |
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
| MD5 | 62962daa1b19bbcc2db10b7bfd531ea6 |
| SHA1 | d64bae91091eda6a7532ebec06aa70893b79e1f8 |
| SHA256 | 80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880 |
| SHA512 | 9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7 |
C:\Users\Admin\AppData\Local\Temp\1203.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zx3hqypd.afq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 62912e7da7c7e03a73f43c50b3c70979 |
| SHA1 | a1514787753be0f3d9fd60e253fcdd4fd9805aea |
| SHA256 | ca4e99a2fea0b8c21bcf8dd8333d3df6ff75727db82cb0efd86eefe09b9f2d85 |
| SHA512 | a24bcc548811162591a8c7c3379ac8536f2928de2a250f9ef867d201798621872aa961f4abc3449fa24ce78f3fbf9f88b92c2f63db99d1ef455da5fdf4b3bb75 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 63e590d62a18b96becf2c29b5dbc674b |
| SHA1 | b7bd02c2d1cfc1853ecf582864626070b8b03e73 |
| SHA256 | d3b4e91c237209e8a7f2b86ef60f99d79716b76f7912c66b1dbf4c87ce3a0195 |
| SHA512 | 307286f368ff2c29e70f3511edf850a647d9c9a879ebdb580c42e66ae8faec7832f849f80091235be4414a0e48316d2434ba5ac0ca4eb8bfed4135065c9efebb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 707cc533f7399d8315ea0fc17c327bd4 |
| SHA1 | ce902f30646ae767e993134dcc7135c4a9708abd |
| SHA256 | 8cbcd25bbe5ee145e3e89a242c86ac78e2d6925208f269114d638cf9a1c57d3c |
| SHA512 | cb0d2e9d82b31894bae098825a324cbe1327885b0d47819e3d987e59a9f5ad08c5164bf1c96c6acd5d9338310b64b76d6b0028abddb7e3ce27371e8c9a3151ce |