Malware Analysis Report

2025-01-18 06:55

Sample ID: 231017-bzq5rsgf2z
Target file SHA256: 779a53aa3f90186b419cce157caefc492dd5c07072bbc9560992845fbeb34c64
Tags: amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery evasion infostealer persistence ransomware themida trojan glupteba pub1 dropper loader
Score: 10/10

Analysis Overview

Threat Level: Known bad

The submitted file (file.exe) was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

SmokeLoader

Glupteba

Detected Djvu ransomware

Djvu Ransomware

RedLine payload

RedLine

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Deletes itself

Executes dropped EXE

Themida packer

Loads dropped DLL

Modifies file permissions

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

outlook_office_path

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious use of UnmapMainImage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-17 01:35

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-17 01:35
Reported: 2023-10-17 01:37
Platform: win7-20230831-en
Max time kernel: 132s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | N/A

Deletes itself

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Themida packer

themida

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a5940991-cb27-4d53-9ec2-2cf85d454aa1\\A86F.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\A86F.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AB7C.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C24B.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C24B.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1252 wrote to memory of 2616 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A86F.exe
PID 1252 wrote to memory of 2652 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AB7C.exe
PID 2616 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\A86F.exe | C:\Users\Admin\AppData\Local\Temp\A86F.exe
PID 1252 wrote to memory of 2896 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1252 wrote to memory of 1368 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AF94.exe
PID 2896 wrote to memory of 2492 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1252 wrote to memory of 2912 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B417.exe
PID 2912 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\B417.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2588 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2588 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2864 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2880 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2500 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cacls.exe
PID 2500 wrote to memory of 2744 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\A86F.exe

C:\Users\Admin\AppData\Local\Temp\A86F.exe

C:\Users\Admin\AppData\Local\Temp\AB7C.exe

C:\Users\Admin\AppData\Local\Temp\AB7C.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AE7A.dll

C:\Users\Admin\AppData\Local\Temp\A86F.exe

C:\Users\Admin\AppData\Local\Temp\A86F.exe

C:\Users\Admin\AppData\Local\Temp\AF94.exe

C:\Users\Admin\AppData\Local\Temp\AF94.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AE7A.dll

C:\Users\Admin\AppData\Local\Temp\B417.exe

C:\Users\Admin\AppData\Local\Temp\B417.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\C24B.exe

C:\Users\Admin\AppData\Local\Temp\C24B.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a5940991-cb27-4d53-9ec2-2cf85d454aa1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\A86F.exe

"C:\Users\Admin\AppData\Local\Temp\A86F.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\A86F.exe

"C:\Users\Admin\AppData\Local\Temp\A86F.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\taskeng.exe

taskeng.exe {DA1F22D8-632B-4841-B1D0-DAB8AFD16B3F} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231017013701.log C:\Windows\Logs\CBS\CbsPersist_20231017013701.cab

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\C24B.exe

"C:\Users\Admin\AppData\Local\Temp\C24B.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\A86F.exe

C:\Users\Admin\AppData\Local\Temp\AB7C.exe

C:\Users\Admin\AppData\Local\Temp\AE7A.dll

C:\Users\Admin\AppData\Local\Temp\AF94.exe

C:\Users\Admin\AppData\Local\Temp\B417.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\C24B.exe

C:\Users\Admin\AppData\Local\a5940991-cb27-4d53-9ec2-2cf85d454aa1\A86F.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\Local\Temp\Cab5679.tmp

memory/2652-185-0x0000000000520000-0x0000000000535000-memory.dmp

memory/2652-183-0x0000000000520000-0x0000000000535000-memory.dmp

memory/2652-181-0x0000000000520000-0x0000000000535000-memory.dmp

memory/2652-179-0x0000000000520000-0x0000000000535000-memory.dmp

memory/2652-177-0x0000000000520000-0x0000000000535000-memory.dmp

memory/2652-175-0x0000000000520000-0x0000000000535000-memory.dmp

memory/2652-173-0x0000000000520000-0x0000000000535000-memory.dmp

memory/2652-171-0x0000000000520000-0x0000000000535000-memory.dmp

memory/2652-168-0x0000000000520000-0x0000000000535000-memory.dmp

memory/2652-167-0x0000000000520000-0x0000000000535000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C24B.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-17 01:35

Reported

2023-10-17 01:40

Platform

win10v2004-20230915-en

Max time kernel

234s

Max time network

267s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\203C.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\203C.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\203C.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4C22.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1203.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a93b1f5d-ccfd-4bd3-acac-eeca9acbc294\\1203.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\1203.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\203C.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\203C.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5105.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5105.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5105.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5105.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\203C.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3120 wrote to memory of 1656 N/A N/A C:\Users\Admin\AppData\Local\Temp\1203.exe
PID 3120 wrote to memory of 1656 N/A N/A C:\Users\Admin\AppData\Local\Temp\1203.exe
PID 3120 wrote to memory of 1656 N/A N/A C:\Users\Admin\AppData\Local\Temp\1203.exe
PID 3120 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\Temp\203C.exe
PID 3120 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\Temp\203C.exe
PID 3120 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\Temp\203C.exe
PID 1656 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\1203.exe C:\Users\Admin\AppData\Local\Temp\1203.exe
PID 1656 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\1203.exe C:\Users\Admin\AppData\Local\Temp\1203.exe
PID 1656 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\1203.exe C:\Users\Admin\AppData\Local\Temp\1203.exe
PID 1656 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\1203.exe C:\Users\Admin\AppData\Local\Temp\1203.exe
PID 1656 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\1203.exe C:\Users\Admin\AppData\Local\Temp\1203.exe
PID 1656 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\1203.exe C:\Users\Admin\AppData\Local\Temp\1203.exe
PID 1656 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\1203.exe C:\Users\Admin\AppData\Local\Temp\1203.exe
PID 1656 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\1203.exe C:\Users\Admin\AppData\Local\Temp\1203.exe
PID 1656 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\1203.exe C:\Users\Admin\AppData\Local\Temp\1203.exe
PID 1656 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\1203.exe C:\Users\Admin\AppData\Local\Temp\1203.exe
PID 3120 wrote to memory of 4508 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3120 wrote to memory of 4508 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4508 wrote to memory of 4408 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4508 wrote to memory of 4408 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4508 wrote to memory of 4408 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3120 wrote to memory of 3540 N/A N/A C:\Users\Admin\AppData\Local\Temp\473F.exe
PID 3120 wrote to memory of 3540 N/A N/A C:\Users\Admin\AppData\Local\Temp\473F.exe
PID 3120 wrote to memory of 3540 N/A N/A C:\Users\Admin\AppData\Local\Temp\473F.exe
PID 3120 wrote to memory of 4460 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C22.exe
PID 3120 wrote to memory of 4460 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C22.exe
PID 3120 wrote to memory of 4460 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C22.exe
PID 4460 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\4C22.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4460 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\4C22.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4460 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\4C22.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3120 wrote to memory of 4568 N/A N/A C:\Users\Admin\AppData\Local\Temp\5105.exe
PID 3120 wrote to memory of 4568 N/A N/A C:\Users\Admin\AppData\Local\Temp\5105.exe
PID 3120 wrote to memory of 4568 N/A N/A C:\Users\Admin\AppData\Local\Temp\5105.exe
PID 4956 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\1203.exe C:\Windows\SysWOW64\icacls.exe
PID 4956 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\1203.exe C:\Windows\SysWOW64\icacls.exe
PID 4956 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\1203.exe C:\Windows\SysWOW64\icacls.exe
PID 3120 wrote to memory of 2408 N/A N/A C:\Users\Admin\AppData\Local\Temp\5AAA.exe
PID 3120 wrote to memory of 2408 N/A N/A C:\Users\Admin\AppData\Local\Temp\5AAA.exe
PID 3120 wrote to memory of 2408 N/A N/A C:\Users\Admin\AppData\Local\Temp\5AAA.exe
PID 4324 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4324 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4324 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3120 wrote to memory of 1908 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3120 wrote to memory of 1908 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3120 wrote to memory of 1908 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3120 wrote to memory of 1908 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 4324 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 1244 N/A N/A C:\Windows\explorer.exe
PID 3120 wrote to memory of 1244 N/A N/A C:\Windows\explorer.exe
PID 3120 wrote to memory of 1244 N/A N/A C:\Windows\explorer.exe
PID 3748 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3748 wrote to memory of 516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3748 wrote to memory of 516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2708 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\203C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2708 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\203C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2708 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\203C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2708 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\203C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2708 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\203C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2708 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\203C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\1203.exe

C:\Users\Admin\AppData\Local\Temp\1203.exe

C:\Users\Admin\AppData\Local\Temp\203C.exe

C:\Users\Admin\AppData\Local\Temp\203C.exe

C:\Users\Admin\AppData\Local\Temp\1203.exe

C:\Users\Admin\AppData\Local\Temp\1203.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4336.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\4336.dll

C:\Users\Admin\AppData\Local\Temp\473F.exe

C:\Users\Admin\AppData\Local\Temp\473F.exe

C:\Users\Admin\AppData\Local\Temp\4C22.exe

C:\Users\Admin\AppData\Local\Temp\4C22.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a93b1f5d-ccfd-4bd3-acac-eeca9acbc294" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5105.exe

C:\Users\Admin\AppData\Local\Temp\5105.exe

C:\Users\Admin\AppData\Local\Temp\5AAA.exe

C:\Users\Admin\AppData\Local\Temp\5AAA.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1203.exe

"C:\Users\Admin\AppData\Local\Temp\1203.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe

"C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe"

C:\Users\Admin\AppData\Local\Temp\1203.exe

"C:\Users\Admin\AppData\Local\Temp\1203.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 snukerukeutit.org udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 8.86.21.104.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 mikolyda.beget.tech udp
RU 91.106.207.50:80 mikolyda.beget.tech tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 50.207.106.91.in-addr.arpa udp
US 8.8.8.8:53 hoffmanlevi.space udp
RU 45.130.41.106:443 hoffmanlevi.space tcp
US 8.8.8.8:53 106.41.130.45.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
US 95.214.27.254:80 95.214.27.254 tcp
US 8.8.8.8:53 254.27.214.95.in-addr.arpa udp
US 95.214.27.254:80 95.214.27.254 tcp
US 8.8.8.8:53 wirtshauspost.at udp
KR 211.40.39.251:80 wirtshauspost.at tcp
KR 211.40.39.251:80 wirtshauspost.at tcp
US 8.8.8.8:53 251.39.40.211.in-addr.arpa udp
KR 211.40.39.251:80 wirtshauspost.at tcp
KR 211.40.39.251:80 wirtshauspost.at tcp
KR 211.40.39.251:80 wirtshauspost.at tcp
US 188.114.96.0:443 api.2ip.ua tcp
KR 211.40.39.251:80 wirtshauspost.at tcp
KR 211.40.39.251:80 wirtshauspost.at tcp
KR 211.40.39.251:80 wirtshauspost.at tcp
KR 211.40.39.251:80 wirtshauspost.at tcp
KR 211.40.39.251:80 wirtshauspost.at tcp

Files

memory/3932-1-0x0000000000A40000-0x0000000000B40000-memory.dmp

memory/3932-2-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/3932-3-0x0000000002510000-0x000000000251B000-memory.dmp

memory/3120-4-0x0000000003050000-0x0000000003066000-memory.dmp

memory/3932-5-0x0000000000400000-0x00000000007CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1203.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/3120-17-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-20-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-21-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-22-0x00000000084A0000-0x00000000084B0000-memory.dmp

memory/3120-24-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-23-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-25-0x0000000003280000-0x0000000003290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1203.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/3120-26-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-28-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-30-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-31-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-32-0x00000000084A0000-0x00000000084B0000-memory.dmp

memory/3120-33-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-35-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-34-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-39-0x00000000084A0000-0x00000000084B0000-memory.dmp

memory/3120-44-0x0000000003280000-0x0000000003290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\203C.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

C:\Users\Admin\AppData\Local\Temp\203C.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/3120-38-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-37-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-45-0x0000000003280000-0x0000000003290000-memory.dmp

memory/2708-46-0x00000000004B0000-0x0000000000C58000-memory.dmp

memory/3120-50-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-48-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-53-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-55-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-51-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-56-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3120-47-0x0000000008300000-0x0000000008310000-memory.dmp

memory/1656-58-0x0000000000AA0000-0x0000000000B41000-memory.dmp

memory/1656-59-0x0000000002670000-0x000000000278B000-memory.dmp

memory/4956-60-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1203.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/4956-63-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2708-64-0x0000000075AA0000-0x0000000075B90000-memory.dmp

memory/3120-61-0x00000000084A0000-0x00000000084B0000-memory.dmp

memory/2708-67-0x0000000075AA0000-0x0000000075B90000-memory.dmp

memory/4956-66-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2708-65-0x0000000075AA0000-0x0000000075B90000-memory.dmp

memory/2708-69-0x0000000075AA0000-0x0000000075B90000-memory.dmp

memory/2708-70-0x00000000004B0000-0x0000000000C58000-memory.dmp

memory/2708-74-0x0000000075AA0000-0x0000000075B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4336.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/2708-72-0x0000000075AA0000-0x0000000075B90000-memory.dmp

memory/4956-75-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2708-76-0x00000000778E4000-0x00000000778E6000-memory.dmp

memory/2708-71-0x0000000075AA0000-0x0000000075B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4336.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/4408-80-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/4408-81-0x0000000000B30000-0x0000000000B36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\473F.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

C:\Users\Admin\AppData\Local\Temp\473F.exe

MD5 7d7ad41ac102ec1f3919414e1346f983
SHA1 b920bd01839c9b9c5d07ab7925f3ed97a5761b0e
SHA256 f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8
SHA512 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008

memory/2708-87-0x00000000004B0000-0x0000000000C58000-memory.dmp

memory/2708-90-0x0000000005B50000-0x00000000060F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4C22.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4C22.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4408-95-0x00000000028B0000-0x00000000029B8000-memory.dmp

memory/2708-98-0x0000000005640000-0x00000000056D2000-memory.dmp

memory/2708-100-0x0000000005880000-0x000000000591C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4408-105-0x00000000029C0000-0x0000000002AB0000-memory.dmp

memory/4408-106-0x00000000029C0000-0x0000000002AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4408-114-0x00000000029C0000-0x0000000002AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5105.exe

MD5 8ba58058114c2249080990d19707cfd2
SHA1 f1aeee66056df1ee8f8a0a09519801eaa1ec1f72
SHA256 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4
SHA512 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31

memory/2708-115-0x0000000005800000-0x000000000580A000-memory.dmp

memory/4408-123-0x00000000029C0000-0x0000000002AB0000-memory.dmp

memory/2708-125-0x0000000075AA0000-0x0000000075B90000-memory.dmp

memory/4568-126-0x00000000009D0000-0x0000000000AD0000-memory.dmp

memory/4568-127-0x00000000008E0000-0x00000000008EB000-memory.dmp

memory/4568-128-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/2708-129-0x0000000075AA0000-0x0000000075B90000-memory.dmp

memory/2708-130-0x0000000075AA0000-0x0000000075B90000-memory.dmp

memory/2708-131-0x0000000075AA0000-0x0000000075B90000-memory.dmp

memory/2708-132-0x0000000075AA0000-0x0000000075B90000-memory.dmp

memory/2708-133-0x0000000075AA0000-0x0000000075B90000-memory.dmp

memory/2708-134-0x0000000075AA0000-0x0000000075B90000-memory.dmp

memory/2708-135-0x0000000075AA0000-0x0000000075B90000-memory.dmp

memory/4956-136-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4408-138-0x0000000010000000-0x00000000101E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5AAA.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1908-146-0x0000000000A70000-0x0000000000AE5000-memory.dmp

memory/1908-147-0x0000000000A00000-0x0000000000A6B000-memory.dmp

memory/1908-145-0x0000000000A00000-0x0000000000A6B000-memory.dmp

memory/3120-148-0x0000000008460000-0x0000000008476000-memory.dmp

memory/1244-153-0x0000000000990000-0x000000000099C000-memory.dmp

memory/2408-152-0x0000000004C40000-0x0000000005046000-memory.dmp

memory/4568-151-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/2408-154-0x0000000005150000-0x0000000005A3B000-memory.dmp

memory/1244-156-0x0000000000990000-0x000000000099C000-memory.dmp

memory/1244-155-0x00000000009A0000-0x00000000009A7000-memory.dmp

memory/2408-157-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\a93b1f5d-ccfd-4bd3-acac-eeca9acbc294\1203.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

memory/2708-165-0x0000000005850000-0x000000000586C000-memory.dmp

memory/2708-166-0x0000000005850000-0x0000000005865000-memory.dmp

memory/2708-170-0x0000000005850000-0x0000000005865000-memory.dmp

memory/2408-161-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2708-187-0x0000000005850000-0x0000000005865000-memory.dmp

memory/2708-189-0x0000000005850000-0x0000000005865000-memory.dmp

memory/2708-191-0x0000000005850000-0x0000000005865000-memory.dmp

memory/2708-193-0x0000000005850000-0x0000000005865000-memory.dmp

memory/2708-195-0x0000000005850000-0x0000000005865000-memory.dmp

memory/2708-197-0x0000000005850000-0x0000000005865000-memory.dmp

memory/2708-199-0x0000000005850000-0x0000000005865000-memory.dmp

memory/2708-201-0x0000000005850000-0x0000000005865000-memory.dmp

memory/2708-203-0x0000000005850000-0x0000000005865000-memory.dmp

memory/2708-205-0x0000000005850000-0x0000000005865000-memory.dmp

memory/1908-210-0x0000000000A00000-0x0000000000A6B000-memory.dmp

memory/5008-212-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2708-214-0x0000000075AA0000-0x0000000075B90000-memory.dmp

C:\Users\Admin\AppData\Roaming\crcwtbs

MD5 8ba58058114c2249080990d19707cfd2
SHA1 f1aeee66056df1ee8f8a0a09519801eaa1ec1f72
SHA256 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4
SHA512 79b34ad79a383029ff0ac49b5586bdcb6a51dce4a1df547157d7641a8b8cc4585f8d425de3a8f3872a03dab76dc7ea449cea0ffcd516dfd152f39c44ff908d31

C:\Users\Admin\AppData\Local\Temp\1000117001\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 62962daa1b19bbcc2db10b7bfd531ea6
SHA1 d64bae91091eda6a7532ebec06aa70893b79e1f8
SHA256 80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880
SHA512 9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

C:\Users\Admin\AppData\Local\Temp\1203.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
SHA512 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zx3hqypd.afq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 62912e7da7c7e03a73f43c50b3c70979
SHA1 a1514787753be0f3d9fd60e253fcdd4fd9805aea
SHA256 ca4e99a2fea0b8c21bcf8dd8333d3df6ff75727db82cb0efd86eefe09b9f2d85
SHA512 a24bcc548811162591a8c7c3379ac8536f2928de2a250f9ef867d201798621872aa961f4abc3449fa24ce78f3fbf9f88b92c2f63db99d1ef455da5fdf4b3bb75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 63e590d62a18b96becf2c29b5dbc674b
SHA1 b7bd02c2d1cfc1853ecf582864626070b8b03e73
SHA256 d3b4e91c237209e8a7f2b86ef60f99d79716b76f7912c66b1dbf4c87ce3a0195
SHA512 307286f368ff2c29e70f3511edf850a647d9c9a879ebdb580c42e66ae8faec7832f849f80091235be4414a0e48316d2434ba5ac0ca4eb8bfed4135065c9efebb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 707cc533f7399d8315ea0fc17c327bd4
SHA1 ce902f30646ae767e993134dcc7135c4a9708abd
SHA256 8cbcd25bbe5ee145e3e89a242c86ac78e2d6925208f269114d638cf9a1c57d3c
SHA512 cb0d2e9d82b31894bae098825a324cbe1327885b0d47819e3d987e59a9f5ad08c5164bf1c96c6acd5d9338310b64b76d6b0028abddb7e3ce27371e8c9a3151ce
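The file listing above is only useful to a responder once it is turned into a deduplicated IOC set. The same SHA256 shows up under several paths (for example 4C22.exe and 577f58beff\yiueea.exe, 5105.exe and Roaming\crcwtbs, 1203.exe in Temp and in a GUID-named folder under Local), which in a report of this kind usually means a stage copied itself to a persistence location; the section does not say which family each copy belongs to, so the script below does not guess. The following is an added example, not part of the sandbox report: it parses the listing format used on this page (path, blank line, hash lines, and memory/PID-seq-start-end-memory.dmp entries), validates hash lengths, groups paths by SHA256, and sizes the dumped memory regions. The embedded LISTING is a constructed excerpt copied from the entries above (SHA512 lines omitted for width; the parser still accepts them).

```python
import re
from collections import defaultdict

# Expected hex length of each digest in the listing; a mismatch means a truncated or mis-copied IOC.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Sandbox memory dump naming as used on this page: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed excerpt of the dropped-file listing above (paths and hashes taken from this report).
LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\4C22.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

memory/4408-95-0x00000000028B0000-0x00000000029B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

C:\Users\Admin\AppData\Local\Temp\5105.exe

MD5 8ba58058114c2249080990d19707cfd2
SHA1 f1aeee66056df1ee8f8a0a09519801eaa1ec1f72
SHA256 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4

memory/2408-157-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\a93b1f5d-ccfd-4bd3-acac-eeca9acbc294\1203.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7

C:\Users\Admin\AppData\Roaming\crcwtbs

MD5 8ba58058114c2249080990d19707cfd2
SHA1 f1aeee66056df1ee8f8a0a09519801eaa1ec1f72
SHA256 77bf2578bc2a527cd2449186a767359b5ff32b7beb3150787770c73370119dd4

C:\Users\Admin\AppData\Local\Temp\1203.exe

MD5 83d5f72c8cf168c87a13a7104e2cf1f8
SHA1 bffcd4da68d49d9d749497b21650ce2600546140
SHA256 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7
"""


def parse_listing(text):
    """Return (files, regions): files is a list of (path, {algo: digest}),
    regions is a list of (pid, seq, start, end) for memory dump entries."""
    files, regions = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None          # a dump entry closes the current file entry
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2).lower()
            continue
        current = (line, {})        # anything else is a path opening a new entry
        files.append(current)
    return files, regions


def check_hashes(files):
    """Flag entries whose digests have the wrong length or that lack a SHA256."""
    problems = []
    for path, hashes in files:
        for algo, digest in hashes.items():
            if len(digest) != HASH_LEN[algo]:
                problems.append(f"{path}: {algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
        if "SHA256" not in hashes:
            problems.append(f"{path}: no SHA256")
    return problems


def group_by_sha256(files):
    """Map each SHA256 to the sorted list of paths it was written to."""
    groups = defaultdict(set)
    for path, hashes in files:
        if "SHA256" in hashes:
            groups[hashes["SHA256"]].add(path)
    return {sha: sorted(paths) for sha, paths in groups.items()}


def self_copies(groups):
    """Only the digests dropped under more than one path: candidates for persistence copies."""
    return {sha: paths for sha, paths in groups.items() if len(paths) > 1}


def region_size(region):
    """Size in bytes of a dumped region (end - start)."""
    return region[3] - region[2]


def largest_region_per_pid(regions):
    """The biggest dumped region for each PID, a quick pointer to where an unpacked image may sit."""
    best = {}
    for r in regions:
        if r[0] not in best or region_size(r) > region_size(best[r[0]]):
            best[r[0]] = r
    return best


if __name__ == "__main__":
    files, regions = parse_listing(LISTING)
    for p in check_hashes(files):
        print("WARN", p)
    for sha, paths in self_copies(group_by_sha256(files)).items():
        print(sha, "->", paths)
    for pid, r in largest_region_per_pid(regions).items():
        print(f"pid {pid}: 0x{r[2]:X}-0x{r[3]:X} ({region_size(r)} bytes)")
```

Run it on the full section by replacing LISTING with the text of this page; the SHA256 groups are what goes into a blocklist, while the per-path list is what a host-based sweep should look for. Note that the 0x400000 region in PID 2408 is far larger than a typical small loader image, which is why a responder would pull that dump first for unpacked strings and configuration.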