Malware Analysis Report

2025-01-18 06:23

Sample ID 231017-l29p1aba7y
Target file
SHA256 3c0c51d03ba888e6faa5d930d0a747e21901af69250bc137b55e85c6e1d0d963
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor dropper evasion infostealer loader ransomware themida trojan collection discovery persistence
score
10/10

Analysis Overview

score
10/10

SHA256

3c0c51d03ba888e6faa5d930d0a747e21901af69250bc137b55e85c6e1d0d963

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

Glupteba

SmokeLoader

Amadey

Djvu Ransomware

RedLine payload

Glupteba payload

RedLine

Detected Djvu ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Executes dropped EXE

Modifies file permissions

Checks BIOS information in registry

Loads dropped DLL

Deletes itself

Themida packer

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-17 10:02

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-17 10:02

Reported

2023-10-17 10:07

Platform

win10v2004-20230915-en

Max time kernel

241s

Max time network

253s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2C42.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2C42.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2C42.exe N/A

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Themida packer

themida

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2C42.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2C42.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1540 set thread context of 1436 N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 1144 set thread context of 4556 N/A C:\Users\Admin\AppData\Local\Temp\3220.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\D344.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\D344.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\D344.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D344.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 1540 N/A N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 3100 wrote to memory of 1540 N/A N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 3100 wrote to memory of 1540 N/A N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 1540 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 1540 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 1540 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 1540 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 1540 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 1540 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 1540 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 1540 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 1540 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 1540 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\16D5.exe C:\Users\Admin\AppData\Local\Temp\16D5.exe
PID 3100 wrote to memory of 4304 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C42.exe
PID 3100 wrote to memory of 4304 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C42.exe
PID 3100 wrote to memory of 4304 N/A N/A C:\Users\Admin\AppData\Local\Temp\2C42.exe
PID 3100 wrote to memory of 2748 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3100 wrote to memory of 2748 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3100 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\Temp\3220.exe
PID 3100 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\Temp\3220.exe
PID 3100 wrote to memory of 1144 N/A N/A C:\Users\Admin\AppData\Local\Temp\3220.exe
PID 3100 wrote to memory of 2220 N/A N/A C:\Users\Admin\AppData\Local\Temp\BBB4.exe
PID 3100 wrote to memory of 2220 N/A N/A C:\Users\Admin\AppData\Local\Temp\BBB4.exe
PID 3100 wrote to memory of 2220 N/A N/A C:\Users\Admin\AppData\Local\Temp\BBB4.exe
PID 2748 wrote to memory of 3308 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2748 wrote to memory of 3308 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2748 wrote to memory of 3308 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3100 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\D344.exe
PID 3100 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\D344.exe
PID 3100 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\D344.exe
PID 3100 wrote to memory of 5092 N/A N/A C:\Users\Admin\AppData\Local\Temp\E854.exe
PID 3100 wrote to memory of 5092 N/A N/A C:\Users\Admin\AppData\Local\Temp\E854.exe
PID 3100 wrote to memory of 5092 N/A N/A C:\Users\Admin\AppData\Local\Temp\E854.exe
PID 3100 wrote to memory of 3592 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3100 wrote to memory of 3592 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1144 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\3220.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1144 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\3220.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1144 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\3220.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1144 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\3220.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1144 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\3220.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1144 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\3220.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1144 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\3220.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1144 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\3220.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3592 wrote to memory of 3736 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3592 wrote to memory of 3736 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3592 wrote to memory of 3736 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\16D5.exe

C:\Users\Admin\AppData\Local\Temp\16D5.exe

C:\Users\Admin\AppData\Local\Temp\16D5.exe

C:\Users\Admin\AppData\Local\Temp\16D5.exe

C:\Users\Admin\AppData\Local\Temp\2C42.exe

C:\Users\Admin\AppData\Local\Temp\2C42.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\30B8.dll

C:\Users\Admin\AppData\Local\Temp\3220.exe

C:\Users\Admin\AppData\Local\Temp\3220.exe

C:\Users\Admin\AppData\Local\Temp\BBB4.exe

C:\Users\Admin\AppData\Local\Temp\BBB4.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\30B8.dll

C:\Users\Admin\AppData\Local\Temp\D344.exe

C:\Users\Admin\AppData\Local\Temp\D344.exe

C:\Users\Admin\AppData\Local\Temp\E854.exe

C:\Users\Admin\AppData\Local\Temp\E854.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\16B.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\16B.dll

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\16D5.exe

C:\Users\Admin\AppData\Local\Temp\2C42.exe

C:\Users\Admin\AppData\Local\Temp\30B8.dll

C:\Users\Admin\AppData\Local\Temp\3220.exe

C:\Users\Admin\AppData\Local\Temp\BBB4.exe

C:\Users\Admin\AppData\Local\Temp\D344.exe

C:\Users\Admin\AppData\Local\Temp\E854.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\16B.dll

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-17 10:02

Reported

2023-10-17 10:06

Platform

win7-20230831-en

Max time kernel

105s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9898.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9898.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9898.exe N/A

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b4e63f95-5a9f-456e-a608-f832311a32b8\\93C7.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\93C7.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\9898.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9898.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; the Rows column gives the number of entries in the original listing. The report does not resolve the image of PID 1216, which is the writer for every first-level target.

Description Indicator Process Target Rows
PID 1216 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\Temp\93C7.exe 4
PID 2892 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\93C7.exe C:\Users\Admin\AppData\Local\Temp\93C7.exe 11
PID 1216 wrote to memory of 3044 N/A N/A C:\Users\Admin\AppData\Local\Temp\9898.exe 4
PID 1216 wrote to memory of 2284 N/A N/A C:\Windows\system32\regsvr32.exe 5
PID 2284 wrote to memory of 2380 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe 7
PID 1216 wrote to memory of 2696 N/A N/A C:\Users\Admin\AppData\Local\Temp\A038.exe 4
PID 1216 wrote to memory of 1524 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5E4.exe 4
PID 1216 wrote to memory of 992 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA40.exe 4
PID 1216 wrote to memory of 1336 N/A N/A C:\Windows\system32\regsvr32.exe 5
PID 1336 wrote to memory of 1992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe 7
PID 1216 wrote to memory of 1404 N/A N/A C:\Windows\SysWOW64\explorer.exe 5
PID 1524 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\A5E4.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe 4
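The WriteProcessMemory table is a flat event list; what an analyst wants from it is the injection tree rooted at PID 1216 and the edges that carry more writes than the others. The following is an added example, not part of the sandbox report, that parses rows in the report's own column format, collapses repeats, walks writer to target chains from the root, and labels each edge. The row set is a constructed subset of the table above (one row per distinct pair, with the 2892 to 2632 pair repeated); the labels and the "self-image" heuristic are the editor's, and PID 1216's image stays N/A because the report never resolves it.

```python
import re
from collections import Counter, defaultdict

# Rows in the report's "Suspicious use of WriteProcessMemory" column order
# (Description Indicator Process Target). Constructed input for this example:
# one row per distinct writer/target pair from the table above, with the
# 2892 -> 2632 pair repeated so the row count is exercised. The report never
# resolves the image of PID 1216, so its Process column stays N/A.
WPM_ROWS = r"""
PID 1216 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\Temp\93C7.exe
PID 2892 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\93C7.exe C:\Users\Admin\AppData\Local\Temp\93C7.exe
PID 2892 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\93C7.exe C:\Users\Admin\AppData\Local\Temp\93C7.exe
PID 1216 wrote to memory of 3044 N/A N/A C:\Users\Admin\AppData\Local\Temp\9898.exe
PID 1216 wrote to memory of 2284 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2284 wrote to memory of 2380 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1216 wrote to memory of 2696 N/A N/A C:\Users\Admin\AppData\Local\Temp\A038.exe
PID 1216 wrote to memory of 1524 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5E4.exe
PID 1216 wrote to memory of 992 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA40.exe
PID 1216 wrote to memory of 1336 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1336 wrote to memory of 1992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1216 wrote to memory of 1404 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1524 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\A5E4.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<indicator>\S+) (?P<writer_image>\S+) (?P<target_image>\S+)$"
)


def parse_writes(text):
    """Collapse rows into {(writer_pid, target_pid): (writer_image, target_image, rows)}."""
    rows = Counter()
    images = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank line or a row in another signature's format
        edge = (int(m["writer"]), int(m["target"]))
        rows[edge] += 1
        images[edge] = (m["writer_image"], m["target_image"])
    return {edge: images[edge] + (n,) for edge, n in rows.items()}


def build_chains(writes):
    """Follow writer -> target edges from every root (a PID nothing wrote into)."""
    children = defaultdict(list)
    targets = set()
    for writer, target in writes:
        children[writer].append(target)
        targets.add(target)
    chains = []

    def walk(pid, path):
        if pid not in children:
            chains.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path + [child])

    for root in sorted(set(children) - targets):
        walk(root, [root])
    return chains


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(writes):
    """Label each edge. 'self-image': the writer started a fresh copy of its own
    binary and writes into it (the suspended-child pattern that goes with the
    SetThreadContext signature in this report); 'system-image': the target is a
    Windows binary; 'dropped-image': the target is a dropped file."""
    labels = {}
    for edge, (writer_image, target_image, _rows) in writes.items():
        if writer_image != "N/A" and image_name(writer_image) == image_name(target_image):
            labels[edge] = "self-image"
        elif target_image.lower().startswith("c:\\windows\\"):
            labels[edge] = "system-image"
        else:
            labels[edge] = "dropped-image"
    return labels


def heaviest(writes, top=3):
    """Edges ordered by row count. In the full table every child 1216 spawned gets a
    uniform 4-5 rows; the two self-image edges stand out with 7 and 11."""
    return sorted(writes.items(), key=lambda kv: -kv[1][2])[:top]


if __name__ == "__main__":
    writes = parse_writes(WPM_ROWS)
    labels = classify(writes)
    for chain in build_chains(writes):
        print(" -> ".join(str(p) for p in chain))
    for (w, t), (_wi, ti, n) in heaviest(writes):
        print(f"{w}->{t} {labels[(w, t)]:14} rows={n} {ti}")
```

Run against the full table, the chain output is the process tree the Processes list below shows piecemeal, and the two self-image edges (93C7.exe into a second 93C7.exe, 64-bit regsvr32.exe into the SysWOW64 regsvr32.exe) are the ones to pull memory dumps for.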

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\93C7.exe

C:\Users\Admin\AppData\Local\Temp\93C7.exe

C:\Users\Admin\AppData\Local\Temp\93C7.exe

C:\Users\Admin\AppData\Local\Temp\93C7.exe

C:\Users\Admin\AppData\Local\Temp\9898.exe

C:\Users\Admin\AppData\Local\Temp\9898.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\9E73.dll

C:\Users\Admin\AppData\Local\Temp\A038.exe

C:\Users\Admin\AppData\Local\Temp\A038.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9E73.dll

C:\Users\Admin\AppData\Local\Temp\A5E4.exe

C:\Users\Admin\AppData\Local\Temp\A5E4.exe

C:\Users\Admin\AppData\Local\Temp\BA40.exe

C:\Users\Admin\AppData\Local\Temp\BA40.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EBEB.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\EBEB.dll

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b4e63f95-5a9f-456e-a608-f832311a32b8" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\93C7.exe

"C:\Users\Admin\AppData\Local\Temp\93C7.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\93C7.exe

"C:\Users\Admin\AppData\Local\Temp\93C7.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231017100535.log C:\Windows\Logs\CBS\CbsPersist_20231017100535.cab

C:\Windows\system32\taskeng.exe

taskeng.exe {22556CAB-0913-4E8F-B924-4ED1769DE58C} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\0ca2eaef-6f86-435c-bf85-502b37b5fdde\build2.exe

"C:\Users\Admin\AppData\Local\0ca2eaef-6f86-435c-bf85-502b37b5fdde\build2.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\0ca2eaef-6f86-435c-bf85-502b37b5fdde\build2.exe

"C:\Users\Admin\AppData\Local\0ca2eaef-6f86-435c-bf85-502b37b5fdde\build2.exe"

C:\Users\Admin\AppData\Local\0ca2eaef-6f86-435c-bf85-502b37b5fdde\build3.exe

"C:\Users\Admin\AppData\Local\0ca2eaef-6f86-435c-bf85-502b37b5fdde\build3.exe"

C:\Users\Admin\AppData\Local\Temp\BA40.exe

"C:\Users\Admin\AppData\Local\Temp\BA40.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe
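The Processes list above carries the whole persistence and defence-evasion chain as raw command lines: a scheduled task re-running yiueea.exe every minute, icacls and cacls stripping delete rights from the malware's own folder and binary, a netsh rule opening the firewall for C:\Windows\rss\csrss.exe, regsvr32 /s loading a DLL out of Temp, and AppLaunch.exe started with no arguments. As an added example, not from the report, the Python below applies command-line rules for those patterns and returns the matching ATT&CK technique IDs. The rules, the trusted-directory list and the AppLaunch.exe heuristic are the editor's; the command lines are copied from the list above as constructed input.

```python
import re

# Command lines copied from the Processes list above. Constructed input for this
# example: one string per process, exactly as the report prints them.
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\file.exe"',
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9E73.dll',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F',
    r'icacls "C:\Users\Admin\AppData\Local\b4e63f95-5a9f-456e-a608-f832311a32b8" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'CACLS "yiueea.exe" /P "Admin:N"',
    r'CACLS "..\577f58beff" /P "Admin:R" /E',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231017100535.log C:\Windows\Logs\CBS\CbsPersist_20231017100535.cab',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
]

# Directories a user can write to without elevation; a task or DLL run from here
# is the pattern the loaders in this report use.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Where a firewall allow rule for a program is unremarkable (editor's list).
TRUSTED_DIRS = re.compile(r"^[a-z]:\\(Windows\\(System32|SysWOW64)|Program Files( \(x86\))?)\\", re.I)
# A value that may be quoted (paths with spaces) or bare.
QUOTED_OR_BARE = r'(?:"([^"]+)"|(\S+))'


def _value(m):
    return m.group(1) or m.group(2)


def rule_schtasks(cmd):
    if not re.search(r'schtasks(?:\.exe)?"?\s+/create\b', cmd, re.I):
        return None
    if not re.search(r"/sc\s+minute\b", cmd, re.I):
        return None
    m = re.search(r"/tr\s+" + QUOTED_OR_BARE, cmd, re.I)
    if m and USER_WRITABLE.search(_value(m)):
        return "T1053.005", "minute-interval scheduled task running a binary from a user-writable path"
    return None


def rule_acl_deny(cmd):
    if re.search(r"\bicacls\b.*\s/deny\s+\*?S-1-1-0:", cmd, re.I):
        return "T1222.001", "icacls deny ACE for Everyone (S-1-1-0) on a dropped directory"
    if re.search(r'\bcacls\b.*\s/P\s+"[^"]+:N"', cmd, re.I):
        return "T1222.001", "cacls sets 'no access' for the current user on the malware's own files"
    return None


def rule_firewall_allow(cmd):
    m = re.search(
        r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram=" + QUOTED_OR_BARE,
        cmd, re.I)
    if m and not TRUSTED_DIRS.match(_value(m)):
        return "T1562.004", "inbound firewall allow rule for a binary outside System32/Program Files"
    return None


def rule_regsvr32(cmd):
    m = re.search(r'regsvr32(?:\.exe)?"?\s+(?:/s\s+)?' + QUOTED_OR_BARE, cmd, re.I)
    if m and _value(m).lower().endswith(".dll") and USER_WRITABLE.search(_value(m)):
        return "T1218.010", "regsvr32 silently registering a DLL from a user-writable path"
    return None


def rule_applaunch(cmd):
    # Heuristic: AppLaunch.exe normally receives an assembly to run; an empty
    # command line is the shape of a host started suspended to be hollowed.
    if re.fullmatch(r'"?[^"]*\\AppLaunch\.exe"?\s*', cmd, re.I):
        return "T1055.012", "AppLaunch.exe started with no arguments (hollowing host heuristic)"
    return None


RULES = [rule_schtasks, rule_acl_deny, rule_firewall_allow, rule_regsvr32, rule_applaunch]


def triage(cmdlines):
    """Return [(cmdline, technique_id, reason)] for every rule that fires."""
    hits = []
    for cmd in cmdlines:
        for rule in RULES:
            hit = rule(cmd)
            if hit:
                hits.append((cmd, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for cmd, tid, why in triage(PROCESS_CMDLINES):
        print(f"{tid}  {why}\n    {cmd}")
```

Two details matter in practice: the program= and /TR values are parsed as quoted-or-bare so a path under "C:\Program Files" is not cut at the space and misjudged, and the cacls rule fires only on the "Admin:N" (no access) call, not on the follow-up "Admin:R" grant, which is how the report's own sequence reads.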

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 colisumy.com udp
BA 109.175.29.39:80 colisumy.com tcp
US 8.8.8.8:53 zexeq.com udp
PA 190.141.134.150:80 zexeq.com tcp
GB 145.239.200.147:30225 tcp
PA 190.141.134.150:80 zexeq.com tcp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 49.12.118.149:80 49.12.118.149 tcp

Files

One entry per distinct file content. The sandbox logged the same file several times (repeated write events, and the same path recorded with and without the drive letter); those entries are merged here, and every path a given hash was seen at is listed under it.

C:\Users\Admin\AppData\Local\Temp\93C7.exe
also seen as \Users\Admin\AppData\Local\Temp\93C7.exe and C:\Users\Admin\AppData\Local\b4e63f95-5a9f-456e-a608-f832311a32b8\93C7.exe (the GUID-named folder under AppData\Local is the one the icacls command above denies Everyone delete rights on)

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\9898.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

C:\Users\Admin\AppData\Local\Temp\9E73.dll
also seen as \Users\Admin\AppData\Local\Temp\9E73.dll (loaded via regsvr32 /s)

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

C:\Users\Admin\AppData\Local\Temp\A038.exe

MD5 0eb209073c46b31d582a961d47f81dc8
SHA1 390731f05458610d99cd5bb796849bca69107d42
SHA256 30c888dc6f1ab30cb7c0132abf1871aad47017bd4be2f5be2961b27f4061197a
SHA512 e946013e3a22711bf282046695fc30352dbc0a74686be5c3a826a284b3bad36f15b86b413ce386947ae33fd922bacf948c837bf65e5cf24114e0125a8c5b183f

C:\Users\Admin\AppData\Local\Temp\A5E4.exe
also seen as C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe and \Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe (identical content: A5E4.exe copied itself to the path the schtasks entry above runs every minute)

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\BA40.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\EBEB.dll
also seen as \Users\Admin\AppData\Local\Temp\EBEB.dll (loaded via regsvr32 /s)

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

C:\Users\Admin\AppData\Local\Temp\CabD182.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarD4A1.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc63e71ae20632a0221677c4e90037d6
SHA1 dcb43c5f4a6b5c9851182354950511af63765bc5
SHA256 5391732a023c2f84169c8664e245554eae52baad9ded030b1ef0f3a86c98e4b6
SHA512 65eed045f7fc7cff45f5a15ade67de4cbd339fc4dc743cba088a8e2f77ef04386a64a6fb5db61cb137ebc7cad410c89d656f2de4abe93b15b0deb947b650eefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 b968feeb996d4c054a471295ac2a9218
SHA1 68e6c0a4313d5b73c10a0fa471c6b656efe50ee4
SHA256 e7b1829e1be96323fb1c11304da86dace8fae4d50f0710f32b03310a438298ab
SHA512 bf7f455e1834922b9e52ee81e4e3f51594f41d3c7be7f019a3320f131ca0e0b3b021ab878bad25d82277b0155f0faeb785c2b4ce31edeb3deae46a9fa2eddd09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Windows\rss\csrss.exe (also recorded as \Windows\rss\csrss.exe)
This is the binary the netsh rule above opens the firewall for. It was written three times with different content, in the order the report lists them; all three hash sets are kept because a blocklist built from the first drop alone would miss what ends up on disk.

First write:
MD5 5fc76a3a60a054bc2d87f6d1fff96606
SHA1 dff2ead5f5b2f7782aa2d845093bd5f942a87e03
SHA256 20989a4c4639d305fe06890fa2c7bee0d97e1a3c4a18c7969a4dd314ef6efd8c
SHA512 eb702409ca7e60e7675e32d80403bec9269a66ef130af877bdfe8d9f19a2502c98bdee4559e9f86909712a362c147ba8fbdf37a9acba5b93bb1feead3cd629e6

Second write:
MD5 06f6e0d86b33e1d4159f3a7b4340adef
SHA1 ac6dcd96bc6494102290cd46f65c6400df84039b
SHA256 97693485985653965e7f0c8abe231797695bd680fca4886762490bd8adbe1f03
SHA512 9281a8765b5f65e95598d1ff73f9c38e0fa08d91de561333155ec5093c061f51f47f5bc76e62130cdbdd6908e43f86c2ad00c9ec0a6a7fe319016b74fa756bf0

Third write:
MD5 ce6661fabe1e09d50f5398144f56df35
SHA1 dd2d0f7877400811a869b147aa755ee5d7a09b0a
SHA256 a495627e6c0359e76ddd7183dc329bd0db368006d3bcb7771859a1072bb6a362
SHA512 f5f088bbfa417b1bba4369114d6fcefbdac32a08f0c1512230d11d7b295e733a9b673170d8ff6b8efd25a7faa1c89c197cbf4824593860a8bc43889ff8b0cb90

Memory dumps

Regions dumped from each process during the run. The report names every dump memory/<PID>-<sequence>-<start>-<end>-memory.dmp; a region that was dumped several times is listed once under its PID.

PID 2860: 0x0000000000290000-0x0000000000390000, 0x00000000001C0000-0x00000000001CB000, 0x0000000000400000-0x00000000005AF000
PID 1216: 0x0000000002A50000-0x0000000002A66000
PID 2892: 0x00000000002A0000-0x0000000000332000, 0x0000000001EC0000-0x0000000001FDB000
PID 2632: 0x000000007EFDE000-0x000000007EFDF000, 0x0000000000400000-0x0000000000537000
PID 3044: 0x0000000000F30000-0x00000000016D8000, 0x0000000077280000-0x0000000077390000, 0x00000000777D0000-0x00000000777D2000, 0x0000000075630000-0x0000000075677000, 0x0000000074550000-0x0000000074C3E000, 0x0000000005900000-0x0000000005940000, 0x0000000000640000-0x000000000065C000, 0x0000000000640000-0x0000000000655000, 0x00000000006B0000-0x00000000006B1000
PID 2380: 0x0000000010000000-0x00000000101E4000, 0x0000000002290000-0x0000000002398000, 0x00000000023A0000-0x0000000002490000, 0x0000000000190000-0x0000000000196000
PID 992: 0x00000000047D0000-0x0000000004BC8000, 0x0000000000400000-0x0000000002FB8000, 0x0000000004BD0000-0x00000000054BB000
PID 1992: 0x0000000010000000-0x00000000101E3000, 0x0000000000E00000-0x0000000000F1B000, 0x00000000023F0000-0x00000000024EF000, 0x00000000000D0000-0x00000000000D6000
PID 1404: 0x00000000000D0000-0x000000000013B000
PID 1412: 0x0000000000400000-0x000000000043E000, 0x00000000FFFDE000-0x00000000FFFDF000, 0x0000000074550000-0x0000000074C3E000, 0x00000000072C0000-0x0000000007300000
PID 2352: 0x0000000000060000-0x000000000006C000
PID 888: 0x0000000000270000-0x0000000000302000
PID 2224: 0x0000000000400000-0x0000000000537000, 0x00000000740F0000-0x00000000740F6000, 0x0000000073FB0000-0x0000000073FB6000
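Two relations in the Files list carry most of the analytic value: the same hash appearing at more than one path (a payload copying itself, which is how A5E4.exe becomes yiueea.exe and how 93C7.exe lands in the GUID-named folder), and the same path carrying more than one hash (C:\Windows\rss\csrss.exe written three times). The Python below is an added example, not part of the report, that derives both from (path, SHA256) pairs copied from the list above; folding drive-letter-less paths onto C: is the editor's assumption about how the sandbox records them.

```python
from collections import defaultdict

# (path, SHA256) pairs copied from the Files list above. Repeated entries and the
# drive-letter-less variants are kept on purpose: the repetition is the signal.
FILE_EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\93C7.exe", "e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230"),
    (r"\Users\Admin\AppData\Local\Temp\93C7.exe", "e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230"),
    (r"C:\Users\Admin\AppData\Local\b4e63f95-5a9f-456e-a608-f832311a32b8\93C7.exe", "e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230"),
    (r"C:\Users\Admin\AppData\Local\Temp\A5E4.exe", "f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39"),
    (r"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe", "f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39"),
    (r"\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe", "f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39"),
    (r"C:\Users\Admin\AppData\Local\Temp\BA40.exe", "8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205"),
    (r"C:\Users\Admin\AppData\Local\Temp\9E73.dll", "36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d"),
    (r"\Users\Admin\AppData\Local\Temp\9E73.dll", "36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d"),
    (r"\Windows\rss\csrss.exe", "20989a4c4639d305fe06890fa2c7bee0d97e1a3c4a18c7969a4dd314ef6efd8c"),
    (r"C:\Windows\rss\csrss.exe", "97693485985653965e7f0c8abe231797695bd680fca4886762490bd8adbe1f03"),
    (r"\Windows\rss\csrss.exe", "a495627e6c0359e76ddd7183dc329bd0db368006d3bcb7771859a1072bb6a362"),
]

# Assumption: paths the sandbox records without a drive letter live on the system drive.
SYSTEM_DRIVE = "C:"


def normalize(path):
    """Fold '\\Users\\...' onto 'c:\\users\\...' so both spellings count as one file."""
    p = path.replace("/", "\\")
    if p.startswith("\\") and not p.startswith("\\\\"):
        p = SYSTEM_DRIVE + p
    return p.lower()


def correlate(events):
    """Return (copies, rewrites).
    copies:   hash -> sorted list of paths it was seen at (only hashes seen at >1 path)
    rewrites: path -> hashes written to it, in report order (only paths with >1 hash)"""
    by_hash = defaultdict(set)
    by_path = defaultdict(list)
    for path, sha in events:
        p = normalize(path)
        by_hash[sha].add(p)
        if sha not in by_path[p]:
            by_path[p].append(sha)
    copies = {h: sorted(ps) for h, ps in by_hash.items() if len(ps) > 1}
    rewrites = {p: hs for p, hs in by_path.items() if len(hs) > 1}
    return copies, rewrites


def unique_hashes(events):
    """Distinct contents dropped during the run: the hash IOC set for this sample."""
    return sorted({sha for _, sha in events})


def blocklist_gaps(events):
    """For every rewritten path, the hash that is on disk at the end of the run.
    A blocklist built from the first drop alone would not contain it."""
    _, rewrites = correlate(events)
    return {p: hs[-1] for p, hs in rewrites.items()}


if __name__ == "__main__":
    copies, rewrites = correlate(FILE_EVENTS)
    for sha, paths in copies.items():
        print(f"self-copy {sha[:12]}: " + " | ".join(paths))
    for path, hashes in rewrites.items():
        print(f"rewritten {path}: " + " -> ".join(h[:12] for h in hashes))
    print(f"{len(unique_hashes(FILE_EVENTS))} distinct contents")
```

The same correlation pays off in an incident: a hash-only blocklist derived from the first csrss.exe drop would leave the final binary untouched, while a path rule for C:\Windows\rss\csrss.exe catches all three.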