Analysis Overview
SHA256
3c0c51d03ba888e6faa5d930d0a747e21901af69250bc137b55e85c6e1d0d963
Threat Level: Known bad
The file was found to be: Known bad.
Malicious Activity Summary
Glupteba
SmokeLoader
Amadey
Djvu Ransomware
RedLine payload
Glupteba payload
RedLine
Detected Djvu ransomware
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Modifies Windows Firewall
Executes dropped EXE
Modifies file permissions
Checks BIOS information in registry
Loads dropped DLL
Deletes itself
Themida packer
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-17 10:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-17 10:02
Reported
2023-10-17 10:07
Platform
win10v2004-20230915-en
Max time kernel
241s
Max time network
253s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2C42.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2C42.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2C42.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16D5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16D5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C42.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3220.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BBB4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D344.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E854.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\2C42.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C42.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1540 set thread context of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\16D5.exe | C:\Users\Admin\AppData\Local\Temp\16D5.exe |
| PID 1144 set thread context of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\3220.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\D344.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\D344.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\D344.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D344.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\16D5.exe
C:\Users\Admin\AppData\Local\Temp\16D5.exe
C:\Users\Admin\AppData\Local\Temp\16D5.exe
C:\Users\Admin\AppData\Local\Temp\16D5.exe
C:\Users\Admin\AppData\Local\Temp\2C42.exe
C:\Users\Admin\AppData\Local\Temp\2C42.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\30B8.dll
C:\Users\Admin\AppData\Local\Temp\3220.exe
C:\Users\Admin\AppData\Local\Temp\3220.exe
C:\Users\Admin\AppData\Local\Temp\BBB4.exe
C:\Users\Admin\AppData\Local\Temp\BBB4.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\30B8.dll
C:\Users\Admin\AppData\Local\Temp\D344.exe
C:\Users\Admin\AppData\Local\Temp\D344.exe
C:\Users\Admin\AppData\Local\Temp\E854.exe
C:\Users\Admin\AppData\Local\Temp\E854.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\16B.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\16B.dll
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.20.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | 133.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.213.67.172.in-addr.arpa | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\16D5.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
C:\Users\Admin\AppData\Local\Temp\2C42.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
C:\Users\Admin\AppData\Local\Temp\30B8.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
C:\Users\Admin\AppData\Local\Temp\3220.exe
| MD5 | 0eb209073c46b31d582a961d47f81dc8 |
| SHA1 | 390731f05458610d99cd5bb796849bca69107d42 |
| SHA256 | 30c888dc6f1ab30cb7c0132abf1871aad47017bd4be2f5be2961b27f4061197a |
| SHA512 | e946013e3a22711bf282046695fc30352dbc0a74686be5c3a826a284b3bad36f15b86b413ce386947ae33fd922bacf948c837bf65e5cf24114e0125a8c5b183f |
C:\Users\Admin\AppData\Local\Temp\BBB4.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\D344.exe
| MD5 | cf7a6fc5659883c4e415ad165bcadeb5 |
| SHA1 | f22de24b69c804a165018229f618576747ab4fb2 |
| SHA256 | 97bd1070b0a6c867fe908300777b66ff362fbc926a831e8e7f7a66bc808dff92 |
| SHA512 | 8a8f5d4e844a4de78a96788de533dbef6992dba690f912f5490106fb32d0a6d4226d100a31db002b34b00c7cb1f5d458b4569be93cfd973f0e10083017910011 |
C:\Users\Admin\AppData\Local\Temp\E854.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\16B.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-17 10:02
Reported
2023-10-17 10:06
Platform
win7-20230831-en
Max time kernel
105s
Max time network
174s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\9898.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\9898.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9898.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93C7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93C7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9898.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A038.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A5E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93C7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93C7.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93C7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A5E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93C7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93C7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93C7.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b4e63f95-5a9f-456e-a608-f832311a32b8\\93C7.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\93C7.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\9898.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9898.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2892 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\93C7.exe | C:\Users\Admin\AppData\Local\Temp\93C7.exe |
| PID 2696 set thread context of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\A038.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 888 set thread context of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\93C7.exe | C:\Users\Admin\AppData\Local\Temp\93C7.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\93C7.exe
C:\Users\Admin\AppData\Local\Temp\93C7.exe
C:\Users\Admin\AppData\Local\Temp\93C7.exe
C:\Users\Admin\AppData\Local\Temp\93C7.exe
C:\Users\Admin\AppData\Local\Temp\9898.exe
C:\Users\Admin\AppData\Local\Temp\9898.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\9E73.dll
C:\Users\Admin\AppData\Local\Temp\A038.exe
C:\Users\Admin\AppData\Local\Temp\A038.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9E73.dll
C:\Users\Admin\AppData\Local\Temp\A5E4.exe
C:\Users\Admin\AppData\Local\Temp\A5E4.exe
C:\Users\Admin\AppData\Local\Temp\BA40.exe
C:\Users\Admin\AppData\Local\Temp\BA40.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EBEB.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\EBEB.dll
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b4e63f95-5a9f-456e-a608-f832311a32b8" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\93C7.exe
"C:\Users\Admin\AppData\Local\Temp\93C7.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\93C7.exe
"C:\Users\Admin\AppData\Local\Temp\93C7.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231017100535.log C:\Windows\Logs\CBS\CbsPersist_20231017100535.cab
C:\Windows\system32\taskeng.exe
taskeng.exe {22556CAB-0913-4E8F-B924-4ED1769DE58C} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\0ca2eaef-6f86-435c-bf85-502b37b5fdde\build2.exe
"C:\Users\Admin\AppData\Local\0ca2eaef-6f86-435c-bf85-502b37b5fdde\build2.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\0ca2eaef-6f86-435c-bf85-502b37b5fdde\build2.exe
"C:\Users\Admin\AppData\Local\0ca2eaef-6f86-435c-bf85-502b37b5fdde\build2.exe"
C:\Users\Admin\AppData\Local\0ca2eaef-6f86-435c-bf85-502b37b5fdde\build3.exe
"C:\Users\Admin\AppData\Local\0ca2eaef-6f86-435c-bf85-502b37b5fdde\build3.exe"
C:\Users\Admin\AppData\Local\Temp\BA40.exe
"C:\Users\Admin\AppData\Local\Temp\BA40.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
Network
Files