Analysis Overview
SHA256
0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f
Threat Level: Known bad
The file NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
Djvu Ransomware
Amadey
Glupteba payload
Detected Djvu ransomware
Vidar
Glupteba
RedLine payload
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Modifies Windows Firewall
Themida packer
Modifies file permissions
Checks BIOS information in registry
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Deletes itself
Looks up external IP address via web service
Adds Run key to start application
Checks whether UAC is enabled
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
outlook_office_path
outlook_win_path
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-17 16:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-17 16:38
Reported
2023-10-17 16:41
Platform
win7-20230831-en
Max time kernel
51s
Max time network
153s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\FA95.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\FA95.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\FA95.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FA95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8BB.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F670.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\FA95.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FA95.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2772 set thread context of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\F670.exe | C:\Users\Admin\AppData\Local\Temp\F670.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\F670.exe
C:\Users\Admin\AppData\Local\Temp\F670.exe
C:\Users\Admin\AppData\Local\Temp\F670.exe
C:\Users\Admin\AppData\Local\Temp\F670.exe
C:\Users\Admin\AppData\Local\Temp\FA95.exe
C:\Users\Admin\AppData\Local\Temp\FA95.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\437.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\437.dll
C:\Users\Admin\AppData\Local\Temp\8BB.exe
C:\Users\Admin\AppData\Local\Temp\8BB.exe
C:\Users\Admin\AppData\Local\Temp\11D0.exe
C:\Users\Admin\AppData\Local\Temp\11D0.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {47934843-699B-4624-8A0E-213535CC85CD} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Users\Admin\AppData\Roaming\gwhjijs
C:\Users\Admin\AppData\Roaming\gwhjijs
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\09fd8245-914f-4192-ad5b-e9221dba05a1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\2486.exe
C:\Users\Admin\AppData\Local\Temp\2486.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\F670.exe
"C:\Users\Admin\AppData\Local\Temp\F670.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\F670.exe
"C:\Users\Admin\AppData\Local\Temp\F670.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\e481423c-4bb5-4732-aace-78d1adcf596c\build2.exe
"C:\Users\Admin\AppData\Local\e481423c-4bb5-4732-aace-78d1adcf596c\build2.exe"
C:\Users\Admin\AppData\Local\e481423c-4bb5-4732-aace-78d1adcf596c\build2.exe
"C:\Users\Admin\AppData\Local\e481423c-4bb5-4732-aace-78d1adcf596c\build2.exe"
C:\Users\Admin\AppData\Local\e481423c-4bb5-4732-aace-78d1adcf596c\build3.exe
"C:\Users\Admin\AppData\Local\e481423c-4bb5-4732-aace-78d1adcf596c\build3.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\e481423c-4bb5-4732-aace-78d1adcf596c\build3.exe
"C:\Users\Admin\AppData\Local\e481423c-4bb5-4732-aace-78d1adcf596c\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
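The process tree above carries three patterns a detection engineer would want to encode rather than just read. Amadey registers a task that re-launches its dropper every minute (`schtasks /Create /SC MINUTE /MO 1 ... /TR "...\Temp\577f58beff\yiueea.exe"`, and a second one named "Azure-Update-Task" pointing at `%APPDATA%\Microsoft\Network\mstsca.exe`), then uses `CACLS ... /P "Admin:N"` followed by `/P "Admin:R" /E` so that the logged-on user keeps read access only to its own file and directory, which blocks casual deletion. Djvu does the same with `icacls <its GUID directory> /deny *S-1-1-0:(OI)(CI)(DE,DC)`, denying Everyone the delete and delete-child rights. Finally `regsvr32 /s` silently registers a DLL dropped in `%TEMP%`. The Python below is an added example, not part of the sandbox report: it runs three rules over constructed process-creation records modelled on those command lines. The PIDs, the record layout and the benign control record (a daily vendor task from Program Files that must not fire) are assumptions.

```python
import re

# Constructed process-creation records modelled on the command lines in the
# process tree above. PIDs are assumed (the report does not list them); the
# last record is an assumed benign control that must not trigger any rule.
EVENTS = [
    {"pid": 101, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe '
            r'/TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'},
    {"pid": 102, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" '
            r'/tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'},
    {"pid": 103, "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmd": r'CACLS "yiueea.exe" /P "Admin:N"'},
    {"pid": 104, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r'icacls "C:\Users\Admin\AppData\Local\09fd8245-914f-4192-ad5b-e9221dba05a1" '
            r'/deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"pid": 105, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r"/s C:\Users\Admin\AppData\Local\Temp\437.dll"},
    {"pid": 106, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /Create /SC DAILY /TN "Vendor Update" /TR "C:\Program Files\Vendor\update.exe"'},
]

# Locations a standard user can write to; a task or DLL living here is the
# signal, a task pointing into Program Files or System32 is normal.
USER_WRITABLE = re.compile(r"(?i)\\(users\\[^\\]+\\appdata|programdata|temp)\\")


def task_target(cmd):
    """Return the /TR argument of a schtasks command line, quoted or bare."""
    m = re.search(r'(?i)/tr\s+(?:"([^"]+)"|(\S+))', cmd)
    return (m.group(1) or m.group(2)) if m else None


def rule_high_frequency_task(ev):
    """schtasks creating a minute-granularity task whose target is user-writable."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    cmd = ev["cmd"]
    if not re.search(r"(?i)/create\b", cmd) or not re.search(r"(?i)/sc\s+minute\b", cmd):
        return None
    target = task_target(cmd)
    if target and USER_WRITABLE.search(target):
        return "schtasks_minute_task_from_user_writable_path"
    return None


def rule_acl_lockdown(ev):
    """cacls /P <user>:N (replace ACL with no-access) or icacls /deny on a dropped path."""
    image = ev["image"].lower()
    if not (image.endswith("\\cacls.exe") or image.endswith("\\icacls.exe")):
        return None
    cmd = ev["cmd"]
    if re.search(r'(?i)/p\s+"?[^"\s]+:N\b', cmd) or re.search(r"(?i)/deny\b", cmd):
        return "acl_lockdown_on_dropped_file_or_directory"
    return None


def rule_regsvr32_silent_user_dll(ev):
    """regsvr32 /s (no UI) registering a DLL from a user-writable directory."""
    if not ev["image"].lower().endswith("\\regsvr32.exe"):
        return None
    cmd = ev["cmd"]
    if re.search(r"(?i)(^|\s)/s(\s|$)", cmd) and USER_WRITABLE.search(cmd):
        return "regsvr32_silent_dll_from_user_writable_path"
    return None


RULES = (rule_high_frequency_task, rule_acl_lockdown, rule_regsvr32_silent_user_dll)


def scan(events):
    """Apply every rule to every record; return one hit per (record, rule)."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append({"pid": ev["pid"], "rule": name, "cmd": ev["cmd"]})
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit["pid"], hit["rule"])
```

The `/P "Admin:R" /E` and `/P "Admin:N"` pair is deliberately only matched on the `:N` half: the first call is what removes the user's rights, the second only restores read, so alerting on the pair would just double the noise. On a real Sysmon or EDR feed the `image` field should come from the process image path, not the command line, since the page shows the WoW64 `schtasks.exe` being invoked with a `System32` path on the command line.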
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| MX | 189.169.19.32:80 | zexeq.com | tcp |
| PE | 190.187.52.42:80 | zexeq.com | tcp |
| MX | 189.169.19.32:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| JP | 23.207.106.113:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 49.12.118.149:80 | 49.12.118.149 | tcp |
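The network table mixes four kinds of rows that should not all land on a blocklist together: DNS queries to the sandbox resolver (8.8.8.8:53), connections to the attacker's own domains (several of which share one IP, 34.143.166.163, which is useful pivot information), connections to bare IPs with no DNS at all (79.137.192.18, 49.12.118.149), and connections to legitimate services. Of the last group, api.2ip.ua is the report's own "Looks up external IP address" signature, the www.microsoft.com lookup is consistent with the CryptnetUrlCache certificate-fetch files listed under Files, and t.me and steamcommunity.com are the well-known dead-drop resolver pattern of Vidar-family stealers (that classification is drawn from general knowledge of the family, not stated in the report). The Python below is an added example, not part of the report, that parses an excerpt of the table copied inline and sorts the indicators into those buckets; the resolver set and the noise and dead-drop host lists are assumptions to adapt per environment.

```python
import re
from collections import defaultdict

# Excerpt of the network table above, copied inline as constructed input so
# the example runs offline; rows appear exactly as in the report.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| JP | 23.207.106.113:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 49.12.118.149:80 | 49.12.118.149 | tcp |
"""

# Assumed per-environment lists: the sandbox's resolver, platform traffic
# that is not an indicator, the external-IP service the report flags, and
# legitimate hosts abused as dead-drop resolvers (not to be blocked, but
# the specific profile URLs are worth hunting for in proxy logs).
RESOLVERS = {"8.8.8.8"}
PLATFORM_NOISE = {"www.microsoft.com"}
EXTERNAL_IP_SERVICES = {"api.2ip.ua"}
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}

ROW = re.compile(
    r"^\|\s*(\w\w)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(udp|tcp)\s*\|$"
)


def parse_rows(text):
    """Turn the pipe-table rows into dicts; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(domain, ip=None):
    """Bucket a destination; ip is None for a DNS query with no follow-up connection."""
    if domain in PLATFORM_NOISE:
        return "platform_noise"
    if domain in EXTERNAL_IP_SERVICES:
        return "external_ip_lookup"
    if domain in DEAD_DROP_HOSTS:
        return "dead_drop_resolver"
    if ip is None:
        return "dns_only"        # queried but never connected to (dead or failed)
    if domain == ip:
        return "direct_ip_c2"    # no DNS at all: hard-coded address
    return "c2_candidate"


def triage(text):
    """Map each domain to its bucket and the set of (ip, port) it actually reached."""
    iocs = {}
    for r in parse_rows(text):
        if r["ip"] in RESOLVERS and r["port"] == 53:
            iocs.setdefault(r["domain"], {"tag": classify(r["domain"]), "endpoints": set()})
            continue
        entry = iocs.setdefault(r["domain"], {"tag": None, "endpoints": set()})
        entry["endpoints"].add((r["ip"], r["port"]))
        entry["tag"] = classify(r["domain"], r["ip"])
    for entry in iocs.values():
        entry["endpoints"] = sorted(entry["endpoints"])
    return iocs


def shared_hosts(iocs):
    """IPs that served more than one domain: shared attacker infrastructure to pivot on."""
    by_ip = defaultdict(set)
    for domain, entry in iocs.items():
        for ip, _ in entry["endpoints"]:
            by_ip[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items() if len(domains) > 1}


def blocklist(iocs):
    """Indicators safe to block outright; noise and dual-use services are left out."""
    block_tags = {"c2_candidate", "direct_ip_c2", "dns_only"}
    return sorted(d for d, e in iocs.items() if e["tag"] in block_tags)


if __name__ == "__main__":
    result = triage(NETWORK_TABLE)
    for domain, entry in result.items():
        print(f"{entry['tag']:20} {domain:25} {entry['endpoints']}")
    print("shared:", shared_hosts(result))
    print("block:", blocklist(result))
```

Two caveats when reusing this outside the sandbox: the resolver set must match the DNS servers the host actually uses, otherwise every query is misread as a connection, and the "dns_only" bucket (here onualituyrs.org and colisumy.com) is still attacker-controlled naming even though no connection followed, so it belongs on the blocklist but should not be treated as confirmed C2 traffic.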
Files
memory/1916-1-0x0000000000970000-0x0000000000A70000-memory.dmp
memory/1916-2-0x0000000000400000-0x00000000007CC000-memory.dmp
memory/1916-3-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1280-4-0x00000000029D0000-0x00000000029E6000-memory.dmp
memory/1916-5-0x0000000000400000-0x00000000007CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F670.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2772-20-0x0000000001E50000-0x0000000001EE2000-memory.dmp
memory/2772-21-0x0000000001E50000-0x0000000001EE2000-memory.dmp
memory/2772-22-0x0000000001EF0000-0x000000000200B000-memory.dmp
\Users\Admin\AppData\Local\Temp\F670.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2348-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2348-27-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FA95.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
memory/2812-34-0x0000000000E70000-0x0000000001618000-memory.dmp
memory/2348-35-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2812-37-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-38-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-39-0x0000000076F00000-0x0000000077010000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\437.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
memory/2812-42-0x0000000075610000-0x0000000075657000-memory.dmp
memory/2812-44-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-45-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-46-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-47-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-48-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-50-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-49-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-51-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-52-0x0000000075610000-0x0000000075657000-memory.dmp
memory/2812-53-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-54-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-55-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-56-0x0000000076F00000-0x0000000077010000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8BB.exe
| MD5 | 9a31a97c4280c2f132874184bc1864eb |
| SHA1 | 424f3577733ecdf081cff3c0b765668fa94bf106 |
| SHA256 | d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681 |
| SHA512 | 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c |
\Users\Admin\AppData\Local\Temp\437.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
memory/2812-64-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/1876-65-0x0000000010000000-0x00000000101E3000-memory.dmp
memory/2348-66-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2812-68-0x0000000077940000-0x0000000077942000-memory.dmp
memory/2812-69-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/1876-70-0x0000000000180000-0x0000000000186000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11D0.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Roaming\gwhjijs
| MD5 | 78e7a2a2a891519b61daca63b50bdac1 |
| SHA1 | 8b19e5bf3ba68de0724f7d2e42eaa1abf77773e4 |
| SHA256 | 0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f |
| SHA512 | d7bcd57bd3e4a331b36cb4f5cde54a9f033906c47d7407d88dcd67d41da93680b05c90ec5c56a0456708f892daa2e18096ee006cbdf478f97414d4d386090506 |
memory/2812-83-0x0000000000E70000-0x0000000001618000-memory.dmp
memory/1876-104-0x0000000002360000-0x000000000247B000-memory.dmp
C:\Users\Admin\AppData\Local\09fd8245-914f-4192-ad5b-e9221dba05a1\F670.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2812-106-0x00000000747C0000-0x0000000074EAE000-memory.dmp
memory/992-107-0x0000000000400000-0x00000000007CC000-memory.dmp
memory/992-108-0x0000000000940000-0x0000000000A40000-memory.dmp
memory/2448-110-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2448-111-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2448-109-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1876-112-0x0000000002480000-0x000000000257F000-memory.dmp
memory/2348-114-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2486.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/2812-117-0x00000000004F0000-0x0000000000530000-memory.dmp
memory/1796-125-0x00000000028C0000-0x0000000002CB8000-memory.dmp
memory/2448-124-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2448-127-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2448-113-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2448-116-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1796-130-0x00000000028C0000-0x0000000002CB8000-memory.dmp
memory/436-132-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/1796-133-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/436-137-0x00000000000F0000-0x0000000000170000-memory.dmp
memory/1592-140-0x0000000000060000-0x000000000006C000-memory.dmp
memory/436-139-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/1592-138-0x0000000000060000-0x000000000006C000-memory.dmp
memory/1796-141-0x0000000002CC0000-0x00000000035AB000-memory.dmp
memory/436-151-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/1876-152-0x0000000010000000-0x00000000101E3000-memory.dmp
memory/2812-153-0x0000000000E70000-0x0000000001618000-memory.dmp
memory/2812-154-0x0000000075610000-0x0000000075657000-memory.dmp
memory/908-162-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2348-158-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2812-163-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-157-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-164-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-165-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-166-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/2812-167-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/908-172-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2812-170-0x0000000076F00000-0x0000000077010000-memory.dmp
memory/1348-177-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2812-178-0x00000000747C0000-0x0000000074EAE000-memory.dmp
memory/1280-179-0x0000000002B70000-0x0000000002B86000-memory.dmp
memory/992-180-0x0000000000400000-0x00000000007CC000-memory.dmp
memory/1796-183-0x0000000000400000-0x0000000000D6F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab4EDB.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 48e295cba74b7900552ae090487f21a3 |
| SHA1 | 5202f21821a5c2794848ec13f246a77288a71acc |
| SHA256 | c7a6159f9c8155ef67876deca1c1ab74d8d8f5268525aa37d9a3c71218d28a88 |
| SHA512 | 090971beb0f3b6db34ea00482d365095f37695ed806da7352ad635903d7c86584cec909190d997ab0cc8033ae773a7666033b4e09b9e45fa6c1f8947575f2b95 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 6fca32c01f986ee2660702689b5e3f19 |
| SHA1 | 28a321e06b49c7672cf18296a968ebbf3f5dfe30 |
| SHA256 | 432b80f72adbfada2bdb6f8f2fbb3e10ab37212d13454f4a6849c0edb7f1f058 |
| SHA512 | 4a7bb6de343ab046102df917e0fe96f3da22a8eb5e589f243aeeb7006537313bd782d81e7aba97bb30bc79d359f08a6551e16eb1ab96a2a273aa5e19fb82b39b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 0268ef551139ac7672a96e6658ce044a |
| SHA1 | b005ca526faa872c8e0aeafd11e3335c28c16037 |
| SHA256 | 417ec67ee533de68e2008cc547552d33878e0d9bedd6ceaf5572d37112bb036a |
| SHA512 | 5405872c99f9f88596d39057d8701ba360b498d8bbb5eb64cd5af5f8f1100e0ecdaf09ad811aa0b3fc92ddfcef05d1a14e6495868e4995af049cd3be0247860d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 5df3ce713946c9c26d67d9293cd19282 |
| SHA1 | d908cf9c62848b8e67eb1905d27532860823d88b |
| SHA256 | 7cef798ffe68b7d6bb71243a1e54e6cc44d2f4358e510429263648cd7cc36687 |
| SHA512 | 34b5f4ab6ee2c2803666144bdd901e2567f6119a5c1faef1bc483c3eac32e5d78c8083aad370fd3e4c1ae000f66d38ced0ce1e5dacc4fd28bed809b8fb4685c4 |
memory/2812-197-0x00000000004F0000-0x0000000000530000-memory.dmp
memory/1796-198-0x00000000028C0000-0x0000000002CB8000-memory.dmp
memory/1348-199-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1348-201-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2812-202-0x0000000000610000-0x000000000062C000-memory.dmp
C:\Users\Admin\AppData\Local\e481423c-4bb5-4732-aace-78d1adcf596c\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
\Users\Admin\AppData\Local\e481423c-4bb5-4732-aace-78d1adcf596c\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
memory/1348-208-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1348-228-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1348-240-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\e481423c-4bb5-4732-aace-78d1adcf596c\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\Temp\2486.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Users\Admin\AppData\Local\Temp\TarF7A9.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | b7b46d7fa62a508b5b848f2e28ba35f8 |
| SHA1 | 47e003ed1ee7c61c4a49ea940aaf529bec590000 |
| SHA256 | d8d7fd084b6cb685c32f28fd787241c5f9697beafef3d0e01d8d27692963ef03 |
| SHA512 | e4c0b8921245345c247df9fd5568f8dc3b9f5621203bd34b22746918814272480458579ca3200475bd35516db96c4718587240a1f5802d8bb4ad0dabec2513c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-17 16:38
Reported
2023-10-17 16:41
Platform
win10v2004-20230915-en
Max time kernel
55s
Max time network
137s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2CF8.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2CF8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2CF8.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3CBA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\294D.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\294D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\294D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2CF8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3382.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3CBA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4093.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4807.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\294D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\294D.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7d3b6d04-d0d4-4400-bbac-60ccf164ad54\\294D.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\294D.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\2CF8.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2CF8.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2448 set thread context of 484 | N/A | C:\Users\Admin\AppData\Local\Temp\294D.exe | C:\Users\Admin\AppData\Local\Temp\294D.exe |
| PID 4724 set thread context of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\294D.exe | C:\Users\Admin\AppData\Local\Temp\294D.exe |
| PID 2468 set thread context of 1376 | N/A | C:\Users\Admin\AppData\Local\Temp\2CF8.exe | C:\Users\Admin\AppData\Local\Temp\FE38.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\294D.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4093.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4093.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4093.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4093.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2CF8.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4fexeexe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\294D.exe
C:\Users\Admin\AppData\Local\Temp\294D.exe
C:\Users\Admin\AppData\Local\Temp\294D.exe
C:\Users\Admin\AppData\Local\Temp\294D.exe
C:\Users\Admin\AppData\Local\Temp\2CF8.exe
C:\Users\Admin\AppData\Local\Temp\2CF8.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\31BB.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\31BB.dll
C:\Users\Admin\AppData\Local\Temp\3382.exe
C:\Users\Admin\AppData\Local\Temp\3382.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\7d3b6d04-d0d4-4400-bbac-60ccf164ad54" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\3CBA.exe
C:\Users\Admin\AppData\Local\Temp\3CBA.exe
C:\Users\Admin\AppData\Local\Temp\4093.exe
C:\Users\Admin\AppData\Local\Temp\4093.exe
C:\Users\Admin\AppData\Local\Temp\4807.exe
C:\Users\Admin\AppData\Local\Temp\4807.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\294D.exe
"C:\Users\Admin\AppData\Local\Temp\294D.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\294D.exe
"C:\Users\Admin\AppData\Local\Temp\294D.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 124 -p 2828 -ip 2828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 568
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Roaming\jrjrufd
C:\Users\Admin\AppData\Roaming\jrjrufd
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\4807.exe
"C:\Users\Admin\AppData\Local\Temp\4807.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\FE38.exe
C:\Users\Admin\AppData\Local\Temp\FE38.exe
C:\Users\Admin\AppData\Local\Temp\{B4A3D970-6FFB-4FB0-AD6B-5E20BF254B38}\FE38.exe
C:\Users\Admin\AppData\Local\Temp\{B4A3D970-6FFB-4FB0-AD6B-5E20BF254B38}\FE38.exe /q"C:\Users\Admin\AppData\Local\Temp\FE38.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{B4A3D970-6FFB-4FB0-AD6B-5E20BF254B38}" /IS_temp
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{B4A3D970-6FFB-4FB0-AD6B-5E20BF254B38}\Unpluralized Antifrost.msi" /qn SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="FE38.exe"
Network
| Country | Destination | Domain | Proto |
Files
C:\Users\Admin\AppData\Local\Temp\294D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
C:\Users\Admin\AppData\Local\Temp\2CF8.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
C:\Users\Admin\AppData\Local\Temp\31BB.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
C:\Users\Admin\AppData\Local\Temp\3382.exe
| MD5 | 9a31a97c4280c2f132874184bc1864eb |
| SHA1 | 424f3577733ecdf081cff3c0b765668fa94bf106 |
| SHA256 | d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681 |
| SHA512 | 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c |
C:\Users\Admin\AppData\Local\Temp\3CBA.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2468-101-0x00000000056F0000-0x0000000005782000-memory.dmp
memory/2468-102-0x0000000005970000-0x0000000005A0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4093.exe
| MD5 | a6cc2635415872e2cfa5bc586b8d5ac1 |
| SHA1 | 1ab7f97be976876998982fef5a4f54f29325ff10 |
| SHA256 | 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e |
| SHA512 | cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad |
memory/2468-108-0x00000000005A0000-0x0000000000D48000-memory.dmp
memory/2468-110-0x0000000076EC0000-0x0000000076FB0000-memory.dmp
memory/2468-109-0x0000000005900000-0x000000000590A000-memory.dmp
memory/2468-111-0x0000000076EC0000-0x0000000076FB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4228-113-0x0000000002B70000-0x0000000002C8B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4807.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/2468-124-0x0000000076EC0000-0x0000000076FB0000-memory.dmp
memory/2468-126-0x0000000076EC0000-0x0000000076FB0000-memory.dmp
memory/3276-130-0x00000000006D0000-0x00000000006DB000-memory.dmp
memory/3276-128-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/4604-127-0x0000000000C10000-0x0000000000C7B000-memory.dmp
memory/3276-131-0x0000000000400000-0x00000000005B6000-memory.dmp
memory/4604-132-0x0000000000C10000-0x0000000000C7B000-memory.dmp
memory/4824-134-0x0000000000690000-0x000000000069C000-memory.dmp
memory/2468-135-0x0000000076EC0000-0x0000000076FB0000-memory.dmp
memory/4604-136-0x0000000000C80000-0x0000000000D00000-memory.dmp
memory/4824-137-0x0000000000690000-0x000000000069C000-memory.dmp
memory/2468-139-0x0000000076EC0000-0x0000000076FB0000-memory.dmp
memory/2468-138-0x0000000076EC0000-0x0000000076FB0000-memory.dmp
memory/484-133-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4228-146-0x0000000002C90000-0x0000000002D8F000-memory.dmp
memory/4228-165-0x0000000002C90000-0x0000000002D8F000-memory.dmp
memory/3008-167-0x0000000002A70000-0x0000000002E76000-memory.dmp
memory/3008-168-0x0000000002E80000-0x000000000376B000-memory.dmp
memory/4228-169-0x0000000010000000-0x00000000101E3000-memory.dmp
memory/2468-170-0x0000000076EC0000-0x0000000076FB0000-memory.dmp
memory/3008-171-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/4228-173-0x0000000002C90000-0x0000000002D8F000-memory.dmp
memory/4604-177-0x0000000000C10000-0x0000000000C7B000-memory.dmp
memory/3276-175-0x0000000000400000-0x00000000005B6000-memory.dmp
C:\Users\Admin\AppData\Local\7d3b6d04-d0d4-4400-bbac-60ccf164ad54\294D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/3164-172-0x0000000002CD0000-0x0000000002CE6000-memory.dmp
memory/484-179-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\294D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/4724-183-0x0000000002150000-0x00000000021E8000-memory.dmp
memory/2828-186-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2828-188-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2828-190-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2468-187-0x0000000005950000-0x000000000596C000-memory.dmp
memory/2468-191-0x0000000005950000-0x0000000005965000-memory.dmp
memory/2468-194-0x0000000005950000-0x0000000005965000-memory.dmp
memory/2468-192-0x0000000005950000-0x0000000005965000-memory.dmp
memory/2468-196-0x0000000005950000-0x0000000005965000-memory.dmp
memory/2468-198-0x0000000005950000-0x0000000005965000-memory.dmp
memory/2468-200-0x0000000005950000-0x0000000005965000-memory.dmp
memory/3008-201-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/2468-203-0x0000000005950000-0x0000000005965000-memory.dmp
memory/2468-205-0x0000000005950000-0x0000000005965000-memory.dmp
memory/2468-207-0x0000000005950000-0x0000000005965000-memory.dmp
memory/1376-217-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2468-220-0x0000000076EC0000-0x0000000076FB0000-memory.dmp
C:\Users\Admin\AppData\Roaming\jrjrufd
| MD5 | 78e7a2a2a891519b61daca63b50bdac1 |
| SHA1 | 8b19e5bf3ba68de0724f7d2e42eaa1abf77773e4 |
| SHA256 | 0f761b7d8b1e22f677afae3f0f3dc7413388613694ed62fddca1855334967b4f |
| SHA512 | d7bcd57bd3e4a331b36cb4f5cde54a9f033906c47d7407d88dcd67d41da93680b05c90ec5c56a0456708f892daa2e18096ee006cbdf478f97414d4d386090506 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hje2etie.oly.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\bijrufd
| MD5 | a6cc2635415872e2cfa5bc586b8d5ac1 |
| SHA1 | 1ab7f97be976876998982fef5a4f54f29325ff10 |
| SHA256 | 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e |
| SHA512 | cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 59f424f1bbe314a1ae4ed96950d0e292 |
| SHA1 | 3c79e4c76db276acf7118d3e70fdac7816add5d8 |
| SHA256 | d22825a2bbee219158dc4f55d46b3f6d00274f0fa04e5adcc33121f9f395a75a |
| SHA512 | 364ba49ffa5659370bec26fbbf18285d2cc9c018bbaab46982068dc114de4b799467034ca3ea5dbea63bff5190702b8552cc25c79500fe5ad6d5643661901234 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 62cacda4114553d26f3a4a8da410f3a2 |
| SHA1 | 8735a388cb084c834fe50e784ddbf7725c0d8d8b |
| SHA256 | cb165ac80244d4bdaf2426248b8769d2aba628805285372c85d1f0ca149f77c4 |
| SHA512 | f7c503b52baf7bd3ab2951276cc6423dae6ae4ca1ae01ca53dc973b0d1d2a1ce01b2c52675518a3d7dfdde382cc7629042efc5e37f1ba117c0a3ef05fa9c2af4 |
C:\Users\Admin\AppData\Local\Temp\FE38.exe
| MD5 | 646396a1f9b3474ad8533953a3583b4b |
| SHA1 | 9cc3b41381d97196f93d2d551492909d82f58dde |
| SHA256 | 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b |
| SHA512 | 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa |
C:\Users\Admin\AppData\Local\Temp\{B4A3D970-6FFB-4FB0-AD6B-5E20BF254B38}\FE38.exe
| MD5 | 646396a1f9b3474ad8533953a3583b4b |
| SHA1 | 9cc3b41381d97196f93d2d551492909d82f58dde |
| SHA256 | 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b |
| SHA512 | 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa |
C:\Users\Admin\AppData\Local\Temp\{B4A3D970-6FFB-4FB0-AD6B-5E20BF254B38}\_ISMSIDEL.INI
| MD5 | 9f138b86faac2821969f04ff2f593051 |
| SHA1 | 1c76234a90a0cefe40835d02d3a53692c7fc6ee9 |
| SHA256 | 232b27046752bbd3619ce7a7c5e4326b3aac3a0eace8df188712f0a9f1055797 |
| SHA512 | 18d6b0b95e0dd8cc7f4c3cde21b75bb974e6de4d21c547503317fdaa992c1140f26a8620eb2e2bd7ffd2b53f372d9ba3a488c5d40dc419a783d622890f9508d3 |
C:\Users\Admin\AppData\Local\Temp\{B4A3D970-6FFB-4FB0-AD6B-5E20BF254B38}\Setup.INI
| MD5 | 236e86a73aa13283f042a8e0e37d817b |
| SHA1 | ccde2476172fba63fc37d4472ad164239d91722f |
| SHA256 | f4f66390a1bb0c30a78df0caf277bdd0111fecb9f53099663f56def6038cb1bf |
| SHA512 | 2a334c02b5c3d67287c49deee07f36d423176aaf51187f9edaafb73798d3a8a56c8e7c677326cc355ca4bbb4b4a851875b9c4318c78a55f3f17d0243ed1427e7 |
C:\Users\Admin\AppData\Local\Temp\{B4A3D970-6FFB-4FB0-AD6B-5E20BF254B38}\0x0409.ini
| MD5 | a108f0030a2cda00405281014f897241 |
| SHA1 | d112325fa45664272b08ef5e8ff8c85382ebb991 |
| SHA256 | 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948 |
| SHA512 | d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298 |
C:\Users\Admin\AppData\Local\Temp\iss17B6.tmp
| MD5 | 68b9e8b86c2bddab0ddf6d0f5c557a90 |
| SHA1 | 259fc4e76e750ffc3d1a19f4542a8af0491d14f5 |
| SHA256 | de6649c3a2ee6369b6b7e085b381c6d9fe17d4ba257f80666ef4a2106dc9940a |
| SHA512 | e614e1e31580fc5d262e19d30f7a96d87b1b32b4e9801f906436a59d7fc5002ac588506c0ea6f5a2bbc30641574b6a4e2a167e97fe1343219d5909ebb192986d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 334c261439bf5ffb2898787e6494c72d |
| SHA1 | e1478348e2b275f4050f867ccfd49828c63eda2c |
| SHA256 | f7d503ada25a0c419106453d2938239aa1c049708603381cd11299037d660a4e |
| SHA512 | 201ed6ca9b27d2e5891aff0f9c4f796b93cf21f02398368bb84e410d46eb95f88bf6f74ab8e76050ca3ed3b16aed5a87ba2dadfd32bbfc6774eb6a37e5f390d9 |
C:\Users\Admin\AppData\Local\Temp\{B4A3D970-6FFB-4FB0-AD6B-5E20BF254B38}\Unpluralized Antifrost.msi
| MD5 | 4d8091e549b1716bd33fc3606821fa2f |
| SHA1 | 6c1ec3b6671a2c176e1491df20a3c10b647a375c |
| SHA256 | b13d4f28e5aa790ada64fab95b0f364207c36b96910851f614a9330fa4ea83a0 |
| SHA512 | 1267b0d47ca69f9bd3bc3c55910fc96cadf5f30434d13e98b6f8c27717eb97abede4f4260a930663f609d57c91d40982697082f0f7d6627fec36923db7fdbaea |