Malware Analysis Report

2025-01-18 05:07

Sample ID 231017-wbwqkagc53
Target NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe
SHA256 b6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware themida trojan pub1
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1

Threat Level: Known bad

The file NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba

Detected Djvu ransomware

RedLine

RedLine payload

Amadey

SmokeLoader

Glupteba payload

Djvu Ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies file permissions

Themida packer

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Deletes itself

Checks computer location settings

Accesses Microsoft Outlook profiles

Checks whether UAC is enabled

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Checks SCSI registry key(s)

outlook_win_path

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

outlook_office_path

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-17 17:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-17 17:45

Reported

2023-10-17 17:50

Platform

win7-20230831-en

Max time kernel

228s

Max time network

240s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\537E.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\537E.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\537E.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7285.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a802bf6e-5ade-4e0f-abf1-fb2fab7553d9\\4ECC.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\4ECC.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\537E.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\537E.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\537E.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1204 wrote to memory of 2472 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 1204 wrote to memory of 2472 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 1204 wrote to memory of 2472 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 1204 wrote to memory of 2472 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 2472 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 2472 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 2472 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 2472 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 2472 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 2472 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 2472 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 2472 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 2472 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 2472 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 2472 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\4ECC.exe | C:\Users\Admin\AppData\Local\Temp\4ECC.exe
PID 1204 wrote to memory of 2352 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\537E.exe
PID 1204 wrote to memory of 2352 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\537E.exe
PID 1204 wrote to memory of 2352 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\537E.exe
PID 1204 wrote to memory of 2352 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\537E.exe
PID 1204 wrote to memory of 1812 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 1812 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 1812 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 1812 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 1812 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 1220 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6E02.exe
PID 1204 wrote to memory of 1220 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6E02.exe
PID 1204 wrote to memory of 1220 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6E02.exe
PID 1204 wrote to memory of 1220 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6E02.exe
PID 1812 wrote to memory of 2364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1812 wrote to memory of 2364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1812 wrote to memory of 2364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1812 wrote to memory of 2364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1812 wrote to memory of 2364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1812 wrote to memory of 2364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1812 wrote to memory of 2364 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 520 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7285.exe
PID 1204 wrote to memory of 520 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7285.exe
PID 1204 wrote to memory of 520 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7285.exe
PID 1204 wrote to memory of 520 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7285.exe
PID 1204 wrote to memory of 740 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\85B8.exe
PID 1204 wrote to memory of 740 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\85B8.exe
PID 1204 wrote to memory of 740 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\85B8.exe
PID 1204 wrote to memory of 740 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\85B8.exe
PID 1204 wrote to memory of 608 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 1204 wrote to memory of 608 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 1204 wrote to memory of 608 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 1204 wrote to memory of 608 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 1204 wrote to memory of 608 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe
PID 1204 wrote to memory of 1200 | N/A | N/A | C:\Windows\explorer.exe
PID 1204 wrote to memory of 1200 | N/A | N/A | C:\Windows\explorer.exe
PID 1204 wrote to memory of 1200 | N/A | N/A | C:\Windows\explorer.exe
PID 1204 wrote to memory of 1200 | N/A | N/A | C:\Windows\explorer.exe
PID 520 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\7285.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 520 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\7285.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 520 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\7285.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 520 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\7285.exe | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1220 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\6E02.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1220 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\6E02.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1220 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\6E02.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1220 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\6E02.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1220 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\6E02.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1220 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\6E02.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1220 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\6E02.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1220 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\6E02.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\4ECC.exe

C:\Users\Admin\AppData\Local\Temp\4ECC.exe

C:\Users\Admin\AppData\Local\Temp\4ECC.exe

C:\Users\Admin\AppData\Local\Temp\4ECC.exe

C:\Users\Admin\AppData\Local\Temp\537E.exe

C:\Users\Admin\AppData\Local\Temp\537E.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6940.dll

C:\Users\Admin\AppData\Local\Temp\6E02.exe

C:\Users\Admin\AppData\Local\Temp\6E02.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\6940.dll

C:\Users\Admin\AppData\Local\Temp\7285.exe

C:\Users\Admin\AppData\Local\Temp\7285.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\85B8.exe

C:\Users\Admin\AppData\Local\Temp\85B8.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a802bf6e-5ade-4e0f-abf1-fb2fab7553d9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp

Files

memory/2632-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2632-1-0x00000000008F0000-0x00000000009F0000-memory.dmp

memory/2632-3-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2632-4-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2632-5-0x00000000008F0000-0x00000000009F0000-memory.dmp

memory/2632-6-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2632-8-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1204-7-0x00000000029E0000-0x00000000029F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4ECC.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\4ECC.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/2472-23-0x00000000006A0000-0x0000000000732000-memory.dmp

memory/2472-24-0x00000000006A0000-0x0000000000732000-memory.dmp

memory/2472-25-0x0000000001F50000-0x000000000206B000-memory.dmp

\Users\Admin\AppData\Local\Temp\4ECC.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\4ECC.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/2392-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4ECC.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/2392-31-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\537E.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/2392-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2352-38-0x0000000000E90000-0x0000000001638000-memory.dmp

memory/2352-39-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-40-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-41-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-42-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-43-0x0000000076DA0000-0x0000000076DE7000-memory.dmp

memory/2352-44-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-45-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-46-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-47-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-49-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-51-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-53-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-56-0x0000000076DA0000-0x0000000076DE7000-memory.dmp

memory/2352-55-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-54-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2392-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2352-59-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-57-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-60-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-61-0x0000000076C70000-0x0000000076D80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6940.dll

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

memory/2352-62-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-64-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-65-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-66-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-67-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-69-0x0000000077660000-0x0000000077662000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6E02.exe

MD5 9a31a97c4280c2f132874184bc1864eb
SHA1 424f3577733ecdf081cff3c0b765668fa94bf106
SHA256 d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681
SHA512 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c

C:\Users\Admin\AppData\Local\Temp\6E02.exe

MD5 9a31a97c4280c2f132874184bc1864eb
SHA1 424f3577733ecdf081cff3c0b765668fa94bf106
SHA256 d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681
SHA512 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c

\Users\Admin\AppData\Local\Temp\6940.dll

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

memory/2364-76-0x0000000010000000-0x00000000101E3000-memory.dmp

memory/2364-77-0x0000000000190000-0x0000000000196000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\7285.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\7285.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2364-87-0x0000000002200000-0x000000000231B000-memory.dmp

memory/2364-89-0x0000000002320000-0x000000000241F000-memory.dmp

memory/2364-92-0x0000000002320000-0x000000000241F000-memory.dmp

memory/2364-93-0x0000000002320000-0x000000000241F000-memory.dmp

memory/2352-95-0x0000000000E90000-0x0000000001638000-memory.dmp

memory/2352-96-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-97-0x0000000076DA0000-0x0000000076DE7000-memory.dmp

memory/2352-98-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-100-0x0000000076C70000-0x0000000076D80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\85B8.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

memory/2352-99-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-106-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/740-107-0x0000000002870000-0x0000000002C68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\85B8.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

memory/2352-109-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-110-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-112-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-111-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-113-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-114-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-115-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-119-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-118-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-117-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-116-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/1200-120-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1200-121-0x0000000000060000-0x000000000006C000-memory.dmp

memory/608-122-0x0000000000080000-0x00000000000EB000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1096-143-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1096-142-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1096-141-0x0000000000400000-0x000000000043E000-memory.dmp

memory/608-140-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/1096-144-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1096-146-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1096-145-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1096-148-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1096-150-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2352-155-0x0000000000E90000-0x0000000001638000-memory.dmp

memory/2352-160-0x0000000074350000-0x0000000074A3E000-memory.dmp

memory/740-163-0x0000000000400000-0x0000000000D6F000-memory.dmp

memory/740-165-0x0000000002C70000-0x000000000355B000-memory.dmp

memory/2352-166-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/2352-167-0x0000000076C70000-0x0000000076D80000-memory.dmp

memory/740-168-0x0000000002870000-0x0000000002C68000-memory.dmp

memory/1096-169-0x0000000074350000-0x0000000074A3E000-memory.dmp

C:\Users\Admin\AppData\Local\a802bf6e-5ade-4e0f-abf1-fb2fab7553d9\4ECC.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

memory/1096-181-0x00000000074E0000-0x0000000007520000-memory.dmp

memory/2352-182-0x0000000000460000-0x00000000004A0000-memory.dmp

memory/2392-186-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\85B8.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-17 17:45

Reported

2023-10-17 17:49

Platform

win10v2004-20230915-en

Max time kernel

200s

Max time network

216s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5BF2.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5BF2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5BF2.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9DF0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\45D9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\45D9.exe N/A

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\990bdd8a-7977-45e3-9e2a-bd48d4a54dd8\\45D9.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\45D9.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5BF2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5BF2.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\AE2D.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\AE2D.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\AE2D.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AE2D.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5BF2.exe N/A

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\Temp\45D9.exe
PID 2660 wrote to memory of 60 N/A N/A C:\Users\Admin\AppData\Local\Temp\5BF2.exe
PID 1728 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\45D9.exe C:\Users\Admin\AppData\Local\Temp\45D9.exe
PID 2660 wrote to memory of 3196 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3196 wrote to memory of 3084 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2660 wrote to memory of 4412 N/A N/A C:\Users\Admin\AppData\Local\Temp\89F9.exe
PID 2660 wrote to memory of 1684 N/A N/A C:\Users\Admin\AppData\Local\Temp\9DF0.exe
PID 4412 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\89F9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2660 wrote to memory of 3788 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE2D.exe
PID 5116 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\45D9.exe C:\Windows\SysWOW64\icacls.exe
PID 1684 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\9DF0.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3108 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3108 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 1376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4956 wrote to memory of 32 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4956 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASb6961297c26ff9d5304389fd95d1df276cc6d81e1ab52c61f99ef8046d969ae1exeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\45D9.exe

C:\Users\Admin\AppData\Local\Temp\45D9.exe

C:\Users\Admin\AppData\Local\Temp\5BF2.exe

C:\Users\Admin\AppData\Local\Temp\5BF2.exe

C:\Users\Admin\AppData\Local\Temp\45D9.exe

C:\Users\Admin\AppData\Local\Temp\45D9.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7279.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\7279.dll

C:\Users\Admin\AppData\Local\Temp\89F9.exe

C:\Users\Admin\AppData\Local\Temp\89F9.exe

C:\Users\Admin\AppData\Local\Temp\9DF0.exe

C:\Users\Admin\AppData\Local\Temp\9DF0.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\AE2D.exe

C:\Users\Admin\AppData\Local\Temp\AE2D.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\990bdd8a-7977-45e3-9e2a-bd48d4a54dd8" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\BB8C.exe

C:\Users\Admin\AppData\Local\Temp\BB8C.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\45D9.exe

"C:\Users\Admin\AppData\Local\Temp\45D9.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\45D9.exe

"C:\Users\Admin\AppData\Local\Temp\45D9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\fd9f8e8b-7f7c-4502-af7a-879a82a9a540\build2.exe

"C:\Users\Admin\AppData\Local\fd9f8e8b-7f7c-4502-af7a-879a82a9a540\build2.exe"

C:\Users\Admin\AppData\Local\fd9f8e8b-7f7c-4502-af7a-879a82a9a540\build3.exe

"C:\Users\Admin\AppData\Local\fd9f8e8b-7f7c-4502-af7a-879a82a9a540\build3.exe"

C:\Users\Admin\AppData\Local\fd9f8e8b-7f7c-4502-af7a-879a82a9a540\build2.exe

"C:\Users\Admin\AppData\Local\fd9f8e8b-7f7c-4502-af7a-879a82a9a540\build2.exe"

C:\Users\Admin\AppData\Local\Temp\7529.exe

C:\Users\Admin\AppData\Local\Temp\7529.exe

C:\Users\Admin\AppData\Local\fd9f8e8b-7f7c-4502-af7a-879a82a9a540\build3.exe

"C:\Users\Admin\AppData\Local\fd9f8e8b-7f7c-4502-af7a-879a82a9a540\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 126.157.27.67.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
FR 51.254.67.186:16176 tcp
US 8.8.8.8:53 186.67.254.51.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 wirtshauspost.at udp
KR 123.140.161.243:80 wirtshauspost.at tcp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
US 8.8.8.8:53 243.161.140.123.in-addr.arpa udp
KR 123.140.161.243:80 wirtshauspost.at tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
MX 201.124.243.137:80 zexeq.com tcp
KR 123.140.161.243:80 wirtshauspost.at tcp
US 8.8.8.8:53 137.243.124.201.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
KR 123.140.161.243:80 wirtshauspost.at tcp
US 8.8.8.8:53 toennjeskenya.com udp
GB 77.95.113.16:443 toennjeskenya.com tcp
MX 201.124.243.137:80 zexeq.com tcp
US 8.8.8.8:53 16.113.95.77.in-addr.arpa udp
KR 123.140.161.243:80 wirtshauspost.at tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
KR 123.140.161.243:80 wirtshauspost.at tcp

Files

C:\Users\Admin\AppData\Local\Temp\45D9.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\5BF2.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

C:\Users\Admin\AppData\Local\Temp\45D9.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\7279.dll

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

C:\Users\Admin\AppData\Local\Temp\89F9.exe

MD5 9a31a97c4280c2f132874184bc1864eb
SHA1 424f3577733ecdf081cff3c0b765668fa94bf106
SHA256 d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681
SHA512 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c

C:\Users\Admin\AppData\Local\Temp\7279.dll

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

C:\Users\Admin\AppData\Local\Temp\9DF0.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\AE2D.exe

MD5 a6cc2635415872e2cfa5bc586b8d5ac1
SHA1 1ab7f97be976876998982fef5a4f54f29325ff10
SHA256 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e
SHA512 cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\990bdd8a-7977-45e3-9e2a-bd48d4a54dd8\45D9.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\Local\Temp\BB8C.exe

MD5 71b9cd84ec146c642e076dfb2a87c31a
SHA1 18f593471c238beb864de6425c0343cbb0ea8597
SHA256 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309
SHA512 af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c

C:\Users\Admin\AppData\Roaming\jtbusrh

MD5 a6cc2635415872e2cfa5bc586b8d5ac1
SHA1 1ab7f97be976876998982fef5a4f54f29325ff10
SHA256 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e
SHA512 cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad

C:\Users\Admin\AppData\Local\Temp\45D9.exe

MD5 3d0534c699f0f264c2ecedebb5cf3af8
SHA1 f0cb1804fe81dba82b085e51d64953a77dc5e174
SHA256 e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230
SHA512 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0268ef551139ac7672a96e6658ce044a
SHA1 b005ca526faa872c8e0aeafd11e3335c28c16037
SHA256 417ec67ee533de68e2008cc547552d33878e0d9bedd6ceaf5572d37112bb036a
SHA512 5405872c99f9f88596d39057d8701ba360b498d8bbb5eb64cd5af5f8f1100e0ecdaf09ad811aa0b3fc92ddfcef05d1a14e6495868e4995af049cd3be0247860d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 07edb734259397091756c639ee888ab4
SHA1 e6068cd8199853d90eff6b7cfa17197ce11cccd1
SHA256 000d236d59023ca0c54b088f04852bfa9da9dd4059fdd452ce7a4c5bac6d925e
SHA512 8bace8d152d2a95a8b5fb7d6e10a092a34f8b01c7f87e5ca45ba6e6adc5ab7e8bbcefda080ce9e9fb294d216624338a0bdfd673fcd3188c51f61f53dfd36dce6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 f9fa18f17808f06454680af89283fa10
SHA1 bb2f2d23a01fee80fbad74ca69b5a2436054d536
SHA256 d8e660ec3d345d8a9327337501aa004bae024131f67d01b5afe000a156eb0c21
SHA512 5d56fbf8717ef689d87f561e389cfe62e9cb9ba8230c6ee7e27fdc7ba9429f002db0270550b4a1d012151f622e105d7f73b1c22f924d14552168a3059d2d8eaa

C:\Users\Admin\AppData\Local\fd9f8e8b-7f7c-4502-af7a-879a82a9a540\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\fd9f8e8b-7f7c-4502-af7a-879a82a9a540\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\7529.exe

MD5 646396a1f9b3474ad8533953a3583b4b
SHA1 9cc3b41381d97196f93d2d551492909d82f58dde
SHA256 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b
SHA512 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa