Malware Analysis Report

2025-01-18 06:22

Sample ID 231018-bdhaqsad5z
Target 104bcafc3e10e3b66627fb16ec8c9d6f.bin
SHA256 c6c5956188fb5560136a58253eb13d4c7a937d0b20a345a36986414e2cedf3cb
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor discovery infostealer ransomware themida trojan glupteba pub1 collection dropper evasion loader persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c6c5956188fb5560136a58253eb13d4c7a937d0b20a345a36986414e2cedf3cb

Threat Level: Known bad

The file 104bcafc3e10e3b66627fb16ec8c9d6f.bin was found to be: Known bad.

Malicious Activity Summary

amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor discovery infostealer ransomware themida trojan glupteba pub1 collection dropper evasion loader persistence

SmokeLoader

RedLine

Detected Djvu ransomware

Glupteba payload

Amadey

RedLine payload

Djvu Ransomware

Glupteba

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies file permissions

Checks computer location settings

Deletes itself

Themida packer

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

outlook_win_path

outlook_office_path

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-18 01:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-18 01:01

Reported

2023-10-18 01:04

Platform

win7-20230831-en

Max time kernel

33s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9227.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9227.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1364 wrote to memory of 2616 N/A N/A C:\Users\Admin\AppData\Local\Temp\9227.exe
PID 1364 wrote to memory of 2616 N/A N/A C:\Users\Admin\AppData\Local\Temp\9227.exe
PID 1364 wrote to memory of 2616 N/A N/A C:\Users\Admin\AppData\Local\Temp\9227.exe
PID 1364 wrote to memory of 2616 N/A N/A C:\Users\Admin\AppData\Local\Temp\9227.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe

"C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe"

C:\Users\Admin\AppData\Local\Temp\EBB6.exe

C:\Users\Admin\AppData\Local\Temp\EBB6.exe

C:\Users\Admin\AppData\Local\Temp\EBB6.exe

C:\Users\Admin\AppData\Local\Temp\EBB6.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\67c40ccd-4c76-4d3e-b7cd-2eaf3abb391e" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\F355.exe

C:\Users\Admin\AppData\Local\Temp\F355.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F9BC.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F9BC.dll

C:\Users\Admin\AppData\Local\Temp\145E.exe

C:\Users\Admin\AppData\Local\Temp\145E.exe

C:\Users\Admin\AppData\Local\Temp\EBB6.exe

"C:\Users\Admin\AppData\Local\Temp\EBB6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\EBB6.exe

"C:\Users\Admin\AppData\Local\Temp\EBB6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\2EF1.exe

C:\Users\Admin\AppData\Local\Temp\2EF1.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build2.exe

"C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build2.exe"

C:\Users\Admin\AppData\Local\Temp\9227.exe

C:\Users\Admin\AppData\Local\Temp\9227.exe

C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build3.exe

"C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build3.exe"

C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build2.exe

"C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build2.exe"

C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build3.exe

"C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build3.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {AFEE4B37-D623-47B1-93EF-2367D5D0390A} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 N/A udp
US 188.114.97.0:443 api.2ip.ua tcp
NL 142.251.36.35:80 N/A tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 colisumy.com udp
BR 187.18.108.158:80 colisumy.com tcp
KR 211.40.39.251:80 N/A tcp
KR 211.40.39.251:80 zexeq.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 31.41.244.27:41140 N/A tcp
FR 51.254.67.186:16176 N/A tcp

Files

memory/2956-1-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/2956-3-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/2956-2-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/2956-5-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1364-4-0x0000000002670000-0x0000000002686000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EBB6.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

C:\Users\Admin\AppData\Local\Temp\EBB6.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

memory/2616-20-0x0000000000300000-0x0000000000392000-memory.dmp

memory/2616-22-0x0000000001F40000-0x000000000205B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EBB6.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

memory/2616-30-0x0000000000300000-0x0000000000392000-memory.dmp

memory/2752-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2752-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EBB6.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

\Users\Admin\AppData\Local\Temp\EBB6.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

memory/2752-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2752-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2616-21-0x0000000000300000-0x0000000000392000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F355.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/592-55-0x00000000002C0000-0x0000000000A68000-memory.dmp

memory/592-56-0x0000000075930000-0x0000000075A40000-memory.dmp

C:\Users\Admin\AppData\Local\67c40ccd-4c76-4d3e-b7cd-2eaf3abb391e\EBB6.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

memory/592-60-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-62-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-64-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-65-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-67-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-70-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-72-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-73-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-77-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-78-0x00000000779E0000-0x00000000779E2000-memory.dmp

memory/592-74-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-71-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-69-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-68-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-66-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-63-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-61-0x0000000076030000-0x0000000076077000-memory.dmp

memory/592-58-0x0000000075930000-0x0000000075A40000-memory.dmp

memory/592-57-0x0000000075930000-0x0000000075A40000-memory.dmp

\Users\Admin\AppData\Local\Temp\EBB6.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

memory/2752-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1988-85-0x0000000000300000-0x0000000000392000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EBB6.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

memory/592-88-0x00000000742E0000-0x00000000749CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F9BC.dll

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

\Users\Admin\AppData\Local\Temp\EBB6.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

C:\Users\Admin\AppData\Local\Temp\145E.exe

MD5 9a31a97c4280c2f132874184bc1864eb
SHA1 424f3577733ecdf081cff3c0b765668fa94bf106
SHA256 d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681
SHA512 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c

C:\Users\Admin\AppData\Local\Temp\EBB6.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

C:\Users\Admin\AppData\Local\Temp\145E.exe

MD5 9a31a97c4280c2f132874184bc1864eb
SHA1 424f3577733ecdf081cff3c0b765668fa94bf106
SHA256 d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681
SHA512 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c

memory/752-103-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1988-100-0x0000000000300000-0x0000000000392000-memory.dmp

\Users\Admin\AppData\Local\Temp\EBB6.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

\Users\Admin\AppData\Local\Temp\F9BC.dll

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

memory/592-123-0x00000000002C0000-0x0000000000A68000-memory.dmp

memory/1136-125-0x0000000010000000-0x00000000101E3000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e540bea0fc401cf377e3dddecce76db
SHA1 d26f7b10b59c97cfa003aef9b341e7e5764c379a
SHA256 81bd40e8cbbea71879e7d8f2db08c374c22d751be22517b1c717b78274b69a6f
SHA512 14f60ca6bcedfd1c7307e7fcb9db14db5282fcc574430e2b17d3b411ca1b07a04733eedfdc62be84b743666f6aa9b313fb5cb9f4391c5565f2465c9182d24f8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\Local\Temp\Cab2B06.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 996930b1f75c8d334882be683cf1fe52
SHA1 d74ed6df3de25e0c3f167943e2c57c4b78131003
SHA256 98891d21da9d691f9173ae158bbc5394b88f11b4e839855c3fe41f0817a415a9
SHA512 1bb9c5e25f3075b01e38612d87b288304bbf5b42ef857eb5764571e999b282e21f8702b4ffca5de0df37328b28c02df025daf5ab66cdc19506fc7eb345c5eb42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0cc0c70c0abb72ceabbe6c794dd1c1e9
SHA1 c721529a91b9ff21ebbfeee9c301f0332e19a107
SHA256 aebe7d2a2ff7dd8e97496477261537496537ff1d924ac765b83fb35e55a1a7fb
SHA512 d426effa9a04acf840473fc658e8a103312f10236d9f3b7811c842bf505a7c0c0563bc638d30c36bdfc07d0c5e11faa0fed78fac9cb8d3257643519261907b92

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 1c5e8834eb6d5e9f1fcf600306225e45
SHA1 e50ea0983fe788681a3b56426c39e02f7b6c9233
SHA256 590a46d05dbc965265aaf90646b6d4952379f0acc2b2fe32f9b8773f8566de3c
SHA512 6fc31ee7239df8330d0c62b058d5ae02fff8594106ab2222297d576d79ca0003edf3e8ea060868d6e76d78e156b32402b017c103dd64ee7d688092d4f5fd1a50

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\2EF1.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\2EF1.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/752-201-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1136-205-0x0000000002250000-0x000000000236B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/752-204-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1180-207-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1180-209-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1180-211-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1180-213-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1180-215-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1180-217-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/752-251-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

memory/752-222-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1136-235-0x0000000002370000-0x000000000246F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VCB5UVUE\build3[1].exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/592-285-0x0000000000C20000-0x0000000000C35000-memory.dmp

memory/752-259-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1180-258-0x0000000000400000-0x000000000043E000-memory.dmp

memory/592-283-0x0000000000C20000-0x0000000000C35000-memory.dmp

memory/592-281-0x0000000000C20000-0x0000000000C35000-memory.dmp

memory/592-279-0x0000000000C20000-0x0000000000C35000-memory.dmp

memory/592-277-0x0000000000C20000-0x0000000000C35000-memory.dmp

memory/592-275-0x0000000000C20000-0x0000000000C35000-memory.dmp

memory/592-273-0x0000000000C20000-0x0000000000C35000-memory.dmp

memory/592-271-0x0000000000C20000-0x0000000000C35000-memory.dmp

memory/592-269-0x0000000000C20000-0x0000000000C35000-memory.dmp

memory/592-267-0x0000000000C20000-0x0000000000C35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9227.exe

MD5 3d86681b9cfc36c91982d7289bc330ac
SHA1 b9787ed8abe801cd792f81c2e00d700b9584d7ab
SHA256 bf4b857fcc9bb86fba52e1fb7341c0d3d72ab0610ff1b3238426293cc67aa33e
SHA512 66cbd28782941e015fc5c3bf985ef6f51ba9a324e508e530743be5d70247db8c5785ff178eaaa079b0442be98769c464f624faab2ec0a40491324981b28bacb8

memory/592-266-0x0000000000C20000-0x0000000000C35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9227.exe

MD5 3d86681b9cfc36c91982d7289bc330ac
SHA1 b9787ed8abe801cd792f81c2e00d700b9584d7ab
SHA256 bf4b857fcc9bb86fba52e1fb7341c0d3d72ab0610ff1b3238426293cc67aa33e
SHA512 66cbd28782941e015fc5c3bf985ef6f51ba9a324e508e530743be5d70247db8c5785ff178eaaa079b0442be98769c464f624faab2ec0a40491324981b28bacb8

memory/592-264-0x0000000000C20000-0x0000000000C3C000-memory.dmp

memory/2944-263-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1120-298-0x00000000002D2000-0x00000000002E3000-memory.dmp

C:\Users\Admin\AppData\Local\ea145fb2-065a-4c55-a5bb-70e2431e9f1f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1120-301-0x00000000001B0000-0x00000000001B4000-memory.dmp

memory/1668-317-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/1180-304-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1124-319-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2212-334-0x0000000000400000-0x000000000045A000-memory.dmp

memory/592-338-0x00000000002C0000-0x0000000000A68000-memory.dmp

memory/592-342-0x00000000055E5000-0x000000000561D000-memory.dmp

memory/592-341-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/592-340-0x0000000076030000-0x0000000076077000-memory.dmp

memory/592-339-0x0000000075930000-0x0000000075A40000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-18 01:01

Reported

2023-10-18 01:06

Platform

win10v2004-20230915-en

Max time kernel

179s

Max time network

187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\F46E.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\F46E.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\F46E.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\14DA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EE53.exe N/A

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5ee54330-0485-44c8-b253-5f51e390f6dd\\EE53.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\EE53.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\F46E.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F46E.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\EE53.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1A4A.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1A4A.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1A4A.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1A4A.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F46E.exe N/A

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3212 wrote to memory of 4556 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE53.exe
PID 4556 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\EE53.exe C:\Users\Admin\AppData\Local\Temp\EE53.exe
PID 3212 wrote to memory of 4044 N/A N/A C:\Users\Admin\AppData\Local\Temp\F46E.exe
PID 3212 wrote to memory of 3000 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3000 wrote to memory of 1832 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3212 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Temp\1120.exe
PID 2044 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\EE53.exe C:\Windows\SysWOW64\icacls.exe
PID 3212 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\Temp\14DA.exe
PID 3212 wrote to memory of 4316 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A4A.exe
PID 1788 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\14DA.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3212 wrote to memory of 2408 N/A N/A C:\Users\Admin\AppData\Local\Temp\2259.exe
PID 4432 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3212 wrote to memory of 3860 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3212 wrote to memory of 2272 N/A N/A C:\Windows\explorer.exe
PID 4432 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\EE53.exe C:\Users\Admin\AppData\Local\Temp\EE53.exe
PID 3192 wrote to memory of 1324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3192 wrote to memory of 412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4044 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\F46E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe

"C:\Users\Admin\AppData\Local\Temp\05edab6c2f869a8e4e8262fa0d144734f43c3b8eeb002c0711c3d6643ea4838e.exe"

C:\Users\Admin\AppData\Local\Temp\EE53.exe

C:\Users\Admin\AppData\Local\Temp\EE53.exe

C:\Users\Admin\AppData\Local\Temp\EE53.exe

C:\Users\Admin\AppData\Local\Temp\EE53.exe

C:\Users\Admin\AppData\Local\Temp\F46E.exe

C:\Users\Admin\AppData\Local\Temp\F46E.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F7F9.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F7F9.dll

C:\Users\Admin\AppData\Local\Temp\1120.exe

C:\Users\Admin\AppData\Local\Temp\1120.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\5ee54330-0485-44c8-b253-5f51e390f6dd" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\14DA.exe

C:\Users\Admin\AppData\Local\Temp\14DA.exe

C:\Users\Admin\AppData\Local\Temp\1A4A.exe

C:\Users\Admin\AppData\Local\Temp\1A4A.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\2259.exe

C:\Users\Admin\AppData\Local\Temp\2259.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\EE53.exe

"C:\Users\Admin\AppData\Local\Temp\EE53.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\EE53.exe

"C:\Users\Admin\AppData\Local\Temp\EE53.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1600 -ip 1600

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 568

C:\Users\Admin\AppData\Local\Temp\19AB.exe

C:\Users\Admin\AppData\Local\Temp\19AB.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.1.248.8.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
MO 180.94.156.61:80 wirtshauspost.at tcp
US 8.8.8.8:53 61.156.94.180.in-addr.arpa udp
US 8.8.8.8:53 toennjeskenya.com udp
GB 77.95.113.16:443 toennjeskenya.com tcp
US 8.8.8.8:53 16.113.95.77.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\EE53.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

C:\Users\Admin\AppData\Local\Temp\F46E.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

C:\Users\Admin\AppData\Local\Temp\F7F9.dll

MD5 a43d9991721fcd1521677bf31c21ce21
SHA1 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c
SHA256 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197
SHA512 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459

C:\Users\Admin\AppData\Local\Temp\1120.exe

MD5 9a31a97c4280c2f132874184bc1864eb
SHA1 424f3577733ecdf081cff3c0b765668fa94bf106
SHA256 d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681
SHA512 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c

C:\Users\Admin\AppData\Local\Temp\14DA.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\1A4A.exe

MD5 647545be828a1d9a42749f29ca2b8bec
SHA1 128fbce13a47e53590224a31fc5c6b132e52e8cc
SHA256 3c0b147b253bfceb1eda320b02dfe60eb05b2844e19cfc6879f7ce5a6eb234b5
SHA512 d8533f2ac4e3aa089e471ac229a2015d05fb8d7a49f0c08359f3121065a42c7b184a31ef03acff0c783c1c55b87c553950588e0bc56c14545279c4db612db9a5

C:\Users\Admin\AppData\Local\5ee54330-0485-44c8-b253-5f51e390f6dd\EE53.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

C:\Users\Admin\AppData\Local\Temp\2259.exe

MD5 3d86681b9cfc36c91982d7289bc330ac
SHA1 b9787ed8abe801cd792f81c2e00d700b9584d7ab
SHA256 bf4b857fcc9bb86fba52e1fb7341c0d3d72ab0610ff1b3238426293cc67aa33e
SHA512 66cbd28782941e015fc5c3bf985ef6f51ba9a324e508e530743be5d70247db8c5785ff178eaaa079b0442be98769c464f624faab2ec0a40491324981b28bacb8

C:\Users\Admin\AppData\Roaming\tbwsfua

MD5 647545be828a1d9a42749f29ca2b8bec
SHA1 128fbce13a47e53590224a31fc5c6b132e52e8cc
SHA256 3c0b147b253bfceb1eda320b02dfe60eb05b2844e19cfc6879f7ce5a6eb234b5
SHA512 d8533f2ac4e3aa089e471ac229a2015d05fb8d7a49f0c08359f3121065a42c7b184a31ef03acff0c783c1c55b87c553950588e0bc56c14545279c4db612db9a5

memory/3860-133-0x0000000000F10000-0x0000000000F85000-memory.dmp

memory/3860-137-0x0000000000EA0000-0x0000000000F0B000-memory.dmp

memory/2408-138-0x0000000000400000-0x0000000000D70000-memory.dmp

memory/2044-139-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4044-140-0x0000000005A00000-0x0000000005A15000-memory.dmp

memory/4044-143-0x0000000005A00000-0x0000000005A15000-memory.dmp

memory/4044-145-0x0000000005A00000-0x0000000005A15000-memory.dmp

memory/4044-147-0x0000000005A00000-0x0000000005A15000-memory.dmp

memory/4044-149-0x0000000005A00000-0x0000000005A15000-memory.dmp

memory/4044-151-0x0000000005A00000-0x0000000005A15000-memory.dmp

memory/4044-153-0x0000000005A00000-0x0000000005A15000-memory.dmp

memory/4044-155-0x0000000005A00000-0x0000000005A15000-memory.dmp

memory/4044-157-0x0000000005A00000-0x0000000005A15000-memory.dmp

memory/4044-159-0x0000000005A00000-0x0000000005A15000-memory.dmp

memory/4044-161-0x0000000005A00000-0x0000000005A15000-memory.dmp

memory/4044-163-0x0000000005A00000-0x0000000005A15000-memory.dmp

memory/4044-165-0x0000000005A00000-0x0000000005A15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE53.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

memory/2044-171-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4176-175-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3860-177-0x0000000000F10000-0x0000000000F85000-memory.dmp

memory/1532-178-0x0000000002350000-0x00000000023E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE53.exe

MD5 c25b753d0509d3d7c212480f5c1c4678
SHA1 abe1ada94e919669b3073bc9f5227777f1565695
SHA256 ff00e77fcfc6950ab60b11994e8a954d27c95be013ba4f9bdff19362453c8fa9
SHA512 fa39955375a551e9b0692004c5d0bc43806553ee3c248387cb9a8a14ff5eac95afa37e142471f2414b6867cb3b911fe48f8a6706153ad83dafd7f91abcd3e760

memory/1600-181-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1600-183-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4176-200-0x00000000739A0000-0x0000000074150000-memory.dmp

memory/4044-199-0x0000000000B00000-0x00000000012A8000-memory.dmp

memory/4044-211-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

memory/4176-215-0x0000000007DF0000-0x0000000007E00000-memory.dmp

memory/4044-204-0x00000000761C0000-0x00000000762B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3860-220-0x0000000000EA0000-0x0000000000F0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\19AB.exe

MD5 646396a1f9b3474ad8533953a3583b4b
SHA1 9cc3b41381d97196f93d2d551492909d82f58dde
SHA256 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b
SHA512 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa

memory/4176-223-0x0000000008D00000-0x0000000009318000-memory.dmp

memory/4176-224-0x00000000739A0000-0x0000000074150000-memory.dmp

memory/4176-225-0x0000000007DF0000-0x0000000007E00000-memory.dmp