Malware Analysis Report

2025-01-18 05:07

Sample ID 231018-w136yahe8s
Target NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe
SHA256 9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67c
Tags
amadey djvu redline smokeloader vidar logsdiller cloud (tg: @logsdillabot) summ backdoor discovery evasion infostealer ransomware stealer themida trojan pub1
score
10/10


Analysis Overview

score
10/10

SHA256

9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67c

Threat Level: Known bad

The file NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu redline smokeloader vidar logsdiller cloud (tg: @logsdillabot) summ backdoor discovery evasion infostealer ransomware stealer themida trojan pub1

Djvu Ransomware

Vidar

RedLine payload

RedLine

Amadey

SmokeLoader

Detected Djvu ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Themida packer

Checks BIOS information in registry

Deletes itself

Modifies file permissions

Loads dropped DLL

Looks up external IP address via web service

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-18 18:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-18 18:24

Reported

2023-10-18 18:26

Platform

win7-20230831-en

Max time kernel

45s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\BB54.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\BB54.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\BB54.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DD88.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\BB54.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BB54.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2324 set thread context of 2660 N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe C:\Users\Admin\AppData\Local\Temp\B78C.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\CE5B.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\CE5B.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\CE5B.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 2324 N/A N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 1260 wrote to memory of 2324 N/A N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 1260 wrote to memory of 2324 N/A N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 1260 wrote to memory of 2324 N/A N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 1260 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB54.exe
PID 1260 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB54.exe
PID 1260 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB54.exe
PID 1260 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB54.exe
PID 2324 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 2324 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 2324 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 2324 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 2324 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 2324 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 2324 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 2324 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 2324 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 2324 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 2324 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\B78C.exe C:\Users\Admin\AppData\Local\Temp\B78C.exe
PID 1260 wrote to memory of 2752 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1260 wrote to memory of 2752 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1260 wrote to memory of 2752 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1260 wrote to memory of 2752 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1260 wrote to memory of 2752 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1260 wrote to memory of 2508 N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E7.exe
PID 1260 wrote to memory of 2508 N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E7.exe
PID 1260 wrote to memory of 2508 N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E7.exe
PID 1260 wrote to memory of 2508 N/A N/A C:\Users\Admin\AppData\Local\Temp\C9E7.exe
PID 1260 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE5B.exe
PID 1260 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE5B.exe
PID 1260 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE5B.exe
PID 1260 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE5B.exe
PID 2752 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2752 wrote to memory of 2632 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1260 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD88.exe
PID 1260 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD88.exe
PID 1260 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD88.exe
PID 1260 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD88.exe
PID 2708 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\DD88.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2708 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\DD88.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2708 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\DD88.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2708 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\DD88.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\B78C.exe

C:\Users\Admin\AppData\Local\Temp\B78C.exe

C:\Users\Admin\AppData\Local\Temp\BB54.exe

C:\Users\Admin\AppData\Local\Temp\BB54.exe

C:\Users\Admin\AppData\Local\Temp\B78C.exe

C:\Users\Admin\AppData\Local\Temp\B78C.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C296.dll

C:\Users\Admin\AppData\Local\Temp\C9E7.exe

C:\Users\Admin\AppData\Local\Temp\C9E7.exe

C:\Users\Admin\AppData\Local\Temp\CE5B.exe

C:\Users\Admin\AppData\Local\Temp\CE5B.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\C296.dll

C:\Users\Admin\AppData\Local\Temp\DD88.exe

C:\Users\Admin\AppData\Local\Temp\DD88.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\fd3f0444-3bdd-4103-93f1-a41b24265592" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\F924.exe

C:\Users\Admin\AppData\Local\Temp\F924.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\B78C.exe

"C:\Users\Admin\AppData\Local\Temp\B78C.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\B78C.exe

"C:\Users\Admin\AppData\Local\Temp\B78C.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build3.exe

"C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build3.exe"

C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build2.exe

"C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build2.exe"

C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build2.exe

"C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build2.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8F438456-E3BA-4D26-AF84-4E4DBC2CD511} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build3.exe

"C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build3.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | onualituyrs.org | udp
US | 8.8.8.8:53 | sumagulituyo.org | udp
US | 34.94.245.237:80 | sumagulituyo.org | tcp
US | 8.8.8.8:53 | snukerukeutit.org | udp
US | 104.198.2.251:80 | snukerukeutit.org | tcp
US | 8.8.8.8:53 | lightseinsteniki.org | udp
SG | 34.143.166.163:80 | lightseinsteniki.org | tcp
US | 8.8.8.8:53 | liuliuoumumy.org | udp
SG | 34.143.166.163:80 | liuliuoumumy.org | tcp
US | 8.8.8.8:53 | stualialuyastrelia.net | udp
RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp
RU | 79.137.192.18:80 | 79.137.192.18 | tcp
US | 8.8.8.8:53 | alayyadcare.com | udp
PS | 213.6.54.58:443 | alayyadcare.com | tcp
PS | 213.6.54.58:443 | alayyadcare.com | tcp
US | 8.8.8.8:53 | montereyclub.org | udp
US | 172.67.196.133:443 | montereyclub.org | tcp
US | 8.8.8.8:53 | loveperry.org | udp
US | 172.67.213.185:443 | loveperry.org | tcp
RU | 79.137.192.18:80 | 79.137.192.18 | tcp
US | 8.8.8.8:53 | api.2ip.ua | udp
US | 188.114.97.0:443 | api.2ip.ua | tcp
US | 188.114.97.0:443 | api.2ip.ua | tcp
BG | 171.22.28.236:38306 | | tcp
US | 8.8.8.8:53 | stalagmijesarl.com | udp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
RU | 85.209.11.85:41140 | | tcp
US | 8.8.8.8:53 | colisumy.com | udp
US | 8.8.8.8:53 | zexeq.com | udp
AL | 95.107.163.44:80 | colisumy.com | tcp
MX | 189.169.91.61:80 | zexeq.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
MX | 189.169.91.61:80 | zexeq.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 8.8.8.8:53 | transfer.sh | udp
DE | 144.76.136.153:443 | transfer.sh | tcp
BG | 171.22.28.236:38306 | | tcp
US | 8.8.8.8:53 | t.me | udp
US | 8.8.8.8:53 | apps.identrust.com | udp
NL | 23.72.252.171:80 | apps.identrust.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
NL | 149.154.167.99:443 | t.me | tcp
NL | 149.154.167.99:443 | t.me | tcp
NL | 149.154.167.99:443 | t.me | tcp
NL | 149.154.167.99:443 | t.me | tcp
US | 8.8.8.8:53 | steamcommunity.com | udp
JP | 23.207.106.113:443 | steamcommunity.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
US | 95.214.26.31:80 | stalagmijesarl.com | tcp
DE | 5.75.212.77:80 | 5.75.212.77 | tcp

Files

memory/1964-1-0x0000000000A10000-0x0000000000B10000-memory.dmp

memory/1964-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1964-3-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/1260-4-0x00000000029A0000-0x00000000029B6000-memory.dmp

memory/1964-5-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/1964-7-0x0000000000220000-0x000000000022B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B78C.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\B78C.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\BB54.exe

MD5 73c0d14591b9438fd544c80ccee4fef1
SHA1 8eb8e501098dd00627bd7a63e0f01feb861eeac6
SHA256 ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219
SHA512 d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f

memory/2668-25-0x0000000001130000-0x000000000186E000-memory.dmp

memory/2324-26-0x0000000000220000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B78C.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/2660-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2660-31-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B78C.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

\Users\Admin\AppData\Local\Temp\B78C.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/2668-35-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-39-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-40-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2324-38-0x0000000000850000-0x000000000096B000-memory.dmp

memory/2324-34-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2668-42-0x0000000076A50000-0x0000000076A97000-memory.dmp

memory/2668-43-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-44-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-45-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-46-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-47-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-48-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-49-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-50-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-51-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-52-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-53-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-55-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-56-0x0000000077220000-0x0000000077222000-memory.dmp

memory/2668-57-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-58-0x0000000074E50000-0x0000000074F60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C9E7.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

C:\Users\Admin\AppData\Local\Temp\C9E7.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

memory/2660-64-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2660-65-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CE5B.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

C:\Users\Admin\AppData\Local\Temp\CE5B.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

C:\Users\Admin\AppData\Local\Temp\C296.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

memory/2536-74-0x0000000000980000-0x0000000000A80000-memory.dmp

memory/2536-76-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/2536-75-0x0000000000220000-0x0000000000229000-memory.dmp

\Users\Admin\AppData\Local\Temp\C296.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

memory/2632-79-0x0000000010000000-0x00000000101D2000-memory.dmp

memory/2632-78-0x0000000000180000-0x0000000000186000-memory.dmp

memory/2668-81-0x0000000001130000-0x000000000186E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\DD88.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\DD88.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2904-96-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2904-97-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2536-101-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/1260-100-0x0000000003A90000-0x0000000003AA6000-memory.dmp

memory/2904-103-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2904-99-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2904-98-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2904-108-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2668-109-0x0000000074180000-0x000000007486E000-memory.dmp

memory/2904-95-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2904-94-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2904-112-0x0000000074180000-0x000000007486E000-memory.dmp

memory/2632-113-0x0000000002320000-0x0000000002446000-memory.dmp

memory/2632-115-0x0000000002450000-0x0000000002559000-memory.dmp

memory/2632-116-0x0000000002450000-0x0000000002559000-memory.dmp

memory/2668-114-0x0000000001130000-0x000000000186E000-memory.dmp

memory/2632-118-0x0000000002450000-0x0000000002559000-memory.dmp

memory/2632-119-0x0000000002450000-0x0000000002559000-memory.dmp

memory/2668-120-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-122-0x0000000076A50000-0x0000000076A97000-memory.dmp

memory/2668-121-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-123-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-124-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-125-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-126-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-127-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2668-128-0x0000000074E50000-0x0000000074F60000-memory.dmp

memory/2904-130-0x0000000007370000-0x00000000073B0000-memory.dmp

memory/2668-129-0x0000000004F50000-0x0000000004F90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F924.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

C:\Users\Admin\AppData\Local\Temp\F924.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

C:\Users\Admin\AppData\Local\fd3f0444-3bdd-4103-93f1-a41b24265592\B78C.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/328-156-0x0000000000130000-0x00000000001A5000-memory.dmp

memory/328-157-0x00000000000C0000-0x000000000012B000-memory.dmp

memory/328-155-0x00000000000C0000-0x000000000012B000-memory.dmp

memory/1388-175-0x0000000000060000-0x000000000006C000-memory.dmp

\Users\Admin\AppData\Local\Temp\B78C.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\B78C.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/1388-179-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2660-173-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2668-180-0x00000000007B0000-0x00000000007CC000-memory.dmp

memory/348-174-0x00000000026A0000-0x0000000002A98000-memory.dmp

\Users\Admin\AppData\Local\Temp\B78C.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/328-172-0x00000000000C0000-0x000000000012B000-memory.dmp

memory/748-181-0x0000000000320000-0x00000000003B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\B78C.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\B78C.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/748-189-0x0000000000320000-0x00000000003B1000-memory.dmp

memory/1924-188-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2668-190-0x00000000007B0000-0x00000000007C5000-memory.dmp

memory/2668-191-0x00000000007B0000-0x00000000007C5000-memory.dmp

memory/2668-193-0x00000000007B0000-0x00000000007C5000-memory.dmp

memory/2668-195-0x00000000007B0000-0x00000000007C5000-memory.dmp

memory/2668-197-0x00000000007B0000-0x00000000007C5000-memory.dmp

memory/2668-199-0x00000000007B0000-0x00000000007C5000-memory.dmp

memory/2668-201-0x00000000007B0000-0x00000000007C5000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3090981d14de5b54f155531e074a96d6
SHA1 82abe05e487614c4a4cb8d988907a941b36f90a4
SHA256 31b106fdcc73ece094c0e08ce9e5aeafce42ceb28f0e32db346bcbce8918ae64
SHA512 66bcccee12eabdf9aeb3d650a43dbe5f24dcca5055ebd05bd8d75788a68013881afe2ea97b453f8c9d3a4369bd09ba1724d471f9f105411a59792e73793460e3

memory/2668-215-0x00000000007B0000-0x00000000007C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2942.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 03803da62639fde28cac19f360caa835
SHA1 7e9b9112078e9b28411f6ffaefd7aa7d868e189b
SHA256 f8085c40e933d3e57eabbe95dbf179f6048d8430a8016153a6ce198ae7a57ac1
SHA512 adda63598c6d97d7fdb7fb2b8b955a87ff67fcce72404f341a8263abd7451edef2872108236c24f3682266c4be32ed5cf2eb696930ad021c1b9c512679fff1e6

memory/2668-217-0x00000000007B0000-0x00000000007C5000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/2668-219-0x00000000007B0000-0x00000000007C5000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 a8aae5125592f68f1223a146182b86d3
SHA1 cff58a494a521bbf62d0e8588bfe5efa37e6707b
SHA256 7c66b32662954598b435f02837397477aaea420a75179b9d14ab86bb483927b6
SHA512 02bb7f2196ebf59604cc757e81b1018bb1e0f3033778ee968b7057043f83ab9d9a317c498c1517ed51d05b6707c6f56cc442eeaf75c84e0575de741d6b7f5530

memory/2668-221-0x00000000007B0000-0x00000000007C5000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 4402a0fc0ec273e2c3bd6a1188700b05
SHA1 2c8ff24692967b5ae6a2b827113336b51bfe59d6
SHA256 18b75f28d4760e6da2dd7a54f388dfa8576e124acee9fa1127b0ad7be52c51b9
SHA512 fc105e88cc8c5a785914a2eb6920e4b648db2332e1984e3f61f396562229e89f6a6200859868419664cc5436750a0014934102e618088ccf7c270c13d60b9abf

memory/2612-245-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C4I18IP7\build2[1].exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

memory/1380-289-0x0000000000335000-0x0000000000364000-memory.dmp

memory/1380-290-0x00000000001B0000-0x0000000000201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarC2CB.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 87c0d2dbc497b2261efa4c8714625582
SHA1 ace0c802220593e615a8d7fb51014e961cab45ab
SHA256 3c687a9adf46d565cd369d86860b6117967955fe34a34b38ebed19685eeeb0df
SHA512 a4c6171b713e75563d204cf607ea998fe2ce99c7159cdae837d037ab7482489350022c163b47c0756273221044b4aa3702662da606696b45a48abbcb9721f025

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 f9274245937cb6c1397f7bfede422cfc
SHA1 9c6660c305591a7d297effbb98d1e150044ce8a2
SHA256 dbb080662dde7c2c99042422940b2a684ec60e8bda36513f9297a8e4d215b63f
SHA512 932e6455d9eb362d5cc55f49fc61ed72529e1e33ee59c0202affd76762a23334c7c6e5bcfd77306a798e2745d8b4f4d574253ff7648a6a131c2781c0ec4d68bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 f9274245937cb6c1397f7bfede422cfc
SHA1 9c6660c305591a7d297effbb98d1e150044ce8a2
SHA256 dbb080662dde7c2c99042422940b2a684ec60e8bda36513f9297a8e4d215b63f
SHA512 932e6455d9eb362d5cc55f49fc61ed72529e1e33ee59c0202affd76762a23334c7c6e5bcfd77306a798e2745d8b4f4d574253ff7648a6a131c2781c0ec4d68bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7aebdbda526266eb5cab7062bae5c595
SHA1 9c56af41a7532b0829c3bd3203ee1e747eef1b5d
SHA256 765028f8a00cddb7475e009fb802b344d72cb3e2148863b5c03e9eb196356981
SHA512 60c9641a7d1b50b0cf11c17e78fab701502aa7617593d9fae25542a7facaa8b9b9c7c247e7121396efe73bdac80c4afd3e26ab7b88e82e4a2021ee2ebffa813a

C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1664-424-0x0000000000962000-0x0000000000973000-memory.dmp

memory/1664-427-0x0000000000220000-0x0000000000224000-memory.dmp

C:\Users\Admin\AppData\Local\3693fa3d-7fe5-4e91-b0d3-9643a8cc240f\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1120-432-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F924.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2612-482-0x0000000074180000-0x000000007486E000-memory.dmp
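
The Files lists in this report repeat the same path-and-hash block once per write event and record one payload under several names: B78C.exe in the first run is byte-identical to E53.exe in the second, F924.exe matches 2E65.exe, and 203A.exe is the binary later copied to 577f58beff\yiueea.exe. The Python below is an added example, not part of this report or of the sandbox's own tooling: it parses a constructed excerpt of the list format (a path line, then MD5/SHA1/SHA256/SHA512 lines, with memory/<pid>-<n>-<start>-<end>-memory.dmp lines in between), checks that each digest has the length its label requires, and groups paths by SHA256 so the aliases fall out. The excerpt copies entries verbatim from both behavioral runs; only the blank separator lines are dropped.

```python
import re
from collections import defaultdict

# Constructed excerpt: six file entries and two memory-dump lines copied verbatim
# from the Files lists of both behavioral runs in this report, blank separator
# lines dropped. The parser and grouping below are this example's own.
FILES_EXCERPT = r"""
memory/2668-129-0x0000000004F50000-0x0000000004F90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F924.exe
MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c
C:\Users\Admin\AppData\Local\fd3f0444-3bdd-4103-93f1-a41b24265592\B78C.exe
MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc
C:\Users\Admin\AppData\Local\Temp\E53.exe
MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc
C:\Users\Admin\AppData\Local\Temp\203A.exe
MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
memory/2612-482-0x0000000074180000-0x000000007486E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2E65.exe
MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RX = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RX = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")


def parse_files_section(text):
    """Return (file_records, dump_records, problems). A path line opens a record,
    the hash lines that follow attach to it, memory/... lines are dump regions."""
    files, dumps, problems, current = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RX.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(idx),
                          "start": int(start, 16), "size": int(end, 16) - int(start, 16)})
            current = None          # a dump line ends the previous file record
            continue
        m = HASH_RX.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                problems.append(f"hash line without a preceding path: {line}")
            elif len(digest) != HASH_LEN[algo]:   # catches truncated copy-and-paste digests
                problems.append(f"{algo} has {len(digest)} hex chars for {current['path']}")
            else:
                current[algo] = digest
            continue
        current = {"path": line}    # anything else is a dropped-file path
        files.append(current)
    return files, dumps, problems


def group_by_sha256(files):
    """SHA256 -> sorted distinct paths written with that content."""
    groups = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            groups[f["SHA256"]].add(f["path"])
    return {h: sorted(p) for h, p in groups.items()}


def aliases(files):
    """SHA256 -> distinct file names, only where one payload carries several names."""
    out = {}
    for h, paths in group_by_sha256(files).items():
        names = sorted({p.replace("\\", "/").rsplit("/", 1)[-1] for p in paths})
        if len(names) > 1:
            out[h] = names
    return out


if __name__ == "__main__":
    files, dumps, problems = parse_files_section(FILES_EXCERPT)
    print(f"{len(files)} file records, {len(dumps)} dump regions, {len(problems)} problems")
    for h, names in aliases(files).items():
        print(h[:16], "->", ", ".join(names))
```

Grouping by hash rather than by name is what turns a few hundred listing lines into three payload identities across this pair of reports; the same step applied to the full list also shows that the build2[1].exe cached under Content.IE5 is the build2.exe written into the GUID folder, so the download and the drop are one object.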

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-18 18:24

Reported

2023-10-18 18:27

Platform

win10v2004-20230915-en

Max time kernel

50s

Max time network

89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
(6 matches recorded, none with a description, indicator, process or target)

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\11BF.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\11BF.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\11BF.exe N/A

Deletes itself

Description Indicator Process Target
(1 match recorded, with no description, indicator, process or target)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16F1.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
(3 matches recorded, none with a description, indicator, process or target)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\11BF.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11BF.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1920 set thread context of 2516 N/A C:\Users\Admin\AppData\Local\Temp\E53.exe C:\Users\Admin\AppData\Local\Temp\E53.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe N/A
(62 further matches recorded, none with a description, indicator, process or target)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3132 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\Temp\E53.exe
PID 3132 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\Temp\E53.exe
PID 3132 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\Temp\E53.exe
PID 3132 wrote to memory of 4792 N/A N/A C:\Users\Admin\AppData\Local\Temp\11BF.exe
PID 3132 wrote to memory of 4792 N/A N/A C:\Users\Admin\AppData\Local\Temp\11BF.exe
PID 3132 wrote to memory of 4792 N/A N/A C:\Users\Admin\AppData\Local\Temp\11BF.exe
PID 3132 wrote to memory of 4884 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3132 wrote to memory of 4884 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1920 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\E53.exe C:\Users\Admin\AppData\Local\Temp\E53.exe
PID 1920 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\E53.exe C:\Users\Admin\AppData\Local\Temp\E53.exe
PID 1920 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\E53.exe C:\Users\Admin\AppData\Local\Temp\E53.exe
PID 1920 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\E53.exe C:\Users\Admin\AppData\Local\Temp\E53.exe
PID 1920 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\E53.exe C:\Users\Admin\AppData\Local\Temp\E53.exe
PID 1920 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\E53.exe C:\Users\Admin\AppData\Local\Temp\E53.exe
PID 1920 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\E53.exe C:\Users\Admin\AppData\Local\Temp\E53.exe
PID 1920 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\E53.exe C:\Users\Admin\AppData\Local\Temp\E53.exe
PID 1920 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\E53.exe C:\Users\Admin\AppData\Local\Temp\E53.exe
PID 1920 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\E53.exe C:\Users\Admin\AppData\Local\Temp\E53.exe
PID 4884 wrote to memory of 3960 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4884 wrote to memory of 3960 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4884 wrote to memory of 3960 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3132 wrote to memory of 452 N/A N/A C:\Users\Admin\AppData\Local\Temp\16F1.exe
PID 3132 wrote to memory of 452 N/A N/A C:\Users\Admin\AppData\Local\Temp\16F1.exe
PID 3132 wrote to memory of 452 N/A N/A C:\Users\Admin\AppData\Local\Temp\16F1.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\E53.exe

C:\Users\Admin\AppData\Local\Temp\E53.exe

C:\Users\Admin\AppData\Local\Temp\11BF.exe

C:\Users\Admin\AppData\Local\Temp\11BF.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\150C.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\150C.dll

C:\Users\Admin\AppData\Local\Temp\16F1.exe

C:\Users\Admin\AppData\Local\Temp\16F1.exe

C:\Users\Admin\AppData\Local\Temp\1869.exe

C:\Users\Admin\AppData\Local\Temp\1869.exe

C:\Users\Admin\AppData\Local\Temp\E53.exe

C:\Users\Admin\AppData\Local\Temp\E53.exe

C:\Users\Admin\AppData\Local\Temp\203A.exe

C:\Users\Admin\AppData\Local\Temp\203A.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\fa11ee8b-bdb2-4e57-b1a5-38b0b52abcf6" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\28B7.exe

C:\Users\Admin\AppData\Local\Temp\28B7.exe

C:\Users\Admin\AppData\Local\Temp\2E65.exe

C:\Users\Admin\AppData\Local\Temp\2E65.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4728 -ip 4728
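
The command lines in the Processes list above are the most reusable detection material in this run: a scheduled task that re-launches yiueea.exe from %LOCALAPPDATA%\Temp every minute, an icacls call that denies Everyone (*S-1-1-0) the delete and delete-child rights, with object and container inheritance, on a GUID-named folder under AppData\Local, CACLS calls with which the dropped binary strips its own user's rights on itself and its folder, and a silent regsvr32 /s registration of a DLL from Temp, alongside the VirtualBox ACPI, BIOS and EnableLUA registry reads from the Signatures section. The Python below is an added example, not part of this report or of any sandbox's tooling: it copies those command lines and registry keys into a constructed event list (the (image, payload) tuple shape is an assumption, not an EDR export format) and runs a small rule set over them. The rule names are this example's own, and the rules key on the command-line shapes, not on the Amadey and Djvu family tags the report assigns.

```python
import re
from collections import defaultdict

# Constructed event set: the command lines and registry keys are copied from this
# report's Processes and Signatures sections; the (image, payload) tuple shape is
# an assumption for the example, not any sandbox's or EDR's export schema.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEAS9b407a1c2e907f13de6f840233ad1d2d181b835459ff028cb3fcc55ca09bc67cexeexeexe_JC.exe"
LOADER = r"C:\Users\Admin\AppData\Local\Temp\11BF.exe"

PROCESS_EVENTS = [
    (SAMPLE, f'"{SAMPLE}"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F'),
    (r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\fa11ee8b-bdb2-4e57-b1a5-38b0b52abcf6" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit'),
    (r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "yiueea.exe" /P "Admin:N"'),
    (r"C:\Windows\system32\regsvr32.exe", r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\150C.dll"),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r"/s C:\Users\Admin\AppData\Local\Temp\150C.dll"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4728 -ip 4728"),  # control
]

REGISTRY_EVENTS = [
    (LOADER, r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (LOADER, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (LOADER, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (LOADER, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (SAMPLE, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"),
]

# Rules are matched against "<image> <command line>" so that a bare "/s x.dll"
# argument string still pairs with the regsvr32 image that ran it.
CMDLINE_RULES = {
    # task fired every minute whose action lives under %LOCALAPPDATA%\Temp
    "schtasks_minute_task_from_temp": re.compile(
        r'(?i)schtasks.*?/create.*?/sc\s+minute\s+/mo\s+1\b.*?/tr\s+"?[^"]*\\AppData\\Local\\Temp\\'),
    # deny Everyone (S-1-1-0) delete/delete-child, inherited, on an AppData\Local folder
    "icacls_deny_everyone_delete": re.compile(
        r'(?i)icacls\s+"[^"]*\\AppData\\Local\\[^"\\]+"\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)'),
    # cacls "<file>" /P "<user>:N": the running user is stripped of all rights on it
    "cacls_self_lock": re.compile(r'(?i)cacls\s+"[^"]+"\s+/P\s+"[^"]+:N"'),
    # silent registration of a DLL dropped under %LOCALAPPDATA%\Temp
    "regsvr32_silent_temp_dll": re.compile(
        r'(?i)regsvr32(?:\.exe)?\s+/s\s+\S*\\AppData\\Local\\Temp\\\S+\.dll'),
}

VM_FINGERPRINT_KEYS = (
    r"\HARDWARE\ACPI\DSDT\VBOX__",                       # VirtualBox ACPI table name
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"\SYSTEM\ControlSet001\Enum\SCSI",                  # device IDs carry the virtual disk vendor
)
UAC_KEY = r"\Policies\System\EnableLUA"


def scan_process_events(events):
    """Rule name -> images whose combined image + command line matched."""
    hits = defaultdict(list)
    for image, cmdline in events:
        text = f"{image} {cmdline}"
        for name, rx in CMDLINE_RULES.items():
            if rx.search(text):
                hits[name].append(image)
    return dict(hits)


def scan_registry_events(events, min_vm_keys=2):
    """Flag a process as anti-VM only once it touches several fingerprint keys;
    single reads of SystemBiosVersion or Enum\\SCSI are common in benign software."""
    touched, uac = defaultdict(set), set()
    for image, key in events:
        k = key.upper()
        if any(k.endswith(f.upper()) for f in VM_FINGERPRINT_KEYS):
            touched[image].add(key)
        if k.endswith(UAC_KEY.upper()):
            uac.add(image)
    anti_vm = {img: sorted(keys) for img, keys in touched.items() if len(keys) >= min_vm_keys}
    return {"anti_vm": anti_vm, "uac_check": sorted(uac)}


if __name__ == "__main__":
    for rule, images in scan_process_events(PROCESS_EVENTS).items():
        print(f"{rule}: {', '.join(images)}")
    print(scan_registry_events(REGISTRY_EVENTS))
```

Against this run the four command-line rules fire on schtasks.exe, icacls.exe, the cmd.exe /k chain plus the standalone cacls.exe, and both regsvr32.exe images, while the WerFault line matches nothing. The registry scorer flags 11BF.exe, which reads three fingerprint keys, and leaves the original sample below the threshold because it only enumerates Enum\SCSI; raising min_vm_keys is the knob to turn if inventory agents on the estate make the two-key threshold noisy.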

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 254.105.26.67.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 57.21.21.104.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
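
Most rows in the Network table above are reverse lookups (x.x.x.x.in-addr.arpa) that the analysis host sends to 8.8.8.8 for every peer it sees; they are sandbox noise, not sample behaviour, and they should not be copied into a blocklist. The Python below is an added example, not part of this report: it parses the 40 rows verbatim, drops the PTR queries, pairs each forward lookup with the TCP connection that followed it, lists the names that were resolved but never contacted, and separates out the connections made with no DNS lookup at all.

```python
import ipaddress

# Constructed input: the 40 rows of this report's behavioral2 Network table,
# copied verbatim (Country Destination Domain Proto). The parsing and filtering
# below are this example's own, not the sandbox's.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 254.105.26.67.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 57.21.21.104.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
"""


def parse_rows(text):
    """One dict per table row; the Destination column is split into ip and port."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            country, dest, domain, proto = line.split()
            ip, port = dest.rsplit(":", 1)
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def is_reverse_lookup(domain):
    return domain.endswith((".in-addr.arpa", ".ip6.arpa"))


def extract_iocs(rows):
    """Forward DNS names in query order, and domain -> sorted ['ip:port'] for every
    non-DNS connection. PTR queries are dropped as analysis-host noise."""
    queried, connections = [], {}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if not is_reverse_lookup(r["domain"]) and r["domain"] not in queried:
                queried.append(r["domain"])
        else:
            connections.setdefault(r["domain"], set()).add(f"{r['ip']}:{r['port']}")
    return queried, {d: sorted(p) for d, p in connections.items()}


def resolved_but_never_contacted(rows):
    """Names the sample resolved but never connected to."""
    queried, connections = extract_iocs(rows)
    return [d for d in queried if d not in connections]


def connections_without_dns(rows):
    """TCP peers whose Domain column is just the IP again: no lookup preceded them."""
    out = set()
    for r in rows:
        if r["proto"] == "tcp":
            try:
                ipaddress.ip_address(r["domain"])
            except ValueError:
                continue
            out.add(f"{r['ip']}:{r['port']}")
    return sorted(out)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    print(extract_iocs(rows))
    print("never contacted:", resolved_but_never_contacted(rows))
    print("no DNS:", connections_without_dns(rows))
```

Run against this table it leaves ten forward lookups and ten connection targets, one name (onualituyrs.org) that was queried but never contacted, and one address, 79.137.192.18:80, that was reached twice with no DNS query and therefore has to be blocked as an IP indicator rather than through a domain list. 34.143.166.163 serves two of the .org names, which is worth recording as a single infrastructure node rather than two separate hits.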

Files

memory/1020-1-0x0000000000770000-0x0000000000870000-memory.dmp

memory/1020-2-0x0000000000750000-0x000000000075B000-memory.dmp

memory/1020-3-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/3132-4-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

memory/1020-5-0x0000000000400000-0x00000000005AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E53.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\11BF.exe

MD5 73c0d14591b9438fd544c80ccee4fef1
SHA1 8eb8e501098dd00627bd7a63e0f01feb861eeac6
SHA256 ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219
SHA512 d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f

memory/4792-22-0x00000000001C0000-0x00000000008FE000-memory.dmp

memory/4792-23-0x00000000757E0000-0x00000000758D0000-memory.dmp

memory/4792-24-0x00000000757E0000-0x00000000758D0000-memory.dmp

memory/4792-25-0x00000000757E0000-0x00000000758D0000-memory.dmp

memory/4792-26-0x00000000757E0000-0x00000000758D0000-memory.dmp

memory/4792-27-0x00000000757E0000-0x00000000758D0000-memory.dmp

memory/4792-31-0x00000000757E0000-0x00000000758D0000-memory.dmp

memory/4792-29-0x00000000757E0000-0x00000000758D0000-memory.dmp

memory/2516-44-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E53.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\16F1.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

memory/2516-45-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\150C.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

C:\Users\Admin\AppData\Local\Temp\1869.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

memory/3960-53-0x0000000010000000-0x00000000101D2000-memory.dmp

memory/2516-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3960-54-0x0000000000FE0000-0x0000000000FE6000-memory.dmp

memory/4792-56-0x00000000001C0000-0x00000000008FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\16F1.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

C:\Users\Admin\AppData\Local\Temp\1869.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

memory/4792-58-0x0000000005930000-0x0000000005ED4000-memory.dmp

memory/4792-59-0x0000000005420000-0x00000000054B2000-memory.dmp

memory/4792-60-0x00000000055C0000-0x000000000565C000-memory.dmp

memory/2516-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1920-37-0x00000000023F0000-0x000000000248C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\150C.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

memory/1920-34-0x00000000025E0000-0x00000000026FB000-memory.dmp

memory/4792-61-0x00000000053F0000-0x00000000053FA000-memory.dmp

memory/4792-33-0x0000000077994000-0x0000000077996000-memory.dmp

memory/4792-28-0x00000000757E0000-0x00000000758D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\203A.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4912-69-0x0000000000A90000-0x0000000000B90000-memory.dmp

memory/4912-71-0x0000000000850000-0x0000000000859000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4912-75-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/4792-86-0x00000000001C0000-0x00000000008FE000-memory.dmp

memory/4792-87-0x00000000757E0000-0x00000000758D0000-memory.dmp

memory/4792-88-0x00000000757E0000-0x00000000758D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\28B7.exe

MD5 1ce0912c72e8d0bfa728e6a229b04330
SHA1 071804aecef07ef6e2a43cacc9dbacf64a8a2232
SHA256 b508ccb2b80bb777fae721ed1d4b515129e2381ec79044c5bc0e0a10a6060273
SHA512 209a84c8aa4ab135d3983151057b1aea732f3700f3c98fc854bc524d219edf7ba5ed0e4ae6dcb0cf92e3444085219a515ab2cc402e5537c16b22387d7648073e

memory/4792-93-0x00000000757E0000-0x00000000758D0000-memory.dmp

memory/4792-95-0x00000000757E0000-0x00000000758D0000-memory.dmp

memory/4792-94-0x00000000757E0000-0x00000000758D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2E65.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

memory/740-101-0x0000000000B60000-0x0000000000BCB000-memory.dmp

memory/4792-102-0x00000000757E0000-0x00000000758D0000-memory.dmp

memory/4792-103-0x00000000757E0000-0x00000000758D0000-memory.dmp

memory/4792-104-0x00000000757E0000-0x00000000758D0000-memory.dmp

memory/740-106-0x0000000000E00000-0x0000000000E80000-memory.dmp

memory/740-107-0x0000000000B60000-0x0000000000BCB000-memory.dmp

memory/3960-105-0x0000000003150000-0x0000000003276000-memory.dmp

memory/1176-112-0x0000000000800000-0x000000000080C000-memory.dmp

memory/1176-123-0x0000000000800000-0x000000000080C000-memory.dmp

memory/1176-113-0x0000000000810000-0x0000000000817000-memory.dmp

memory/2516-111-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3132-131-0x0000000007010000-0x0000000007026000-memory.dmp

memory/4728-135-0x0000000000810000-0x000000000081B000-memory.dmp

memory/4728-137-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/3960-140-0x0000000002D10000-0x0000000002E19000-memory.dmp

memory/4728-143-0x00000000008C0000-0x00000000009C0000-memory.dmp

memory/3960-142-0x0000000002D10000-0x0000000002E19000-memory.dmp

memory/4912-139-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/3960-145-0x0000000002D10000-0x0000000002E19000-memory.dmp

memory/3960-147-0x0000000002D10000-0x0000000002E19000-memory.dmp