Analysis Overview
SHA256
129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a
Threat Level: Known bad
The file 129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
DcRat
Vidar
Detect Vidar Stealer
Djvu Ransomware
Detected Djvu ransomware
Lumma Stealer
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Deletes itself
Modifies file permissions
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-14 02:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-14 02:04
Reported
2024-03-14 02:06
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Lumma Stealer
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1DE4.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1DE4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1DE4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1DE4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1DE4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D6F.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0b2fa40c-a3db-4381-b999-934772bdf8a0\\1DE4.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\1DE4.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1388 set thread context of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\1DE4.exe | C:\Users\Admin\AppData\Local\Temp\1DE4.exe |
| PID 4536 set thread context of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\1DE4.exe | C:\Users\Admin\AppData\Local\Temp\1DE4.exe |
| PID 2320 set thread context of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\5D6F.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1DE4.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5D6F.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe
"C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\94BE.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\1DE4.exe
C:\Users\Admin\AppData\Local\Temp\1DE4.exe
C:\Users\Admin\AppData\Local\Temp\1DE4.exe
C:\Users\Admin\AppData\Local\Temp\1DE4.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0b2fa40c-a3db-4381-b999-934772bdf8a0" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\1DE4.exe
"C:\Users\Admin\AppData\Local\Temp\1DE4.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\1DE4.exe
"C:\Users\Admin\AppData\Local\Temp\1DE4.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4600 -ip 4600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 568
C:\Users\Admin\AppData\Local\Temp\5D6F.exe
C:\Users\Admin\AppData\Local\Temp\5D6F.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4668 -ip 4668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4668 -ip 4668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1240
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 149.150.94.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| UY | 179.25.120.12:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | 12.120.25.179.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.134.221.88.in-addr.arpa | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| US | 8.8.8.8:53 | 166.138.96.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | theonlyreasonwhywe.pro | udp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 172.67.218.191:443 | theonlyreasonwhywe.pro | tcp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wisemassiveharmonious.shop | udp |
| US | 104.21.80.130:443 | wisemassiveharmonious.shop | tcp |
| US | 8.8.8.8:53 | 191.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/4012-1-0x0000000000770000-0x0000000000870000-memory.dmp
memory/4012-2-0x00000000008E0000-0x00000000008EB000-memory.dmp
memory/4012-3-0x0000000000400000-0x000000000071E000-memory.dmp
memory/3540-4-0x0000000003500000-0x0000000003516000-memory.dmp
memory/4012-5-0x0000000000400000-0x000000000071E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\94BE.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\1DE4.exe
| MD5 | 8d76e42cbd333b2d7c3946ea1351ac7a |
| SHA1 | 800bd806ade43fb2d4f5c81a7929f3e8eeab7019 |
| SHA256 | 5e1e31f5dec4546c01331bc1705d7c7509c060b00b49d88f444b336992377498 |
| SHA512 | c7bea376a671118dcc28b3e954f6484346ff8b87172b14d6fc77d772b88d32a826ff39c36426ef02d90f86cd96f6995ad2b7e344fed7ebb1d437637bb59fcb7b |
memory/1388-20-0x0000000002260000-0x00000000022F8000-memory.dmp
memory/1388-21-0x0000000002440000-0x000000000255B000-memory.dmp
memory/5036-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5036-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5036-25-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5036-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5036-38-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4536-41-0x0000000002260000-0x00000000022F8000-memory.dmp
memory/4600-44-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4600-45-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4600-47-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5D6F.exe
| MD5 | b0500750ede1bc70901508bacc7ab0b8 |
| SHA1 | c6efe4c7b811e6c3eed32f2f70ae7a6ac847c2e8 |
| SHA256 | 04ee06f5a05400d75674fae38ed7d2938468d096cee29f2c896aa8c610fbe5bc |
| SHA512 | f09f5031d10fd2c65ec1d8937035902c2273f3f3f36e386142406ae0079fe6c7fbd68e7ea9c8001dedc119ef4d321ad37ff61069f8242806114e352a815c1be5 |
memory/2320-55-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2320-56-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/2320-57-0x0000000004D00000-0x0000000004D10000-memory.dmp
memory/4668-60-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4668-63-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2320-65-0x0000000074930000-0x00000000750E0000-memory.dmp
memory/2320-66-0x00000000027C0000-0x00000000047C0000-memory.dmp
memory/4668-67-0x00000000007E0000-0x00000000007E1000-memory.dmp
memory/4668-68-0x0000000000400000-0x000000000044B000-memory.dmp
memory/4668-69-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2320-70-0x00000000027C0000-0x00000000047C0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 02:04
Reported
2024-03-14 02:06
Platform
win7-20240221-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\58d3f659-4209-4d43-b03e-937d07d797c6\\FF27.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
SmokeLoader
Vidar
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\58d3f659-4209-4d43-b03e-937d07d797c6\\FF27.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\FF27.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2076 set thread context of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | C:\Users\Admin\AppData\Local\Temp\FF27.exe |
| PID 1028 set thread context of 1064 | N/A | C:\Users\Admin\AppData\Local\Temp\FF27.exe | C:\Users\Admin\AppData\Local\Temp\FF27.exe |
| PID 1648 set thread context of 1688 | N/A | C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe | C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe |
| PID 1804 set thread context of 2980 | N/A | C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe | C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe |
| PID 2476 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe
"C:\Users\Admin\AppData\Local\Temp\129d4c8ad578c860011f4a4a66a650d502791ec3b7ad73214aae81a6ba3af32a.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\626B.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\FF27.exe
C:\Users\Admin\AppData\Local\Temp\FF27.exe
C:\Users\Admin\AppData\Local\Temp\FF27.exe
C:\Users\Admin\AppData\Local\Temp\FF27.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\58d3f659-4209-4d43-b03e-937d07d797c6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\FF27.exe
"C:\Users\Admin\AppData\Local\Temp\FF27.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\FF27.exe
"C:\Users\Admin\AppData\Local\Temp\FF27.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe
"C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe"
C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe
"C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe"
C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe
"C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe"
C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe
"C:\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1428
C:\Windows\system32\taskeng.exe
taskeng.exe {EB08BD67-330F-4817-A539-448B7E9221C2} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| KR | 211.40.39.251:80 | sdfjhuz.com | tcp |
| RU | 81.94.150.149:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| KR | 211.40.39.251:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| KR | 211.171.233.126:80 | sajdfue.com | tcp |
| KR | 211.171.233.126:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| DE | 5.75.221.28:80 | 5.75.221.28 | tcp |
| US | 8.8.8.8:53 | sportessentia.home.pl | udp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| PL | 79.96.138.166:443 | sportessentia.home.pl | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
Files
memory/2976-1-0x00000000007A0000-0x00000000008A0000-memory.dmp
memory/2976-2-0x0000000000400000-0x000000000071E000-memory.dmp
memory/2976-3-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2976-5-0x0000000000400000-0x000000000071E000-memory.dmp
memory/1212-4-0x0000000002D50000-0x0000000002D66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\626B.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\FF27.exe
| MD5 | 8d76e42cbd333b2d7c3946ea1351ac7a |
| SHA1 | 800bd806ade43fb2d4f5c81a7929f3e8eeab7019 |
| SHA256 | 5e1e31f5dec4546c01331bc1705d7c7509c060b00b49d88f444b336992377498 |
| SHA512 | c7bea376a671118dcc28b3e954f6484346ff8b87172b14d6fc77d772b88d32a826ff39c36426ef02d90f86cd96f6995ad2b7e344fed7ebb1d437637bb59fcb7b |
memory/2076-26-0x0000000000310000-0x00000000003A2000-memory.dmp
memory/2076-29-0x0000000000310000-0x00000000003A2000-memory.dmp
memory/2076-31-0x0000000000980000-0x0000000000A9B000-memory.dmp
memory/2816-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2816-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2816-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2816-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1028-61-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2816-60-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1028-63-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/1064-70-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1064-71-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 0315238832eb279403d147dba70d8336 |
| SHA1 | 125903cbaeaaf390766cc49aa306e78d705e8770 |
| SHA256 | 598a8c43829ff19aed00eaa31dabe94f26f99f1bf31fef855c1a001aad935c9d |
| SHA512 | d1e8729eca8dbc5da55b6117803f45d7d7d813d2ebb79a22ef4099a27c196d1ca6faf857ef1bce129034da584832384e3046e99c161117c603cef5d73c44981e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 2ff14fb732157b20816afe0e355cc84a |
| SHA1 | a711e7eb1a3738b3303cab8789d4a2aca26b4243 |
| SHA256 | 867370548e14283f78abcac4220f565ccd77dde9230844881ddb21274df4eb92 |
| SHA512 | 397e43d4978431f15287f913f34ca463a93fa00b137123dc8a8ba12cb170afa818ceef93433986ea78231bbc8320eacc5f9d1ce50dcbafc696d8d600abb7ab80 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 4e8069d02df54b5ec94ae3d865d9548a |
| SHA1 | 58e213c62600595e3420533dcd1701237687cc20 |
| SHA256 | bc9c0d5517617bb7705c5b48dd95e842d9ee0b4bf2f286e8e996f2299a526c75 |
| SHA512 | 9c05ed9a818dfb2e401100b80613b5dbe0faecf156735e95dbc3b31131b44363eb49204425abfb10d5f58fded7a5013456d15f9decf28e8954cdb80ed39c4741 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 892d3ea376f88d0dcae328f05a1701af |
| SHA1 | cd36e01aa8225e4e7071640e803168751c33696f |
| SHA256 | 08caf83d9b86cdfb5488ff294efd0bf27b5b396517a8d55baa6361420243afca |
| SHA512 | a141cc5639a541f88968d599f645907f7ad5b96149c1b58a0dda06272332d3eaacc65ab3c22a8c989bfc110698f48e762f3b25e10b6f70b735947424b04c9f8f |
C:\Users\Admin\AppData\Local\Temp\Cab122A.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/1064-86-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1064-87-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1064-91-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1064-93-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1064-94-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1064-95-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe
| MD5 | 47704f454af8641dac1af2e2768d7881 |
| SHA1 | e3341bfdec84f69684aecde18cab2864519c7728 |
| SHA256 | a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64 |
| SHA512 | 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25 |
memory/1648-110-0x0000000000300000-0x0000000000400000-memory.dmp
memory/1688-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1648-111-0x00000000001C0000-0x00000000001F1000-memory.dmp
memory/1688-113-0x0000000000400000-0x0000000000644000-memory.dmp
memory/1688-116-0x0000000000400000-0x0000000000644000-memory.dmp
memory/1688-117-0x0000000000400000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar38DD.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar3E7E.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1064-180-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1804-186-0x0000000000920000-0x0000000000A20000-memory.dmp
memory/1804-187-0x0000000000230000-0x0000000000234000-memory.dmp
memory/2980-189-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2980-185-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2980-192-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2980-194-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1688-201-0x0000000000400000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | a753a293678be299ae1c0e41d6d25178 |
| SHA1 | 9091ac7e453d9f8a48248b69d559dabb5fc3e18c |
| SHA256 | 2a3c5f4ad131e02c97911392e45d146e45aaea34ecd2245ca516b5398e62746b |
| SHA512 | f711f29ccac436f83c6296fce4e38754177ed0bed1cb57ee67412e90b758dc93bd72428e2bcfec7d66ef05fad5d5105bb128d2c6bf4f276571d5af7ef381dc13 |
memory/2476-212-0x0000000000972000-0x0000000000982000-memory.dmp
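The listing above mixes three kinds of artifact: memory regions dumped per PID, files written by Windows CryptoAPI while the sample touched the certificate store (the CryptnetUrlCache MetaData/Content pairs and the Cab*.tmp/Tar*.tmp extraction files in Temp), and the actual payload drops (build2.exe, build3.exe, mstsca.exe). The script below is an added example, not part of the sandbox report: it parses such a listing into hunt-ready IOCs, rejects malformed digests, separates CryptoAPI noise from payloads by path (a heuristic; the path patterns are my assumption), and flags address ranges dumped from more than one PID, which taken together with the SetThreadContext / UnmapMainImage / WriteProcessMemory signatures earlier on the page is the pattern you would expect from a payload written into a hollowed child. The embedded input is a subset of the lines above; the function names are mine.

```python
"""Turn a sandbox artifact listing (dropped files with hash rows plus
memory-dump names) into hunt-ready IOCs. Added example; not part of the
sandbox report."""
import re
from collections import defaultdict

# Constructed input: a handful of lines copied from the listing above,
# enough to exercise every branch of the parser.
SAMPLE = r"""
memory/2816-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1064-70-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1688-113-0x0000000000400000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
C:\Users\Admin\AppData\Local\Temp\Tar38DD.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
\Users\Admin\AppData\Local\5e3b3c5c-da83-4e40-bbaf-6f101c1d5ad7\build2.exe
| MD5 | 47704f454af8641dac1af2e2768d7881 |
| SHA256 | a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | a753a293678be299ae1c0e41d6d25178 |
| SHA256 | 2a3c5f4ad131e02c97911392e45d146e45aaea34ecd2245ca516b5398e62746b |
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_artifacts(text):
    """Return (files, regions). files: list of {"path", "md5", "sha1", ...};
    regions: list of (pid, seq, start, end). Hash rows attach to the most
    recent path line; a digest of the wrong length raises instead of
    silently becoming an IOC nobody can match on."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or len(digest) != HEX_LEN[algo]:
                raise ValueError(f"bad {algo} row: {line}")
            current[algo.lower()] = digest
            continue
        current = {"path": line}          # anything else starts a new file entry
        files.append(current)
    return files, regions


def classify(path):
    """Heuristic triage class. Assumption: these path patterns are the Windows
    CryptoAPI URL cache and its Temp extraction files, which show up whenever
    a process drives certificate-chain/CTL fetching; everything else is
    treated as a payload drop."""
    p = path.lower()
    if "\\cryptneturlcache\\" in p:
        return "cryptoapi-cache"
    if re.search(r"\\temp\\(cab|tar)[0-9a-f]{4}\.tmp$", p):
        return "cryptoapi-temp"
    return "dropped-payload"


def hunt_iocs(files):
    """SHA256 -> path for artifacts worth hunting on their own hash. Cache and
    temp files are excluded: their content is whatever the fetch returned,
    not a sample-specific indicator."""
    return {f["sha256"]: f["path"] for f in files
            if "sha256" in f and classify(f["path"]) == "dropped-payload"}


def shared_regions(regions):
    """Address ranges dumped from more than one PID. The same image-sized
    range at the classic 0x400000 base appearing in several processes is a
    hint (only a hint; diff the dumps to confirm) that one payload was
    written into a hollowed child."""
    by_range = defaultdict(set)
    for pid, _seq, start, end in regions:
        by_range[(start, end)].add(pid)
    return {rng: pids for rng, pids in by_range.items() if len(pids) > 1}


if __name__ == "__main__":
    files, regions = parse_artifacts(SAMPLE)
    for f in files:
        print(f"{classify(f['path']):16} {f.get('sha256', '-')[:16]}  {f['path']}")
    for (start, end), pids in shared_regions(regions).items():
        print(f"shared region 0x{start:x}-0x{end:x} in PIDs {sorted(pids)}")
```

Run against the full listing by replacing SAMPLE with the page text; the parser is tolerant of the drive-less `\Users\...` paths the report uses for the build2.exe/build3.exe drops, and the length check catches the truncated or wrapped digests that copy-paste from a report page commonly produces.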