smokeloader | d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337

Analysis

max time kernel
1801s
max time network
1811s
platform
windows10_x64
resource
win10v20201028
submitted
20-11-2020 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HYDRA.exe

Score

10^/10

smokeloader backdoor persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2017

http://92.53.105.14/

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 1364 created 2128 1364 svchost.exe starter.exe
PID 1364 created 2128 1364 svchost.exe starter.exe
Executes dropped EXE 10 IoCs

Processes:

yaya.exeva.exeufx.exesant.exepower.exestarter.exeusc.exeusc.exeusc.exeusc.exe

pid process

1492 yaya.exe
1632 va.exe
1960 ufx.exe
2084 sant.exe
2348 power.exe
2128 starter.exe
2256 usc.exe
3208 usc.exe
4000 usc.exe
888 usc.exe
Drops startup file 1 IoCs

Processes:

va.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs va.exe

description	pid	process	target process
PID 1364 created 2128	1364	svchost.exe	starter.exe
PID 1364 created 2128	1364	svchost.exe	starter.exe

pid	process
1492	yaya.exe
1632	va.exe
1960	ufx.exe
2084	sant.exe
2348	power.exe
2128	starter.exe
2256	usc.exe
3208	usc.exe
4000	usc.exe
888	usc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs	va.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Classes = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\drsiwwwu\\artshvwi.exe"	explorer.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

sant.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	sant.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	sant.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exeSCHTASKS.exeSCHTASKS.exeSCHTASKS.exe

pid process

2160 SCHTASKS.exe
2200 SCHTASKS.exe
2284 SCHTASKS.exe
2684 SCHTASKS.exe

pid	process
2160	SCHTASKS.exe
2200	SCHTASKS.exe
2284	SCHTASKS.exe
2684	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sant.exe

pid	process
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe
2084	sant.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

sant.exe

pid process

2084 sant.exe
2084 sant.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

usc.exesvchost.exestarter.exepowershell.exeusc.exeusc.exeusc.exe

description	pid	process
Token: SeDebugPrivilege	2256	usc.exe
Token: SeTcbPrivilege	1364	svchost.exe
Token: SeTcbPrivilege	1364	svchost.exe
Token: SeDebugPrivilege	2128	starter.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	3208	usc.exe
Token: SeDebugPrivilege	4000	usc.exe
Token: SeDebugPrivilege	888	usc.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

HYDRA.exeyaya.exeufx.exeusc.exestarter.execsc.exesvchost.exesant.exepower.exeusc.exeusc.exeusc.exe

description	pid	process	target process
PID 4040 wrote to memory of 1492	4040	HYDRA.exe	yaya.exe
PID 4040 wrote to memory of 1492	4040	HYDRA.exe	yaya.exe
PID 4040 wrote to memory of 1492	4040	HYDRA.exe	yaya.exe
PID 4040 wrote to memory of 1632	4040	HYDRA.exe	va.exe
PID 4040 wrote to memory of 1632	4040	HYDRA.exe	va.exe
PID 4040 wrote to memory of 1632	4040	HYDRA.exe	va.exe
PID 4040 wrote to memory of 1960	4040	HYDRA.exe	ufx.exe
PID 4040 wrote to memory of 1960	4040	HYDRA.exe	ufx.exe
PID 4040 wrote to memory of 1960	4040	HYDRA.exe	ufx.exe
PID 4040 wrote to memory of 2084	4040	HYDRA.exe	sant.exe
PID 4040 wrote to memory of 2084	4040	HYDRA.exe	sant.exe
PID 4040 wrote to memory of 2084	4040	HYDRA.exe	sant.exe
PID 4040 wrote to memory of 2348	4040	HYDRA.exe	power.exe
PID 4040 wrote to memory of 2348	4040	HYDRA.exe	power.exe
PID 4040 wrote to memory of 2348	4040	HYDRA.exe	power.exe
PID 1492 wrote to memory of 2128	1492	yaya.exe	starter.exe
PID 1492 wrote to memory of 2128	1492	yaya.exe	starter.exe
PID 1960 wrote to memory of 2256	1960	ufx.exe	usc.exe
PID 1960 wrote to memory of 2256	1960	ufx.exe	usc.exe
PID 1960 wrote to memory of 2256	1960	ufx.exe	usc.exe
PID 2256 wrote to memory of 2160	2256	usc.exe	SCHTASKS.exe
PID 2256 wrote to memory of 2160	2256	usc.exe	SCHTASKS.exe
PID 2256 wrote to memory of 2160	2256	usc.exe	SCHTASKS.exe
PID 2128 wrote to memory of 2940	2128	starter.exe	csc.exe
PID 2128 wrote to memory of 2940	2128	starter.exe	csc.exe
PID 2940 wrote to memory of 1380	2940	csc.exe	cvtres.exe
PID 2940 wrote to memory of 1380	2940	csc.exe	cvtres.exe
PID 1364 wrote to memory of 2488	1364	svchost.exe	cmd.exe
PID 1364 wrote to memory of 2488	1364	svchost.exe	cmd.exe
PID 1364 wrote to memory of 2484	1364	svchost.exe	cmd.exe
PID 1364 wrote to memory of 2484	1364	svchost.exe	cmd.exe
PID 2084 wrote to memory of 200	2084	sant.exe	explorer.exe
PID 2084 wrote to memory of 200	2084	sant.exe	explorer.exe
PID 2084 wrote to memory of 200	2084	sant.exe	explorer.exe
PID 2348 wrote to memory of 3292	2348	power.exe	powershell.exe
PID 2348 wrote to memory of 3292	2348	power.exe	powershell.exe
PID 2348 wrote to memory of 3292	2348	power.exe	powershell.exe
PID 3208 wrote to memory of 2200	3208	usc.exe	SCHTASKS.exe
PID 3208 wrote to memory of 2200	3208	usc.exe	SCHTASKS.exe
PID 3208 wrote to memory of 2200	3208	usc.exe	SCHTASKS.exe
PID 4000 wrote to memory of 2284	4000	usc.exe	SCHTASKS.exe
PID 4000 wrote to memory of 2284	4000	usc.exe	SCHTASKS.exe
PID 4000 wrote to memory of 2284	4000	usc.exe	SCHTASKS.exe
PID 888 wrote to memory of 2684	888	usc.exe	SCHTASKS.exe
PID 888 wrote to memory of 2684	888	usc.exe	SCHTASKS.exe
PID 888 wrote to memory of 2684	888	usc.exe	SCHTASKS.exe

C:\Users\Admin\AppData\Local\Temp\HYDRA.exe
"C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Users\Admin\AppData\Roaming\yaya.exe
C:\Users\Admin\AppData\Roaming\yaya.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
"C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ztojiw2t.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES771B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC771A.tmp"
5⤵
PID:1380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:2488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:2484

C:\Users\Admin\AppData\Roaming\va.exe
C:\Users\Admin\AppData\Roaming\va.exe
2⤵
- Executes dropped EXE
- Drops startup file
PID:1632

C:\Users\Admin\AppData\Roaming\ufx.exe
C:\Users\Admin\AppData\Roaming\ufx.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960

C:\ProgramData\ucp\usc.exe
"C:\ProgramData\ucp\usc.exe" /ucp/usc.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
4⤵
- Creates scheduled task(s)
PID:2160

C:\Users\Admin\AppData\Roaming\sant.exe
C:\Users\Admin\AppData\Roaming\sant.exe
2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Adds Run key to start application
PID:200

C:\Users\Admin\AppData\Roaming\power.exe
C:\Users\Admin\AppData\Roaming\power.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3292

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\ProgramData\ucp\usc.exe
C:\ProgramData\ucp\usc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
2⤵
- Creates scheduled task(s)
PID:2200

C:\ProgramData\ucp\usc.exe
C:\ProgramData\ucp\usc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
2⤵
- Creates scheduled task(s)
PID:2284

C:\ProgramData\ucp\usc.exe
C:\ProgramData\ucp\usc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
2⤵
- Creates scheduled task(s)
PID:2684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ucp\usc.exe
MD5
b100b373d645bf59b0487dbbda6c426d

SHA1
44a4ad2913f5f35408b8c16459dcce3f101bdcc7

SHA256
84d7fd0a93d963e9808212917f79fe2d485bb7fbc94ee374a141bbd15da725b7

SHA512
69483fed79f33da065b1cc65a2576ba268c78990545070f6f76fca8f48aaec8274faecdc9bcf92bf84a87809a318b159d1a3c835f848a6eea6c163f41612bf9b

Download Submit
C:\ProgramData\ucp\usc.exe
MD5
b100b373d645bf59b0487dbbda6c426d

SHA1
44a4ad2913f5f35408b8c16459dcce3f101bdcc7

SHA256
84d7fd0a93d963e9808212917f79fe2d485bb7fbc94ee374a141bbd15da725b7

SHA512
69483fed79f33da065b1cc65a2576ba268c78990545070f6f76fca8f48aaec8274faecdc9bcf92bf84a87809a318b159d1a3c835f848a6eea6c163f41612bf9b

Download Submit
C:\ProgramData\ucp\usc.exe
MD5
b100b373d645bf59b0487dbbda6c426d

SHA1
44a4ad2913f5f35408b8c16459dcce3f101bdcc7

SHA256
84d7fd0a93d963e9808212917f79fe2d485bb7fbc94ee374a141bbd15da725b7

SHA512
69483fed79f33da065b1cc65a2576ba268c78990545070f6f76fca8f48aaec8274faecdc9bcf92bf84a87809a318b159d1a3c835f848a6eea6c163f41612bf9b

Download Submit
C:\ProgramData\ucp\usc.exe
MD5
b100b373d645bf59b0487dbbda6c426d

SHA1
44a4ad2913f5f35408b8c16459dcce3f101bdcc7

SHA256
84d7fd0a93d963e9808212917f79fe2d485bb7fbc94ee374a141bbd15da725b7

SHA512
69483fed79f33da065b1cc65a2576ba268c78990545070f6f76fca8f48aaec8274faecdc9bcf92bf84a87809a318b159d1a3c835f848a6eea6c163f41612bf9b

Download Submit
C:\ProgramData\ucp\usc.exe
MD5
b100b373d645bf59b0487dbbda6c426d

SHA1
44a4ad2913f5f35408b8c16459dcce3f101bdcc7

SHA256
84d7fd0a93d963e9808212917f79fe2d485bb7fbc94ee374a141bbd15da725b7

SHA512
69483fed79f33da065b1cc65a2576ba268c78990545070f6f76fca8f48aaec8274faecdc9bcf92bf84a87809a318b159d1a3c835f848a6eea6c163f41612bf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES771B.tmp
MD5
fbd0189905634b8c1bf12b68471bfef6

SHA1
c8a5d15567d2d0b29db53e0f39adb9191d798d43

SHA256
2b8b4a944c93ddcd09a5fade24f169ebd8dde32076553fc106c328f35508bcb3

SHA512
7ba7ec356acdecef03e3475b9061d17a07091bb0ae1202d350b191e3f20883bc22c2546e7d2c4be70092657876ffaed68282555b3e5cda57a91630f99ec243c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztojiw2t.dll
MD5
107937d612b6dcc917c63c6d09aa0255

SHA1
becc883758f0aaff9c81ea1d7e414c79be18a8c7

SHA256
9a2c9f7b5de5aec4536d030a2a8bf012232b382ec1f1c4e78801fccf8bfd6b73

SHA512
10bf96f59e2a3f041233524ea9f42ce93e5ba0e62f9882ff18015d7ef94e78f4fa40e6c799acc3261f40edcc3c9659d90e572d5b0f2faf59eb5a86639b667369

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztojiw2t.pdb
MD5
d2f250048950022679bbac5eae976d7b

SHA1
badd6d13d9fb520e1abdaf75cd73920cb860d7ea

SHA256
1f17a4f3583590eed80b7a63e0183bd9fb923f6f3ed7ac56251e2479f1fbd5e4

SHA512
5b919d602e4adb6422d054f57de9d378cfaf32157cc08886bd62f71dc5c08bfce0ed8b0a7c27efb4cde0ba6a406ead40b8df33a031ba9fe52ef9b076e492a0d2

Download Submit
C:\Users\Admin\AppData\Roaming\power.exe
MD5
743f47ae7d09fce22d0a7c724461f7e3

SHA1
8e98dd1efb70749af72c57344aab409fb927394e

SHA256
1bee45423044b5a6bf0ad0dd2870117824b000784ce81c5f8a1b930bb8bc0465

SHA512
567993c3b798365efa07b7a46fda98494bfe540647f27654764e78b7f60f093d403b77b9abb889cfb09b44f13515ce3c041fc5db05882418313c3b3409dd77bf

Download Submit
C:\Users\Admin\AppData\Roaming\power.exe
MD5
743f47ae7d09fce22d0a7c724461f7e3

SHA1
8e98dd1efb70749af72c57344aab409fb927394e

SHA256
1bee45423044b5a6bf0ad0dd2870117824b000784ce81c5f8a1b930bb8bc0465

SHA512
567993c3b798365efa07b7a46fda98494bfe540647f27654764e78b7f60f093d403b77b9abb889cfb09b44f13515ce3c041fc5db05882418313c3b3409dd77bf

Download Submit
C:\Users\Admin\AppData\Roaming\sant.exe
MD5
5effca91c3f1e9c87d364460097f8048

SHA1
28387c043ab6857aaa51865346046cf5dc4c7b49

SHA256
3fd826fc0c032721466b94ab3ec7dcfe006cc284e16132af6b91dfbc064b0907

SHA512
b0dba30fde295d3f7858db9d1463239b30cd84921971032b2afb96f811a53ac12c1e6f72013d2eff397b0b89c371e7c023c951cd2102f94157cba9918cd2c3e0

Download Submit
C:\Users\Admin\AppData\Roaming\sant.exe
MD5
5effca91c3f1e9c87d364460097f8048

SHA1
28387c043ab6857aaa51865346046cf5dc4c7b49

SHA256
3fd826fc0c032721466b94ab3ec7dcfe006cc284e16132af6b91dfbc064b0907

SHA512
b0dba30fde295d3f7858db9d1463239b30cd84921971032b2afb96f811a53ac12c1e6f72013d2eff397b0b89c371e7c023c951cd2102f94157cba9918cd2c3e0

Download Submit
C:\Users\Admin\AppData\Roaming\ufx.exe
MD5
22e088012519e1013c39a3828bda7498

SHA1
3a8a87cce3f6aff415ee39cf21738663c0610016

SHA256
9e3826138bacac89845c26278f52854117db1652174c1c76dbb2bd24f00f4973

SHA512
5559e279dd3d72b2c9062d88e99212bbc67639fe5a42076efd24ae890cfce72cfe2235adb20bf5ed1f547b6da9e69effa4ccb80c0407b7524f134a24603ea5a8

Download Submit
C:\Users\Admin\AppData\Roaming\ufx.exe
MD5
22e088012519e1013c39a3828bda7498

SHA1
3a8a87cce3f6aff415ee39cf21738663c0610016

SHA256
9e3826138bacac89845c26278f52854117db1652174c1c76dbb2bd24f00f4973

SHA512
5559e279dd3d72b2c9062d88e99212bbc67639fe5a42076efd24ae890cfce72cfe2235adb20bf5ed1f547b6da9e69effa4ccb80c0407b7524f134a24603ea5a8

Download Submit
C:\Users\Admin\AppData\Roaming\va.exe
MD5
c084e736931c9e6656362b0ba971a628

SHA1
ef83b95fc645ad3a161a19ccef3224c72e5472bd

SHA256
3139bf3c4b958c3a019af512aecdb8161b9d6d7432d2c404abda3f42b63f34f1

SHA512
cbd6485840a117b52e24586da536cefa94ca087b41eb460d27bc2bd320217957c9e0e96b0daf74343efde2e23a5242e7a99075aabf5f9e18e03b52eb7151ae1f

Download Submit
C:\Users\Admin\AppData\Roaming\va.exe
MD5
c084e736931c9e6656362b0ba971a628

SHA1
ef83b95fc645ad3a161a19ccef3224c72e5472bd

SHA256
3139bf3c4b958c3a019af512aecdb8161b9d6d7432d2c404abda3f42b63f34f1

SHA512
cbd6485840a117b52e24586da536cefa94ca087b41eb460d27bc2bd320217957c9e0e96b0daf74343efde2e23a5242e7a99075aabf5f9e18e03b52eb7151ae1f

Download Submit
C:\Users\Admin\AppData\Roaming\yaya.exe
MD5
7d05ab95cfe93d84bc5db006c789a47f

SHA1
aa4aa0189140670c618348f1baad877b8eca04a4

SHA256
5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f

SHA512
40d1461e68994df56f19d9f7b2d96ffdc5300ca933e10dc53f7953471df8dea3aabeb178c3432c6819175475cadcbdb698384e3df57b3606c6fce3173a31fe84

Download Submit
C:\Users\Admin\AppData\Roaming\yaya.exe
MD5
7d05ab95cfe93d84bc5db006c789a47f

SHA1
aa4aa0189140670c618348f1baad877b8eca04a4

SHA256
5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f

SHA512
40d1461e68994df56f19d9f7b2d96ffdc5300ca933e10dc53f7953471df8dea3aabeb178c3432c6819175475cadcbdb698384e3df57b3606c6fce3173a31fe84

Download Submit
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
MD5
51bf85f3bf56e628b52d61614192359d

SHA1
c1bc90be6a4beb67fb7b195707798106114ec332

SHA256
990dffdc0694858514d6d7ff7fff5dc9f48fab3aa35a4d9301d94fc57e346446

SHA512
131173f3aabcfba484e972424c54201ec4b1facfb2df1efe08df0d43a816d4df03908b006884564c56a6245badd4f9ed442a295f1db2c0c970a8f80985d35474

Download Submit
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
MD5
51bf85f3bf56e628b52d61614192359d

SHA1
c1bc90be6a4beb67fb7b195707798106114ec332

SHA256
990dffdc0694858514d6d7ff7fff5dc9f48fab3aa35a4d9301d94fc57e346446

SHA512
131173f3aabcfba484e972424c54201ec4b1facfb2df1efe08df0d43a816d4df03908b006884564c56a6245badd4f9ed442a295f1db2c0c970a8f80985d35474

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC771A.tmp
MD5
fb28ba1d48f27d26141b61f802c769b5

SHA1
5f2bfd13937191e91ce441587f675f4f019ccc28

SHA256
bf2c3cc3c7fa3c4aec33aadee097a831248d8c7c9247d5f278e6787b955a8a03

SHA512
d0a84a8f1078e446c3cdb4d82a38dcb4bb3653f0100faec0dc6b9f11ae4587e690c987d9cdd2e9d3579bcca42707ba9bad34eb4a06f42e9bc07a4af824db42eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ztojiw2t.0.cs
MD5
a0d1b6f34f315b4d81d384b8ebcdeaa5

SHA1
794c1ff4f2a28e0c631a783846ecfffdd4c7ae09

SHA256
0b3a3f8f11eb6f50fe67943f2b73c5824614f31c2e0352cc234927d7cb1a52e0

SHA512
0a89293d731c5bca05e73148f85a740b324fc877f2fb05cde1f68e2098329fbca552d78249a46f4a1da15a450c8e754c73be20c652f7089d5cfec445ce950a0e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ztojiw2t.cmdline
MD5
10e1aea96366e7c7e65aeab02653b31a

SHA1
669a0d2fee770c8f046c2d5700ee34aec29a21ae

SHA256
389d7cabd9578f5bb2892088284c84ac3c4c2d8a5ff7bbf53c4889ac98bfd866

SHA512
ce0a8c8ccd82ea800587b39c845b2bee9fef9ac839f45c4b09b519755280d100801db6261e0be1bc8165e36d99f27da80bfb43c4c7801fd7726675d5304fb70e

Download Submit
memory/200-31-0x0000000000000000-mapping.dmp

Download
memory/200-33-0x0000000001380000-0x00000000017BF000-memory.dmp

Filesize
4.2MB

Download
memory/200-32-0x0000000001380000-0x00000000017BF000-memory.dmp

Filesize
4.2MB

Download
memory/1380-26-0x0000000000000000-mapping.dmp

Download
memory/1492-0-0x0000000000000000-mapping.dmp

Download
memory/1632-1-0x0000000000000000-mapping.dmp

Download
memory/1960-6-0x0000000000000000-mapping.dmp

Download
memory/2084-7-0x0000000000000000-mapping.dmp

Download
memory/2128-15-0x0000000000000000-mapping.dmp

Download
memory/2128-18-0x00007FFFF3A30000-0x00007FFFF43D0000-memory.dmp

Filesize
9.6MB

Download
memory/2160-22-0x0000000000000000-mapping.dmp

Download
memory/2200-47-0x0000000000000000-mapping.dmp

Download
memory/2256-19-0x0000000000000000-mapping.dmp

Download
memory/2284-49-0x0000000000000000-mapping.dmp

Download
memory/2348-11-0x0000000000000000-mapping.dmp

Download
memory/2684-51-0x0000000000000000-mapping.dmp

Download
memory/2940-23-0x0000000000000000-mapping.dmp

Download
memory/3292-36-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/3292-41-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/3292-42-0x0000000008310000-0x0000000008311000-memory.dmp

Filesize
4KB

Download
memory/3292-43-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/3292-44-0x0000000009260000-0x0000000009261000-memory.dmp

Filesize
4KB

Download
memory/3292-45-0x0000000009420000-0x0000000009421000-memory.dmp

Filesize
4KB

Download
memory/3292-40-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/3292-39-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/3292-38-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/3292-37-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/3292-35-0x0000000071570000-0x0000000071C5E000-memory.dmp

Filesize
6.9MB

Download
memory/3292-34-0x0000000000000000-mapping.dmp

Download