Malware Analysis Report

2025-04-14 07:31

Sample ID 230912-pav93seg95
Target file.exe
SHA256 3803fa85dc6f728944139ae1ec89a5e4a6e01843e8e4f00aa18f6dff49d45193
Tags
amadey djvu redline smokeloader logsdiller cloud (tg: @logsdillabot) smokiez_build backdoor discovery infostealer ransomware trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Detected Djvu ransomware

Djvu Ransomware

SmokeLoader

Amadey

RedLine

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Loads dropped DLL

Deletes itself

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2023-09-12 12:08

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-12 12:08

Reported

2023-09-12 12:10

Platform

win7-20230831-en

Max time kernel

51s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 2724 N/A N/A C:\Users\Admin\AppData\Local\Temp\9157.exe
PID 1216 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\Temp\92DE.exe
PID 1216 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\Temp\94B3.exe
PID 1216 wrote to memory of 1496 N/A N/A C:\Users\Admin\AppData\Local\Temp\9772.exe
PID 2824 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\94B3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1216 wrote to memory of 3060 N/A N/A C:\Users\Admin\AppData\Local\Temp\9DAA.exe
PID 2724 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\9157.exe C:\Users\Admin\AppData\Local\Temp\9157.exe
PID 1496 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\9772.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3060 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\9DAA.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1216 wrote to memory of 2604 N/A N/A C:\Windows\system32\regsvr32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\9157.exe

C:\Users\Admin\AppData\Local\Temp\9157.exe

C:\Users\Admin\AppData\Local\Temp\92DE.exe

C:\Users\Admin\AppData\Local\Temp\92DE.exe

C:\Users\Admin\AppData\Local\Temp\94B3.exe

C:\Users\Admin\AppData\Local\Temp\94B3.exe

C:\Users\Admin\AppData\Local\Temp\9772.exe

C:\Users\Admin\AppData\Local\Temp\9772.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\9DAA.exe

C:\Users\Admin\AppData\Local\Temp\9DAA.exe

C:\Users\Admin\AppData\Local\Temp\9157.exe

C:\Users\Admin\AppData\Local\Temp\9157.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A9BC.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\A9BC.dll

C:\Users\Admin\AppData\Local\Temp\B561.exe

C:\Users\Admin\AppData\Local\Temp\B561.exe

C:\Users\Admin\AppData\Local\Temp\B561.exe

C:\Users\Admin\AppData\Local\Temp\B561.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C153.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\C153.dll

C:\Users\Admin\AppData\Local\Temp\C625.exe

C:\Users\Admin\AppData\Local\Temp\C625.exe

C:\Users\Admin\AppData\Local\Temp\C625.exe

C:\Users\Admin\AppData\Local\Temp\C625.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D320.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\D320.dll

C:\Users\Admin\AppData\Local\Temp\DD01.exe

C:\Users\Admin\AppData\Local\Temp\DD01.exe

C:\Users\Admin\AppData\Local\Temp\DD01.exe

C:\Users\Admin\AppData\Local\Temp\DD01.exe

C:\Users\Admin\AppData\Local\Temp\F5FE.exe

C:\Users\Admin\AppData\Local\Temp\F5FE.exe

C:\Users\Admin\AppData\Local\Temp\931.exe

C:\Users\Admin\AppData\Local\Temp\931.exe

C:\Users\Admin\AppData\Local\Temp\1C16.exe

C:\Users\Admin\AppData\Local\Temp\1C16.exe

C:\Users\Admin\AppData\Local\Temp\931.exe

C:\Users\Admin\AppData\Local\Temp\931.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Users\Admin\AppData\Local\Temp\3033.exe

C:\Users\Admin\AppData\Local\Temp\3033.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\5476.exe

C:\Users\Admin\AppData\Local\Temp\5476.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7DF7.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\7DF7.dll

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\03b5bff1-87a8-4cd6-a066-c2687bb36709" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\AAE1.exe

C:\Users\Admin\AppData\Local\Temp\AAE1.exe

C:\Users\Admin\AppData\Local\Temp\9157.exe

"C:\Users\Admin\AppData\Local\Temp\9157.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\D7EA.exe

C:\Users\Admin\AppData\Local\Temp\D7EA.exe

C:\Users\Admin\AppData\Local\Temp\931.exe

"C:\Users\Admin\AppData\Local\Temp\931.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\taskeng.exe

taskeng.exe {97D43D7B-750C-48C8-8312-CE3525E2AA15} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\439.exe

C:\Users\Admin\AppData\Local\Temp\439.exe

C:\Users\Admin\AppData\Local\Temp\C625.exe

"C:\Users\Admin\AppData\Local\Temp\C625.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\C625.exe

"C:\Users\Admin\AppData\Local\Temp\C625.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\AAE1.exe

C:\Users\Admin\AppData\Local\Temp\AAE1.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\wtrvjet

C:\Users\Admin\AppData\Roaming\wtrvjet

Network

Files

\Users\Admin\AppData\Local\Temp\1C16.exe

MD5 255fa20c15103e44fac8c72d6afa0f69
SHA1 74694950c2cf48004c7fc52e630a7ea66e1411fb
SHA256 107c64f0a5aed7d6111d8e8993735f42abc2511359c29494d52683a5a18a9239
SHA512 f0f7b767906753f0d9e58e0a10b9360b39297508d98ebaaece719c681e14b5c679d82ffd5c76949b720d82ca021f3be4ab8f7e29de2ccc590abca382a5570674

C:\Users\Admin\AppData\Local\Temp\1C16.exe

MD5 255fa20c15103e44fac8c72d6afa0f69
SHA1 74694950c2cf48004c7fc52e630a7ea66e1411fb
SHA256 107c64f0a5aed7d6111d8e8993735f42abc2511359c29494d52683a5a18a9239
SHA512 f0f7b767906753f0d9e58e0a10b9360b39297508d98ebaaece719c681e14b5c679d82ffd5c76949b720d82ca021f3be4ab8f7e29de2ccc590abca382a5570674

C:\Users\Admin\AppData\Local\Temp\1C16.exe

MD5 255fa20c15103e44fac8c72d6afa0f69
SHA1 74694950c2cf48004c7fc52e630a7ea66e1411fb
SHA256 107c64f0a5aed7d6111d8e8993735f42abc2511359c29494d52683a5a18a9239
SHA512 f0f7b767906753f0d9e58e0a10b9360b39297508d98ebaaece719c681e14b5c679d82ffd5c76949b720d82ca021f3be4ab8f7e29de2ccc590abca382a5570674

C:\Users\Admin\AppData\Local\Temp\931.exe

MD5 9f0d0d8d853ed237223544f27623786f
SHA1 2d8b93130d08b807113722557cab797b306d58c6
SHA256 630980e8d53c5147c1fa131a723a95e668f28a7191836113e9f8e99060e93c1d
SHA512 d259cde075fc51845c8d84960bfc655349275fc1826cd123eba48eba0effb217b1322160c7f9cc0d4da10efce2e5d66d662446ce7ec8f502a0af68870efc3911

\Users\Admin\AppData\Local\Temp\931.exe

MD5 9f0d0d8d853ed237223544f27623786f
SHA1 2d8b93130d08b807113722557cab797b306d58c6
SHA256 630980e8d53c5147c1fa131a723a95e668f28a7191836113e9f8e99060e93c1d
SHA512 d259cde075fc51845c8d84960bfc655349275fc1826cd123eba48eba0effb217b1322160c7f9cc0d4da10efce2e5d66d662446ce7ec8f502a0af68870efc3911

C:\Users\Admin\AppData\Local\Temp\931.exe

MD5 9f0d0d8d853ed237223544f27623786f
SHA1 2d8b93130d08b807113722557cab797b306d58c6
SHA256 630980e8d53c5147c1fa131a723a95e668f28a7191836113e9f8e99060e93c1d
SHA512 d259cde075fc51845c8d84960bfc655349275fc1826cd123eba48eba0effb217b1322160c7f9cc0d4da10efce2e5d66d662446ce7ec8f502a0af68870efc3911

memory/1456-209-0x00000000003D0000-0x0000000000462000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\3033.exe

MD5 5b8b16db1970f6a48a3227c847cb6f2e
SHA1 a1382caf09f4c56c3e6ac041d2d490617ebca479
SHA256 6f7db0eb30c9c65593fc8a2cecd50a1d749a5efdd8d36addbc83024555611e6f
SHA512 9731898394adfcb4f4fec808d84cac8db9d2d86b4d811db140969ce7dbaf206678578984fc4f4d02943a8fafffa6278f8df40780f98d3c6f3276f7cfd1d6dca9

C:\Users\Admin\AppData\Local\Temp\3033.exe

MD5 5b8b16db1970f6a48a3227c847cb6f2e
SHA1 a1382caf09f4c56c3e6ac041d2d490617ebca479
SHA256 6f7db0eb30c9c65593fc8a2cecd50a1d749a5efdd8d36addbc83024555611e6f
SHA512 9731898394adfcb4f4fec808d84cac8db9d2d86b4d811db140969ce7dbaf206678578984fc4f4d02943a8fafffa6278f8df40780f98d3c6f3276f7cfd1d6dca9

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\Cab3082.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

\Users\Admin\AppData\Local\Temp\5476.exe

MD5 255fa20c15103e44fac8c72d6afa0f69
SHA1 74694950c2cf48004c7fc52e630a7ea66e1411fb
SHA256 107c64f0a5aed7d6111d8e8993735f42abc2511359c29494d52683a5a18a9239
SHA512 f0f7b767906753f0d9e58e0a10b9360b39297508d98ebaaece719c681e14b5c679d82ffd5c76949b720d82ca021f3be4ab8f7e29de2ccc590abca382a5570674

C:\Users\Admin\AppData\Local\Temp\5476.exe

MD5 255fa20c15103e44fac8c72d6afa0f69
SHA1 74694950c2cf48004c7fc52e630a7ea66e1411fb
SHA256 107c64f0a5aed7d6111d8e8993735f42abc2511359c29494d52683a5a18a9239
SHA512 f0f7b767906753f0d9e58e0a10b9360b39297508d98ebaaece719c681e14b5c679d82ffd5c76949b720d82ca021f3be4ab8f7e29de2ccc590abca382a5570674

C:\Users\Admin\AppData\Local\Temp\5476.exe

MD5 255fa20c15103e44fac8c72d6afa0f69
SHA1 74694950c2cf48004c7fc52e630a7ea66e1411fb
SHA256 107c64f0a5aed7d6111d8e8993735f42abc2511359c29494d52683a5a18a9239
SHA512 f0f7b767906753f0d9e58e0a10b9360b39297508d98ebaaece719c681e14b5c679d82ffd5c76949b720d82ca021f3be4ab8f7e29de2ccc590abca382a5570674

memory/580-245-0x0000000001090000-0x0000000001122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar5800.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 934f335684461c5529afe8ecc5c85ccf
SHA1 40aa32c54e39d0e1ccfcd76139108f786ea26c7c
SHA256 4d922783b0916f6894c8d9cd6280dba2fa4e6a65e4e41e04bc8fe530516c0378
SHA512 30b909669901ca336ac16b56a16a5fd7442b0b859ff77f9733e3b6d42f86aacf786564cd9878a7fb457a831dd769c4a0864ec77d7f6a510a3086390f630daf82

memory/1456-270-0x0000000000150000-0x0000000000156000-memory.dmp

memory/1456-271-0x0000000000170000-0x000000000018A000-memory.dmp

memory/1456-272-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

memory/1456-279-0x000000001B180000-0x000000001B200000-memory.dmp

memory/580-283-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

memory/580-284-0x000000001AD10000-0x000000001AD90000-memory.dmp

memory/2376-286-0x0000000000400000-0x0000000000537000-memory.dmp

memory/580-285-0x0000000000570000-0x0000000000576000-memory.dmp

memory/580-290-0x0000000000CC0000-0x0000000000D48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7DF7.dll

MD5 ec58238fb3adab49461bce7d58730eca
SHA1 c71c577fb65a59f58d61d4cc05232431e020ed6d
SHA256 7c9cd13b71abb01a18ed7b77f602a23c91d1d9b5892888b794d4f43ba1ba37bf
SHA512 991ee2d5b05d728a6e8029e3b6723b4a974158f279d142a59a81a7972af6727b9ad22cc600ee33d65dd83685626a36021f7876ea5ec5cf528acd09d1e3fd3de9

\Users\Admin\AppData\Local\Temp\7DF7.dll

MD5 ec58238fb3adab49461bce7d58730eca
SHA1 c71c577fb65a59f58d61d4cc05232431e020ed6d
SHA256 7c9cd13b71abb01a18ed7b77f602a23c91d1d9b5892888b794d4f43ba1ba37bf
SHA512 991ee2d5b05d728a6e8029e3b6723b4a974158f279d142a59a81a7972af6727b9ad22cc600ee33d65dd83685626a36021f7876ea5ec5cf528acd09d1e3fd3de9

memory/2084-297-0x00000000001B0000-0x00000000001B6000-memory.dmp

memory/1456-299-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

memory/1456-301-0x000000001B180000-0x000000001B200000-memory.dmp

memory/580-302-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

memory/580-303-0x000000001AD10000-0x000000001AD90000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 9622537e51915638708894cb1125d8df
SHA1 9866d52f44d3eddd426d2125939aeaf4e4d7d5dd
SHA256 2dea83fc2e4deded477b919a973aac3082d7dc0d4dc1f213ea867245912b928c
SHA512 1a494c161fc0b2480863c80432bea118b9ea1973db86833c74cbb8342b561fea296f5235362417fb755c9bf9856337da5edf8284ab6dd41692c16f36b37f38a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 85a4bd3082869f37e27d4073de459539
SHA1 c6679343c249bff2a8e88a49d802e5314fc3fe4d
SHA256 0f1226909aa571d8cd372d9c3274d39e9c4f97be946784ca201819ab6a9dc8be
SHA512 cab53f5dcbf58de5d9a97ffa872848332c57dc3703d3047a7a6396a36eb258b5d3775930b7bae36e7e20e7a2ad849ed9c17fb3b44dd60456527114aefc39238c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 85a4bd3082869f37e27d4073de459539
SHA1 c6679343c249bff2a8e88a49d802e5314fc3fe4d
SHA256 0f1226909aa571d8cd372d9c3274d39e9c4f97be946784ca201819ab6a9dc8be
SHA512 cab53f5dcbf58de5d9a97ffa872848332c57dc3703d3047a7a6396a36eb258b5d3775930b7bae36e7e20e7a2ad849ed9c17fb3b44dd60456527114aefc39238c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce681faaabca4597b73be8a4cce24409
SHA1 e2309e16e07e37acf2c993456e231d2db0779a5b
SHA256 1130a3491a88f2ea2fb46d8a85bbe8e32e1c340e49636fa694423cbf5af9f431
SHA512 d0621c8cc14c0e4346a9996d84db451db1b1354e3d6d677db2ee3d80e1a9df512c43bbdd98502c9cdc9eaf2039dfd5c4fd23fe64a6b4c1365599a16ec66a9d68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a7866960e25bd0fafb64abdbdc8b57b
SHA1 bcc04cce8abd3686c7d6de1b47ea3fe273deec37
SHA256 9b2e9ae92010e59b636af87dcf19ca8e14523c1cc2a83727766f75cdc32984ca
SHA512 dfe776714a87d8aefc93f21fe4a2b1ced5256cf30858f3dc00c4bdcfb5755317093c0c4b2581233232add38a771e78767b324632d9d21ddabb01f3bed55c7e44

C:\Users\Admin\AppData\Local\Temp\AAE1.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

C:\Users\Admin\AppData\Local\Temp\AAE1.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

\Users\Admin\AppData\Local\Temp\9157.exe

MD5 9f0d0d8d853ed237223544f27623786f
SHA1 2d8b93130d08b807113722557cab797b306d58c6
SHA256 630980e8d53c5147c1fa131a723a95e668f28a7191836113e9f8e99060e93c1d
SHA512 d259cde075fc51845c8d84960bfc655349275fc1826cd123eba48eba0effb217b1322160c7f9cc0d4da10efce2e5d66d662446ce7ec8f502a0af68870efc3911

C:\Users\Admin\AppData\Local\Temp\9157.exe

MD5 9f0d0d8d853ed237223544f27623786f
SHA1 2d8b93130d08b807113722557cab797b306d58c6
SHA256 630980e8d53c5147c1fa131a723a95e668f28a7191836113e9f8e99060e93c1d
SHA512 d259cde075fc51845c8d84960bfc655349275fc1826cd123eba48eba0effb217b1322160c7f9cc0d4da10efce2e5d66d662446ce7ec8f502a0af68870efc3911

\Users\Admin\AppData\Local\Temp\9157.exe

MD5 9f0d0d8d853ed237223544f27623786f
SHA1 2d8b93130d08b807113722557cab797b306d58c6
SHA256 630980e8d53c5147c1fa131a723a95e668f28a7191836113e9f8e99060e93c1d
SHA512 d259cde075fc51845c8d84960bfc655349275fc1826cd123eba48eba0effb217b1322160c7f9cc0d4da10efce2e5d66d662446ce7ec8f502a0af68870efc3911

memory/2928-360-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 4e65e11c8d8be8aa3e004ba90577d0f6
SHA1 5bf8a43f56e25fde476cbfad43527a9a7b897283
SHA256 6d0fbdaa6a84fefc3b10e36c419fd547451b295f441929cbcd75917193943a27
SHA512 23cd69c31f7bf273eab1ef1ad35aad38d404831cd78713c8a3b22e7ef611f7868d989429b935909258ba014443ab215e7c73ccf2b0093b751ad11ae554764970

C:\Users\Admin\AppData\Local\Temp\B561.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

memory/1052-376-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a7866960e25bd0fafb64abdbdc8b57b
SHA1 bcc04cce8abd3686c7d6de1b47ea3fe273deec37
SHA256 9b2e9ae92010e59b636af87dcf19ca8e14523c1cc2a83727766f75cdc32984ca
SHA512 dfe776714a87d8aefc93f21fe4a2b1ced5256cf30858f3dc00c4bdcfb5755317093c0c4b2581233232add38a771e78767b324632d9d21ddabb01f3bed55c7e44

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 8cb8f90ec602fd3a3e719cb78d8c7cce
SHA1 cdf764f8683ff175fb19bb0ed9e8765e28033e3b
SHA256 da35784b211cae7f4696f5b33b9b2ba9295bfa1016ad92ed28a3d588c1c84651
SHA512 939433b40ad73f85b50268616a1717dc3be47087450d7682b4dab5a657a4279a9a61d706b5e6fc24183995a27ab0803d704e0f2fde6e450d3b05d8b4c0bd6395

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02

MD5 dd2d4271bdda476676cf64d82850dba3
SHA1 4557763574ce28cc92ce1d5d2f32364031db6484
SHA256 b15749d9c8c2bdfbad029c5700dd9a1c23144323070688657b8dd76852090687
SHA512 60eb7ebfbd02ae7dd7e482f31e3ed289b671dff28f5dfe72d32d80a900b2e5e5e9479d26fbb7ad3d470191d66d2d163b61639ac72589ba13d8a9d91167bb1d5c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3538626A1FCCCA43C7E18F220BDD9B02

MD5 44c71aff68c86de9c60f658d73b1b9fd
SHA1 1ac0620d268b7cd1d15d7e0e9c225a16a2e361d6
SHA256 c3030ee6208b54eb18a26268c7b80c70d9a0db0a8fc19711d0e35ff66d290b88
SHA512 0b9ab4198cf491fee489d4df798e06e4dcac5b75998aa7b30a8f3a5144903abb29c68345c8635b91ec050fd83fbf25b2e4034b51614aeb8012bce035256b818b

C:\Users\Admin\AppData\Local\Temp\D7EA.exe

MD5 75747bfd55fe1ae1d3cfef6264ec582b
SHA1 783e5538edcca02d061dd21085097f2d104ea098
SHA256 abc29462bf6643a78fd8ebce22af6423456be4a1f7982cacddf0d05769b3847f
SHA512 4688779c6a1efb1b379b1af15533179a30cef5ee1b13d69878dcfb44b647f728dd86bdbabd0e1674c6552c2fae6aa7d18673d9119706b5e67d93aed93549316e

\Users\Admin\AppData\Local\Temp\931.exe

MD5 9f0d0d8d853ed237223544f27623786f
SHA1 2d8b93130d08b807113722557cab797b306d58c6
SHA256 630980e8d53c5147c1fa131a723a95e668f28a7191836113e9f8e99060e93c1d
SHA512 d259cde075fc51845c8d84960bfc655349275fc1826cd123eba48eba0effb217b1322160c7f9cc0d4da10efce2e5d66d662446ce7ec8f502a0af68870efc3911

\Users\Admin\AppData\Local\Temp\931.exe

MD5 9f0d0d8d853ed237223544f27623786f
SHA1 2d8b93130d08b807113722557cab797b306d58c6
SHA256 630980e8d53c5147c1fa131a723a95e668f28a7191836113e9f8e99060e93c1d
SHA512 d259cde075fc51845c8d84960bfc655349275fc1826cd123eba48eba0effb217b1322160c7f9cc0d4da10efce2e5d66d662446ce7ec8f502a0af68870efc3911

C:\Users\Admin\AppData\Local\Temp\931.exe

MD5 9f0d0d8d853ed237223544f27623786f
SHA1 2d8b93130d08b807113722557cab797b306d58c6
SHA256 630980e8d53c5147c1fa131a723a95e668f28a7191836113e9f8e99060e93c1d
SHA512 d259cde075fc51845c8d84960bfc655349275fc1826cd123eba48eba0effb217b1322160c7f9cc0d4da10efce2e5d66d662446ce7ec8f502a0af68870efc3911

memory/2376-414-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\03b5bff1-87a8-4cd6-a066-c2687bb36709\C625.exe

MD5 b824b7041174e3ecd9ebc6ec556f7055
SHA1 4dfa17503c2daed700bd52cf3be773b87cc8098f
SHA256 e750e775cf67d3c3fdf410a8b14ec9d0c493b00747fa72fb2b143099c46744dc
SHA512 2f56c13c4a3d5ce25cc01b814048c7771894aca8b0c272dd9824debe06e6b6915199ae64b387042f3e7210a5fc61f7ced6bf8111b1884197a0b9c1d59d4eb4ca

memory/832-439-0x00000000002C0000-0x0000000000352000-memory.dmp

memory/560-434-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1380-446-0x0000000000320000-0x00000000003B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-12 12:08

Reported

2023-09-12 12:10

Platform

win10v2004-20230831-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\44F9.exe

C:\Users\Admin\AppData\Local\Temp\44F9.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 254.155.27.67.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.5.248.8.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
US 8.8.8.8:53 colisumy.com udp
KR 115.88.24.200:80 colisumy.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 200.24.88.115.in-addr.arpa udp

Files

memory/2792-0-0x0000000004190000-0x00000000041A5000-memory.dmp

memory/2792-1-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/2792-2-0x0000000000400000-0x0000000002450000-memory.dmp

memory/3216-3-0x0000000002570000-0x0000000002586000-memory.dmp

memory/2792-4-0x0000000000400000-0x0000000002450000-memory.dmp

memory/2792-8-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/2792-7-0x0000000004190000-0x00000000041A5000-memory.dmp

memory/3216-13-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/3216-14-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/3216-15-0x0000000007D00000-0x0000000007D10000-memory.dmp

memory/3216-16-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/3216-17-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/3216-18-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/3216-20-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/3216-19-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/3216-22-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/3216-24-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/3216-23-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/3216-30-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/3216-32-0x00000000049E0000-0x00000000049F0000-memory.dmp

memory/3216-31-0x0000000007D20000-0x0000000007D30000-memory.dmp