Malware Analysis Report

2025-01-18 06:39

Sample ID 231012-sjvaxsfe91
Target 26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe
SHA256 26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor discovery dropper evasion infostealer loader ransomware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564

Threat Level: Known bad

The file 26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor discovery dropper evasion infostealer loader ransomware themida trojan

Amadey

Glupteba

RedLine payload

Djvu Ransomware

Glupteba payload

RedLine

SmokeLoader

Detected Djvu ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Themida packer

Modifies file permissions

Loads dropped DLL

Deletes itself

Checks BIOS information in registry

Looks up external IP address via web service

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 15:09

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 15:09

Reported

2023-10-16 09:39

Platform

win7-20230831-en

Max time kernel

48s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\47F9.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\47F9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\47F9.exe N/A

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4450.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\47F9.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\47F9.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2572 set thread context of 2620 N/A C:\Users\Admin\AppData\Local\Temp\4450.exe C:\Users\Admin\AppData\Local\Temp\4450.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\4CAC.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\4450.exe
PID 1348 wrote to memory of 2788 N/A N/A C:\Users\Admin\AppData\Local\Temp\47F9.exe
PID 2572 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\4450.exe C:\Users\Admin\AppData\Local\Temp\4450.exe
PID 1348 wrote to memory of 2448 N/A N/A C:\Users\Admin\AppData\Local\Temp\4CAC.exe
PID 1348 wrote to memory of 1624 N/A N/A C:\Windows\system32\regsvr32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe

"C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe"

C:\Users\Admin\AppData\Local\Temp\4450.exe

C:\Users\Admin\AppData\Local\Temp\4450.exe

C:\Users\Admin\AppData\Local\Temp\47F9.exe

C:\Users\Admin\AppData\Local\Temp\47F9.exe

C:\Users\Admin\AppData\Local\Temp\4450.exe

C:\Users\Admin\AppData\Local\Temp\4450.exe

C:\Users\Admin\AppData\Local\Temp\4CAC.exe

C:\Users\Admin\AppData\Local\Temp\4CAC.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\56E9.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\56E9.dll

C:\Users\Admin\AppData\Local\Temp\5A25.exe

C:\Users\Admin\AppData\Local\Temp\5A25.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 72

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\6CDC.exe

C:\Users\Admin\AppData\Local\Temp\6CDC.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\be694f97-865c-4ecf-97d7-d7a7b8a5dbfd" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\4450.exe

"C:\Users\Admin\AppData\Local\Temp\4450.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4450.exe

"C:\Users\Admin\AppData\Local\Temp\4450.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\taskeng.exe

taskeng.exe {11D005F7-EA6E-422B-8EB9-8E3AB72B4D8E} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016093845.log C:\Windows\Logs\CBS\CbsPersist_20231016093845.cab

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\6CDC.exe

"C:\Users\Admin\AppData\Local\Temp\6CDC.exe"

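The process tree above shows the whole Amadey persistence chain in clear text: 5A25.exe copies itself to Temp\577f58beff\yiueea.exe, registers a scheduled task that relaunches it every minute, then runs CACLS twice on the dropped file and its folder (first "Admin:N", removing the user's rights entirely, then "/P Admin:R /E", adding back read only) so the user cannot delete or modify it. Alongside it are Djvu's icacls /deny on its install folder under AppData\Local, a silent regsvr32 load of 56E9.dll from Temp, AppLaunch.exe started with no arguments, and 4450.exe relaunching itself with "--Admin IsNotAutoStart IsNotTask". The block below is an added example and not part of the sandbox report: a small set of command-line detection rules run over those lines (copied from the report, with the benign makecab.exe line as a negative case). The rule names, the user-writable path list and the heuristics are my own assumptions, not anything the sandbox vendor publishes.

```python
import re

# Constructed sample: command lines copied from the behavioral1 process tree in
# this report, plus the report's benign makecab.exe line as a negative case.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit',
    r'icacls "C:\Users\Admin\AppData\Local\be694f97-865c-4ecf-97d7-d7a7b8a5dbfd" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\56E9.dll',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\4450.exe" --Admin IsNotAutoStart IsNotTask',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016093845.log C:\Windows\Logs\CBS\CbsPersist_20231016093845.cab',
]

# Directories a standard user can write to (assumed list, not exhaustive).
# Anything persisted into or loaded from these deserves a second look.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\", re.I)


def split_cmdline(cmdline):
    """Return (program basename in lower case, remaining argument string)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    if not m:
        return "", ""
    prog = m.group(1) or m.group(2)
    return prog.rsplit("\\", 1)[-1].lower(), cmdline[m.end():].strip()


def classify(cmdline):
    """Return the list of rule names that match one command line."""
    prog, args = split_cmdline(cmdline)
    low = cmdline.lower()
    hits = []

    # 1. schtasks /Create with a one-minute trigger whose action lives in a
    #    user-writable directory: the Amadey relaunch task seen in the report.
    if prog == "schtasks.exe" and "/create" in low and "/sc minute" in low:
        tr = re.search(r'/tr\s+"?([^"]+)"?', cmdline, re.I)
        if tr and USER_WRITABLE.search(tr.group(1)):
            hits.append("minute_task_user_writable")

    # 2. ACL tampering on the malware's own files: CACLS ":N" (no access) or
    #    icacls /deny on a user-writable path. Amadey uses the first form on
    #    its dropped EXE and folder, Djvu the second on its install folder.
    if re.search(r'\bcacls\s+"[^"]+"\s+/p\s+"[^"]+:n"', low):
        hits.append("acl_deny_own_files")
    elif prog in ("icacls", "icacls.exe") and "/deny" in low and USER_WRITABLE.search(cmdline):
        hits.append("acl_deny_own_files")

    # 3. Silent regsvr32 of a DLL from a user-writable directory (56E9.dll here).
    if prog in ("regsvr32", "regsvr32.exe") and re.search(r"/s\b", low) and USER_WRITABLE.search(cmdline):
        hits.append("regsvr32_silent_user_writable_dll")

    # 4. A .NET host started with an empty command line. AppLaunch.exe is
    #    normally given something to launch; no arguments at all is how it
    #    looks when started as a host for injected code (heuristic).
    if prog == "applaunch.exe" and args == "":
        hits.append("dotnet_host_no_args")

    # 5. Command-line switches STOP/Djvu passes when it relaunches itself.
    if "--admin" in low and "isnotautostart" in low:
        hits.append("djvu_relaunch_switches")

    return hits


def scan(cmdlines):
    """Map each matched rule to the command lines that triggered it."""
    report = {}
    for c in cmdlines:
        for rule in classify(c):
            report.setdefault(rule, []).append(c)
    return report


if __name__ == "__main__":
    for rule, lines in scan(SAMPLE_CMDLINES).items():
        print(rule)
        for line in lines:
            print("   ", line[:90])
```

On real telemetry feed it Sysmon event 1 or Security 4688 command lines. Rule 2 will also fire on legitimate admin scripts that use CACLS ":N", so pair it with the parent process; in this detonation the cmd.exe that runs CACLS is spawned by a binary in AppData\Local\Temp, which is the part that makes it worth an alert.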
Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp

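The network table above mixes three kinds of rows: DNS queries to the sandbox resolver (8.8.8.8), the TCP connections that followed them, and a lookup of api.2ip.ua, an external-IP service that tells you the sample checked its public address but is not a C2 host. Some rows are also damaged by extraction: one row carries the destination IP in the Domain column, and one row lost the Domain column altogether. The behavioral2 (Windows 10) run, further down, contains only reverse (in-addr.arpa) lookups, which is background noise and consistent with that run never reaching the download stage. The block below is an added example, not part of the report, that turns such rows into a clean IOC set while handling those cases; the row sample is constructed from a subset of both tables, and the resolver and IP-check lists are my own assumptions.

```python
import ipaddress

# Constructed sample: a subset of the Network rows from both detonations in this
# report, including the table header, a duplicate row, an IP-only "domain",
# a flattened row with no Domain column, and a reverse (PTR) lookup.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 34.94.245.237:80 sumagulituyo.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
"""

RESOLVERS = {"8.8.8.8"}             # sandbox DNS resolver, not an IOC (assumed)
IP_CHECK_SERVICES = {"api.2ip.ua"}  # external-IP lookup: indicative, not C2 (assumed)


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_row(line):
    """Parse one 'Country Destination Domain Proto' row; None if not a data row."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:            # extraction dropped the Domain column
        country, dest, proto = parts
        domain = ""
    else:
        return None
    host, sep, port = dest.rpartition(":")
    if not sep or not port.isdigit() or not is_ip(host):
        return None                  # header line or otherwise unparsable
    return {"country": country, "ip": host, "port": int(port),
            "domain": domain, "proto": proto}


def extract_iocs(text):
    """Return domains, IPs with ports, IP-check services and rows needing review."""
    domains, ips, ip_check, malformed = {}, {}, set(), []
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        dom = row["domain"]
        if dom.endswith(".in-addr.arpa"):
            continue                 # PTR lookups: OS/sandbox background noise
        if dom in IP_CHECK_SERVICES:
            ip_check.add(dom)        # record it, but do not list its IP as C2
            continue
        if not dom:
            malformed.append(line)   # keep the raw row for manual review
        if row["ip"] in RESOLVERS:
            if dom:
                domains.setdefault(dom, set())   # name learned from the query
            continue
        ips.setdefault(row["ip"], set()).add(row["port"])
        if dom and not is_ip(dom):
            domains.setdefault(dom, set()).add(row["ip"])
    return {
        "domains": {d: sorted(v) for d, v in domains.items()},
        "ips": {i: sorted(p) for i, p in ips.items()},
        "ip_check_services": sorted(ip_check),
        "malformed_rows": malformed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_ROWS), indent=2))
```

Sets collapse the duplicate rows, the IP-only Domain column is treated as an IP rather than a hostname, and the row without a Domain column still contributes its IP and port while being listed for review. Block the resulting domains and IPs, but keep api.2ip.ua as a detection signal only: plenty of legitimate software asks an external service for its public address.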
Files

memory/1864-1-0x0000000000A10000-0x0000000000B10000-memory.dmp

memory/1864-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1864-3-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/1864-5-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/1348-4-0x0000000002710000-0x0000000002726000-memory.dmp

memory/1864-8-0x0000000000220000-0x000000000022B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4450.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\47F9.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

memory/2788-25-0x00000000008E0000-0x0000000001060000-memory.dmp

memory/2572-26-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2620-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2620-31-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4CAC.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2788-42-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2572-43-0x0000000000AB0000-0x0000000000BCB000-memory.dmp

memory/2572-41-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2788-44-0x0000000077190000-0x00000000771D7000-memory.dmp

memory/2788-47-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-48-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-49-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-50-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-51-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-53-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-52-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-54-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-56-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-58-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-60-0x0000000077A40000-0x0000000077A42000-memory.dmp

memory/2788-61-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2620-62-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2788-59-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-57-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-55-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-32-0x0000000076B80000-0x0000000076C90000-memory.dmp

\Users\Admin\AppData\Local\Temp\4450.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/2620-63-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\56E9.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

\Users\Admin\AppData\Local\Temp\56E9.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/2788-68-0x00000000749A0000-0x000000007508E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5A25.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1164-76-0x0000000000190000-0x0000000000196000-memory.dmp

memory/1164-75-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/808-78-0x0000000000400000-0x000000000043E000-memory.dmp

memory/808-81-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/808-88-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/808-90-0x0000000000400000-0x000000000043E000-memory.dmp

memory/808-86-0x0000000000400000-0x000000000043E000-memory.dmp

memory/808-83-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2788-92-0x00000000008E0000-0x0000000001060000-memory.dmp

\Users\Admin\AppData\Local\Temp\4CAC.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/1164-99-0x00000000023E0000-0x00000000024D0000-memory.dmp

memory/1164-100-0x00000000023E0000-0x00000000024D0000-memory.dmp

memory/1164-102-0x00000000023E0000-0x00000000024D0000-memory.dmp

memory/1164-93-0x00000000022D0000-0x00000000023D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6CDC.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/3024-108-0x0000000004990000-0x0000000004D88000-memory.dmp

memory/1164-112-0x00000000023E0000-0x00000000024D0000-memory.dmp

memory/2788-114-0x00000000008E0000-0x0000000001060000-memory.dmp

memory/2788-117-0x0000000076B80000-0x0000000076C90000-memory.dmp

memory/2788-118-0x0000000077190000-0x00000000771D7000-memory.dmp

memory/3024-124-0x0000000004990000-0x0000000004D88000-memory.dmp

memory/3024-130-0x0000000004D90000-0x000000000567B000-memory.dmp

memory/2232-133-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2232-135-0x0000000000060000-0x000000000006C000-memory.dmp

memory/936-136-0x00000000000C0000-0x000000000012B000-memory.dmp

memory/936-149-0x00000000000C0000-0x000000000012B000-memory.dmp

memory/3024-150-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2620-151-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\be694f97-865c-4ecf-97d7-d7a7b8a5dbfd\4450.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/2788-154-0x00000000749A0000-0x000000007508E000-memory.dmp

memory/2620-157-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2848-168-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2848-159-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/3024-169-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2788-174-0x00000000054D0000-0x0000000005510000-memory.dmp

memory/3024-175-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3024-178-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2788-180-0x00000000054D0000-0x0000000005510000-memory.dmp

memory/3024-182-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3024-192-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2788-193-0x00000000006D0000-0x00000000006EC000-memory.dmp

memory/3024-195-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2788-196-0x00000000006D0000-0x00000000006E5000-memory.dmp

memory/2788-197-0x00000000006D0000-0x00000000006E5000-memory.dmp

memory/2788-199-0x00000000006D0000-0x00000000006E5000-memory.dmp

memory/2788-201-0x00000000006D0000-0x00000000006E5000-memory.dmp

memory/2788-203-0x00000000006D0000-0x00000000006E5000-memory.dmp

memory/2788-206-0x00000000006D0000-0x00000000006E5000-memory.dmp

memory/2788-208-0x00000000006D0000-0x00000000006E5000-memory.dmp

memory/2788-210-0x00000000006D0000-0x00000000006E5000-memory.dmp

memory/2788-212-0x00000000006D0000-0x00000000006E5000-memory.dmp

memory/2788-221-0x0000000000680000-0x0000000000681000-memory.dmp

memory/3024-250-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1192-251-0x0000000004940000-0x0000000004D38000-memory.dmp

memory/1192-252-0x0000000000400000-0x0000000002FB8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 15:09

Reported

2023-10-16 09:39

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe

"C:\Users\Admin\AppData\Local\Temp\26293e0ccda76f0ee39b65e7d3538b0df51e1eec2680be05bfe566f94e8cc564_JC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/2124-1-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2124-2-0x00000000001C0000-0x00000000001CB000-memory.dmp

memory/2124-3-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2124-4-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2124-6-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/3204-5-0x0000000007640000-0x0000000007656000-memory.dmp

memory/2124-9-0x00000000001C0000-0x00000000001CB000-memory.dmp