Malware Analysis Report

2025-08-05 17:02

Sample ID 240107-ya8d3sdfa4
Target f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
SHA256 f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938d
Tags smokeloader backdoor evasion trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938d

Threat Level: Known bad

The file f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor evasion trojan

SmokeLoader

Executes dropped EXE

Deletes itself

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Runs regedit.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:38

Platform

win10v2004-20231215-en

Max time kernel

23s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe N/A
N/A N/A N/A N/A (62 identical rows)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4456 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
PID 4456 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
PID 4456 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
PID 4456 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
PID 4456 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
PID 4456 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
PID 3428 wrote to memory of 4880 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe
PID 3428 wrote to memory of 4880 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe
PID 3428 wrote to memory of 4880 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C9E.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe

"C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe"

C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe

"C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3096 -ip 3096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 328

C:\Users\Admin\AppData\Local\Temp\9C9E.exe

C:\Users\Admin\AppData\Local\Temp\9C9E.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"

C:\Users\Admin\AppData\Local\Temp\A1A0.exe

C:\Users\Admin\AppData\Local\Temp\A1A0.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1444 -ip 1444

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 N/A udp
N/A 40.127.169.103:443 N/A tcp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
GB 96.16.110.41:443 N/A tcp
US 8.8.8.8:53 N/A udp
N/A 4.231.128.59:443 N/A tcp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
N/A 4.231.128.59:443 N/A tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 24.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 N/A udp
US 104.21.30.102:80 N/A tcp
N/A 40.127.169.103:443 N/A tcp
N/A 40.127.169.103:443 N/A tcp
US 8.8.8.8:53 N/A udp
N/A 4.231.128.59:443 N/A tcp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3096-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3096-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4456-1-0x00000000005F0000-0x00000000005F9000-memory.dmp

memory/4456-0-0x00000000005E0000-0x00000000005E8000-memory.dmp

memory/3428-4-0x0000000002B00000-0x0000000002B16000-memory.dmp

memory/3096-7-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4880-17-0x0000000002300000-0x0000000002366000-memory.dmp

memory/4880-18-0x0000000000720000-0x000000000072D000-memory.dmp

memory/4880-20-0x0000000002300000-0x0000000002366000-memory.dmp

memory/4880-24-0x0000000002300000-0x0000000002366000-memory.dmp

memory/4880-23-0x0000000002830000-0x000000000283C000-memory.dmp

memory/4880-21-0x0000000000960000-0x0000000000961000-memory.dmp

memory/4880-19-0x0000000077974000-0x0000000077975000-memory.dmp

memory/4880-15-0x0000000000010000-0x000000000006D000-memory.dmp

memory/1444-25-0x0000000000020000-0x0000000000454000-memory.dmp

memory/1444-27-0x0000000000020000-0x0000000000454000-memory.dmp

memory/1444-30-0x0000000000800000-0x00000000008C4000-memory.dmp

memory/4880-36-0x0000000002300000-0x0000000002366000-memory.dmp

memory/4092-38-0x0000000000B10000-0x00000000010A6000-memory.dmp

memory/4880-40-0x0000000000980000-0x0000000000981000-memory.dmp

memory/4092-47-0x0000000000B10000-0x00000000010A6000-memory.dmp

memory/1444-34-0x0000000000800000-0x00000000008C4000-memory.dmp

memory/1444-29-0x0000000000800000-0x00000000008C4000-memory.dmp

memory/1444-63-0x0000000000800000-0x00000000008C4000-memory.dmp

memory/1444-62-0x0000000000020000-0x0000000000453000-memory.dmp

memory/1444-60-0x0000000002A80000-0x0000000002A82000-memory.dmp

memory/1444-59-0x0000000000800000-0x00000000008C4000-memory.dmp

memory/4880-64-0x0000000000980000-0x0000000000981000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:36

Reported

2024-01-07 19:38

Platform

win7-20231215-en

Max time kernel

28s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe N/A
N/A N/A N/A N/A (62 identical rows)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1156 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
PID 1156 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
PID 1156 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
PID 1156 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
PID 1156 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
PID 1156 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
PID 1156 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe
PID 1204 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe
PID 1204 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe
PID 1204 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe
PID 1204 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE47.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe

"C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe"

C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe

"C:\Users\Admin\AppData\Local\Temp\f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938dexe.exe"

C:\Users\Admin\AppData\Local\Temp\CE47.exe

C:\Users\Admin\AppData\Local\Temp\CE47.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\F567.exe

C:\Users\Admin\AppData\Local\Temp\F567.exe

C:\Users\Admin\AppData\Local\Temp\y7913717e597a_1.exe

/suac

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\SysWOW64\regedit.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\Y79137~1.EXE" /RL HIGHEST

Network

Country Destination Domain Proto
US 8.8.8.8:53 host-file-host6.com udp
US 172.67.172.189:80 host-file-host6.com tcp

Files

memory/1156-3-0x00000000003B0000-0x00000000003B8000-memory.dmp

memory/1156-4-0x00000000003C0000-0x00000000003C9000-memory.dmp

memory/2648-5-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2648-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2648-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1204-6-0x00000000029A0000-0x00000000029B6000-memory.dmp

memory/2648-7-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2868-21-0x0000000000010000-0x000000000006D000-memory.dmp

memory/2868-23-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2868-24-0x0000000000390000-0x000000000039D000-memory.dmp

memory/2868-22-0x0000000000320000-0x0000000000386000-memory.dmp

memory/2868-31-0x0000000000320000-0x0000000000386000-memory.dmp

memory/2868-30-0x0000000001EF0000-0x0000000001EFC000-memory.dmp

memory/2868-29-0x0000000000320000-0x0000000000386000-memory.dmp

memory/2868-28-0x0000000001D40000-0x0000000001D41000-memory.dmp

memory/2868-26-0x0000000000320000-0x0000000000386000-memory.dmp

memory/2868-25-0x0000000077250000-0x0000000077251000-memory.dmp

memory/2220-33-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-34-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-36-0x0000000000110000-0x00000000001D4000-memory.dmp

memory/2220-40-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-47-0x0000000002020000-0x000000000202C000-memory.dmp

memory/2220-46-0x0000000000110000-0x00000000001D4000-memory.dmp

memory/2868-45-0x0000000000320000-0x0000000000386000-memory.dmp

memory/2220-42-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-41-0x0000000000110000-0x00000000001D4000-memory.dmp

memory/2220-39-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-38-0x00000000002A0000-0x00000000002A6000-memory.dmp

memory/2220-37-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-35-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-49-0x0000000002010000-0x0000000002011000-memory.dmp

memory/2220-50-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-48-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-51-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-53-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/1204-54-0x00000000770B1000-0x00000000770B2000-memory.dmp

memory/2220-52-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-55-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-56-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-57-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-58-0x0000000077060000-0x0000000077209000-memory.dmp

memory/2220-65-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2924-68-0x0000000000950000-0x0000000000EE6000-memory.dmp

memory/1204-66-0x00000000029D0000-0x00000000029D6000-memory.dmp

memory/2220-70-0x00000000002A0000-0x00000000002A6000-memory.dmp

memory/2220-69-0x0000000000110000-0x00000000001D4000-memory.dmp

memory/2220-71-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-72-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-74-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-73-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-75-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-76-0x0000000000110000-0x00000000001D4000-memory.dmp

memory/2220-77-0x0000000000110000-0x00000000001D4000-memory.dmp

memory/2220-78-0x0000000077240000-0x00000000773C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\y7913717e597a_1.exe

MD5 80c413180b6bd0dd664adc4e0665b494
SHA1 e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA256 6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512 347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

memory/2220-88-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2624-92-0x00000000002A0000-0x00000000002A6000-memory.dmp

memory/2624-94-0x0000000000560000-0x000000000056C000-memory.dmp

memory/2624-96-0x00000000002F0000-0x0000000000356000-memory.dmp

memory/2624-95-0x00000000002F0000-0x0000000000356000-memory.dmp

memory/2624-91-0x00000000002F0000-0x0000000000356000-memory.dmp

memory/2624-90-0x00000000002F0000-0x0000000000356000-memory.dmp

C:\Users\Admin\AppData\Roaming\awacrvc

MD5 e22cb3768b8f1f0bd6a8334fe9480230
SHA1 8330fbc04aec9f431b7b7e78bb9cc27dadc1d07a
SHA256 f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938d
SHA512 129e2fa45cbe86d5095e2729a941af32cbfa92f64a4cd301cdc73d7963b8a8b69616f21350efec22b043c127da0411aad13efe3b9277f759e31530bf3dc04d40

memory/2220-97-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/1584-99-0x00000000770B1000-0x00000000770B2000-memory.dmp

memory/2924-100-0x0000000000950000-0x0000000000EE6000-memory.dmp

memory/2624-101-0x0000000000010000-0x000000000006D000-memory.dmp

memory/1492-103-0x0000000000CB0000-0x0000000000D16000-memory.dmp

memory/1492-104-0x0000000000CB0000-0x0000000000D16000-memory.dmp

memory/1492-108-0x00000000000D0000-0x00000000000DB000-memory.dmp

memory/1492-107-0x0000000000CB0000-0x0000000000D15000-memory.dmp

memory/2624-106-0x00000000002A0000-0x00000000002A6000-memory.dmp

memory/1204-109-0x0000000002980000-0x0000000002981000-memory.dmp

memory/2220-113-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-117-0x0000000077240000-0x00000000773C1000-memory.dmp

memory/2220-118-0x0000000077240000-0x00000000773C1000-memory.dmp