Analysis Overview
SHA256
96845909bbac1b9dc17b3561090872738015abfce91bc5217c367dc2c1327f20
Threat Level: Known bad
The file was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Downloads MZ/PE file
Drops startup file
Loads dropped DLL
Deletes itself
Executes dropped EXE
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-01 10:38
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-01 10:38
Reported
2024-02-01 10:40
Platform
win7-20231215-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
SmokeLoader
Downloads MZ/PE file
Deletes itself
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\DAD5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAD5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\writshv | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAD5.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\writshv | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\writshv | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\writshv | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\writshv | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\DAD5.exe
C:\Users\Admin\AppData\Local\Temp\DAD5.exe
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {683F5841-3D1E-4C5B-AF20-0472B51873E9} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\writshv
C:\Users\Admin\AppData\Roaming\writshv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sjyey.com | udp |
| MX | 187.211.34.223:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | emgvod.com | udp |
| BG | 95.158.162.200:80 | emgvod.com | tcp |
Files
memory/2404-1-0x0000000002C30000-0x0000000002D30000-memory.dmp
memory/2404-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2404-3-0x0000000000400000-0x0000000002B07000-memory.dmp
memory/1208-4-0x0000000002B50000-0x0000000002B66000-memory.dmp
memory/2404-5-0x0000000000400000-0x0000000002B07000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DAD5.exe
| MD5 | 06fad45002385c2b1062998e6d840e54 |
| SHA1 | 4c598a9fd8f4768bfcc83a2b43effa1387050003 |
| SHA256 | fe089e2de5573a6e56ca69768894bffa6cfe9d2db226edd6ebd75a221d044611 |
| SHA512 | 4917ea1585e746ad3f105589768a506f48c24d15bc88fe3a65419d7b5fee1f7af1fb06d5746a9a8982ce81de97f668eb24bbf53e45637f5c3e83dc95dd7f3f8f |
memory/2940-18-0x0000000002C80000-0x0000000002D80000-memory.dmp
memory/2940-21-0x0000000000400000-0x0000000002B72000-memory.dmp
memory/2940-22-0x0000000000330000-0x00000000003C1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk
| MD5 | f9e6489627f500a39da12c2c2ba65938 |
| SHA1 | a5480b0c2cb6620a7f21fdce845cf031671d68f0 |
| SHA256 | 1bf46540825bb936862bc129df0732ef4435ebf00a8da7582174ea2d308ad694 |
| SHA512 | 317fb15e540d417708c4d250a06df6f7aaaf953460ded08f83093a028d69143dfe28e333e0b116f2650f2058bfe9b0f404235b57bb112dd09ed71793631437e5 |
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
| MD5 | eda1a9cb00a94d074e1eee567bc4d312 |
| SHA1 | 620be1d916fd83019f9d9f3a43c11c3c027d2dc6 |
| SHA256 | 2e958aa5c9e224e7ee1b059400bf7be62e128094e90218e1831b5a54f27ae996 |
| SHA512 | f80081f6e6929af2a3dee0c4bbb6fbb0e42180644439bc01cba7eaf4c711e4feb3b1f048d6e3d08b504f2c847d915534d8412a2b8afbefac6255672f50801818 |
memory/2940-36-0x0000000000400000-0x0000000002B72000-memory.dmp
memory/2004-37-0x0000000002D50000-0x0000000002E50000-memory.dmp
memory/2004-38-0x0000000000400000-0x0000000002B72000-memory.dmp
memory/2004-42-0x0000000002D50000-0x0000000002E50000-memory.dmp
C:\Users\Admin\AppData\Roaming\writshv
| MD5 | ce56308a4488dc316f3e00361192e6c6 |
| SHA1 | 99ff136466841a4c45552be35cb1628c1f805aec |
| SHA256 | 96845909bbac1b9dc17b3561090872738015abfce91bc5217c367dc2c1327f20 |
| SHA512 | f24734b08018a480ac3b3d02debd11fb7f9e92d6e739a75c46284e3096ae3faf38ab39133fa36b3dfa543033834b2e265ea343662b4fcb6f6405fd4dab520331 |
memory/1492-49-0x0000000002C50000-0x0000000002D50000-memory.dmp
memory/1492-50-0x0000000000400000-0x0000000002B07000-memory.dmp
memory/1208-51-0x00000000029F0000-0x0000000002A06000-memory.dmp
memory/1492-52-0x0000000000400000-0x0000000002B07000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-01 10:38
Reported
2024-02-01 10:40
Platform
win10v2004-20231215-en
Max time kernel
152s
Max time network
161s
Command Line
Signatures
SmokeLoader
Downloads MZ/PE file
Deletes itself
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\2DD1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2DD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ebcrguh | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2DD1.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ebcrguh | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ebcrguh | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ebcrguh | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ebcrguh | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3532 wrote to memory of 5012 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2DD1.exe |
| PID 5012 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\2DD1.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\2DD1.exe
C:\Users\Admin\AppData\Local\Temp\2DD1.exe
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5012 -ip 5012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1000
C:\Users\Admin\AppData\Roaming\ebcrguh
C:\Users\Admin\AppData\Roaming\ebcrguh
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sjyey.com | udp |
| BG | 95.158.162.200:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 200.162.158.95.in-addr.arpa | udp |
| US | 138.91.171.81:80 | N/A | tcp |
| US | 8.8.8.8:53 | emgvod.com | udp |
| PA | 181.197.171.222:80 | emgvod.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.171.197.181.in-addr.arpa | udp |
| BG | 95.158.162.200:80 | emgvod.com | tcp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
memory/3820-1-0x0000000002DD0000-0x0000000002ED0000-memory.dmp
memory/3820-2-0x0000000002C60000-0x0000000002C6B000-memory.dmp
memory/3820-3-0x0000000000400000-0x0000000002B07000-memory.dmp
memory/3532-4-0x0000000003370000-0x0000000003386000-memory.dmp
memory/3820-5-0x0000000000400000-0x0000000002B07000-memory.dmp
memory/3820-8-0x0000000002C60000-0x0000000002C6B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2DD1.exe
| MD5 | 06fad45002385c2b1062998e6d840e54 |
| SHA1 | 4c598a9fd8f4768bfcc83a2b43effa1387050003 |
| SHA256 | fe089e2de5573a6e56ca69768894bffa6cfe9d2db226edd6ebd75a221d044611 |
| SHA512 | 4917ea1585e746ad3f105589768a506f48c24d15bc88fe3a65419d7b5fee1f7af1fb06d5746a9a8982ce81de97f668eb24bbf53e45637f5c3e83dc95dd7f3f8f |
memory/5012-17-0x0000000002E10000-0x0000000002F10000-memory.dmp
memory/5012-18-0x0000000004800000-0x0000000004891000-memory.dmp
memory/5012-20-0x0000000000400000-0x0000000002B72000-memory.dmp
memory/5012-28-0x0000000000400000-0x0000000002B72000-memory.dmp
memory/1340-30-0x00000000047B0000-0x0000000004841000-memory.dmp
memory/1340-29-0x0000000002D10000-0x0000000002E10000-memory.dmp
memory/1340-31-0x0000000000400000-0x0000000002B72000-memory.dmp
memory/1340-35-0x0000000002D10000-0x0000000002E10000-memory.dmp
C:\Users\Admin\AppData\Roaming\ebcrguh
| MD5 | ce56308a4488dc316f3e00361192e6c6 |
| SHA1 | 99ff136466841a4c45552be35cb1628c1f805aec |
| SHA256 | 96845909bbac1b9dc17b3561090872738015abfce91bc5217c367dc2c1327f20 |
| SHA512 | f24734b08018a480ac3b3d02debd11fb7f9e92d6e739a75c46284e3096ae3faf38ab39133fa36b3dfa543033834b2e265ea343662b4fcb6f6405fd4dab520331 |
memory/3132-42-0x0000000002DD0000-0x0000000002ED0000-memory.dmp
memory/3132-43-0x0000000000400000-0x0000000002B07000-memory.dmp
memory/3532-44-0x0000000003630000-0x0000000003646000-memory.dmp
memory/3132-47-0x0000000000400000-0x0000000002B07000-memory.dmp