Analysis Overview
SHA256
7ae7f99dc8e7bb45c91c1f1721bf959e2a5a368f7f9106b8a6a93c8956c84580
Threat Level: Known bad
The file e88da5d3f528d78eabc2de83797c2195.bin was found to be: Known bad.
Malicious Activity Summary
Amadey
SmokeLoader
Downloads MZ/PE file
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Executes dropped EXE
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-16 04:27
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-16 04:27
Reported
2024-02-16 04:30
Platform
win7-20240215-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Amadey
SmokeLoader
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7668.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewgvvug | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ewgvvug | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ewgvvug | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\ewgvvug | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe | N/A |
62 further events with no description, indicator, process or target recorded.
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewgvvug | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege (3 occurrences) | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7668.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
"C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe"
C:\Users\Admin\AppData\Local\Temp\7668.exe
C:\Users\Admin\AppData\Local\Temp\7668.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1908 -s 308
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2284 -s 308
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 692 -s 308
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\taskeng.exe
taskeng.exe {9CB2A9A6-7D71-463F-9F3A-5208CCC5E9E3} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Roaming\ewgvvug
C:\Users\Admin\AppData\Roaming\ewgvvug
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sjyey.com | udp |
| MK | 95.86.30.3:80 | sjyey.com | tcp |
| MK | 95.86.30.3:80 | sjyey.com | tcp |
| MK | 95.86.30.3:80 | sjyey.com | tcp |
| MK | 95.86.30.3:80 | sjyey.com | tcp |
| MK | 95.86.30.3:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | emgvod.com | udp |
| PA | 190.219.88.10:80 | emgvod.com | tcp |
| MK | 95.86.30.3:80 | sjyey.com | tcp |
| MK | 95.86.30.3:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | cbinr.com | udp |
| US | 8.8.8.8:53 | rimakc.ru | udp |
| US | 8.8.8.8:53 | anfesq.com | udp |
| RU | 91.189.114.4:80 | rimakc.ru | tcp |
| MK | 95.86.30.3:80 | cbinr.com | tcp |
| KR | 211.181.24.133:80 | cbinr.com | tcp |
| KR | 211.181.24.133:80 | cbinr.com | tcp |
| MK | 95.86.30.3:80 | cbinr.com | tcp |
| US | 8.8.8.8:53 | anfesq.com | udp |
| KR | 211.181.24.133:80 | cbinr.com | tcp |
| RU | 91.189.114.4:80 | rimakc.ru | tcp |
| KR | 211.181.24.133:80 | cbinr.com | tcp |
| RU | 91.189.114.4:80 | rimakc.ru | tcp |
| RU | 91.189.114.4:80 | rimakc.ru | tcp |
| KR | 211.181.24.133:80 | cbinr.com | tcp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| RU | 91.189.114.4:80 | rimakc.ru | tcp |
| US | 8.8.8.8:53 | arrunda.ru | udp |
| US | 8.8.8.8:53 | soetegem.com | udp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| US | 8.8.8.8:53 | arrunda.ru | udp |
| US | 8.8.8.8:53 | soetegem.com | udp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| US | 8.8.8.8:53 | arrunda.ru | udp |
| US | 8.8.8.8:53 | anfesq.com | udp |
| US | 8.8.8.8:53 | soetegem.com | udp |
Files
memory/1772-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1772-1-0x0000000002CB0000-0x0000000002DB0000-memory.dmp
memory/1772-3-0x0000000000400000-0x0000000002BF5000-memory.dmp
memory/1772-5-0x0000000000400000-0x0000000002BF5000-memory.dmp
memory/1204-4-0x0000000002E00000-0x0000000002E16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7668.exe
| MD5 | e1dc6f36bc9f047f33b58c8c0fc2da89 |
| SHA1 | cf6dfe8eaa32971eb53f02d0dc7c8ac299968880 |
| SHA256 | 6f861ffc77ac6529a50211ae09d7bbdf27b97b73e17f9c4cdb397e39dc85a767 |
| SHA512 | 6387d154ca10f44aa3abb8ef9b653c99b7fa583d152ef51b5091fccce085c6459ecc799f0491e8e3fe197f8bcd30af2d6c8fae3973311b05930fd444be962f92 |
memory/3016-20-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3016-19-0x0000000000340000-0x00000000003AF000-memory.dmp
memory/3016-18-0x0000000000590000-0x0000000000690000-memory.dmp
memory/3016-21-0x0000000000510000-0x0000000000511000-memory.dmp
\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
| MD5 | 09d5a2daa014b5d40e7ce7154c0b8cd8 |
| SHA1 | f4d330c8fe5018f2c327b9118594dace43fc86a1 |
| SHA256 | 4b977e5546e773765fc8c528fae74a96ac6a380b1c7129df0ae8b119c539467a |
| SHA512 | 30b6f46f02839174b846c351c0e8638fd0a60ca78d3e482ec185c195762863819b8144904b8687dbf86767521b4775563cb3eb117380550181ffe0cb35e15700 |
memory/3016-36-0x0000000000590000-0x0000000000690000-memory.dmp
memory/2472-38-0x0000000000280000-0x00000000002EF000-memory.dmp
memory/2472-37-0x00000000008E0000-0x00000000009E0000-memory.dmp
memory/3016-34-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2472-39-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
| MD5 | 444c85d855c718c2c26ead27d0233b40 |
| SHA1 | 6e4841ff426ddbce06f0864520bc3a5e24fadeb5 |
| SHA256 | 273d9593822af78e4dd486fcefb2d664dd4ea2dc766534f0329b91483bdcada9 |
| SHA512 | b90d815124795d85c77198e1d5f40656012acfa5e4eb0089013f6d68010ce24bd51d360d21662808b52059bacb47fbb19550b14e0d77825b0465255578f1cf6b |
C:\Users\Admin\AppData\Local\Temp\248906074286
| MD5 | 2532f33b5213982f3a2195bd4dfdfcd9 |
| SHA1 | 5b30c24994726ef2258c1c48cc27fc5c1edd7f30 |
| SHA256 | c564e73adb96add3824715e92224bee4c7a7eb7e41c09f37f01dbe6eae0c65a6 |
| SHA512 | be670110f7540f1f628b5a70ab6d494b0d4d44bc1986a69ea6477769b6e03f330eb9dc950355863fb047d8aebaea3c1acc8c81ccc013c752d835affccac21424 |
memory/2472-49-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | f01f5bc76b9596e0cfeab8a272cba3a5 |
| SHA1 | 19cab1291e4e518ae636f2fb3d41567e4e6e4722 |
| SHA256 | 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938 |
| SHA512 | ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63 |
memory/2472-70-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2472-71-0x00000000008E0000-0x00000000009E0000-memory.dmp
memory/2472-82-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2472-93-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2044-97-0x00000000005F2000-0x000000000062D000-memory.dmp
memory/2044-96-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
| MD5 | 4194e9b8b694b1e9b672c36f0d868e32 |
| SHA1 | 252f27fe313c7bf8e9f36aef0c7b676383872efb |
| SHA256 | 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125 |
| SHA512 | f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7 |
memory/2472-112-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2472-117-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2472-122-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2472-130-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Roaming\ewgvvug
| MD5 | e88da5d3f528d78eabc2de83797c2195 |
| SHA1 | 7937c0b3fac48fa50aa74e80387a6ff6f463c978 |
| SHA256 | 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300 |
| SHA512 | 4dfb673cfab033d7d40ef383ef36841d3c8fd1a1f2c80bfd05c896aa3d9c38c08301d89e4543e9b300a44787c9a57a13e34654f5374d6788c1e56e37c69be9a9 |
memory/2604-137-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-138-0x0000000000500000-0x0000000000600000-memory.dmp
memory/2616-140-0x0000000002D20000-0x0000000002E20000-memory.dmp
memory/2616-141-0x0000000000400000-0x0000000002BF5000-memory.dmp
memory/1204-143-0x0000000002EC0000-0x0000000002ED6000-memory.dmp
memory/2616-144-0x0000000000400000-0x0000000002BF5000-memory.dmp
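The Files sections list each dropped artifact with its hashes, and a few of them only make sense side by side: the same Amadey payload appears under two names (7668.exe here, FD9A.exe in behavioral2), Utsysc.exe is written twice to the same directory with different content, and the extension-less file in AppData\Roaming carries the SHA256 the sandbox used as the primary process's image name. The script below is an added example, not part of this report or of Triage: it parses the path-plus-hash-table layout used above and answers those three questions over records copied from the page (SHA512 rows and two unrelated files omitted for brevity; the FD9A.exe record is copied only as far as the behavioral2 Files section carries it, MD5 and SHA1). The union of hash algorithms and the path normalisation are this example's own choices.

```python
"""Correlate a sandbox report's dropped-file records by content hash.

Added example, not part of the report: parses the path + hash-table layout of
the Files sections and reports same bytes under different names, same path
written with different bytes, and dropped files identical to the sample.
"""
import re

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
ALGS = ("SHA512", "SHA256", "SHA1", "MD5")   # strongest first; MD5 is collision-prone and only a fallback


def parse_files(text):
    """Return [{"path": ..., "MD5": ..., ...}] from the Files layout; memory dump lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_ROW.match(line)
        if m:
            if records:
                records[-1][m.group(1)] = m.group(2).lower()
        elif not line.startswith("|"):
            records.append({"path": line})
    return records


def normalize(path):
    """Drop an optional drive letter and case so '\\Users\\...' and 'C:\\Users\\...' compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def same_content_groups(records):
    """Union records sharing a hash value of the same algorithm; return groups of paths with size > 1."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for alg in ALGS:
        first_seen = {}
        for i, rec in enumerate(records):
            if alg in rec:
                j = first_seen.setdefault(rec[alg], i)
                parent[find(i)] = find(j)
    groups = {}
    for i, rec in enumerate(records):
        groups.setdefault(find(i), []).append(rec["path"])
    return sorted(g for g in groups.values() if len(g) > 1)


def rewritten_paths(records):
    """Paths recorded more than once with different content (a dropper updating its payload in place)."""
    by_path = {}
    for rec in records:
        by_path.setdefault(normalize(rec["path"]), []).append(rec)
    out = []
    for recs in by_path.values():
        if any(a[alg] != b[alg] for a in recs for b in recs for alg in ALGS if alg in a and alg in b):
            out.append(recs[0]["path"])
    return sorted(out)


def self_copies(records, sample_sha256):
    """Dropped files whose SHA256 equals the submitted sample: the loader copying itself for persistence."""
    return sorted(rec["path"] for rec in records if rec.get("SHA256") == sample_sha256.lower())


# Records copied from the Files sections of this report (subset).
SAMPLE_FILES = r"""
memory/1772-2-0x0000000000220000-0x000000000022B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7668.exe
| MD5 | e1dc6f36bc9f047f33b58c8c0fc2da89 |
| SHA1 | cf6dfe8eaa32971eb53f02d0dc7c8ac299968880 |
| SHA256 | 6f861ffc77ac6529a50211ae09d7bbdf27b97b73e17f9c4cdb397e39dc85a767 |
\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
| MD5 | 09d5a2daa014b5d40e7ce7154c0b8cd8 |
| SHA1 | f4d330c8fe5018f2c327b9118594dace43fc86a1 |
| SHA256 | 4b977e5546e773765fc8c528fae74a96ac6a380b1c7129df0ae8b119c539467a |
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
| MD5 | 444c85d855c718c2c26ead27d0233b40 |
| SHA1 | 6e4841ff426ddbce06f0864520bc3a5e24fadeb5 |
| SHA256 | 273d9593822af78e4dd486fcefb2d664dd4ea2dc766534f0329b91483bdcada9 |
C:\Users\Admin\AppData\Roaming\ewgvvug
| MD5 | e88da5d3f528d78eabc2de83797c2195 |
| SHA1 | 7937c0b3fac48fa50aa74e80387a6ff6f463c978 |
| SHA256 | 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300 |
C:\Users\Admin\AppData\Local\Temp\FD9A.exe
| MD5 | e1dc6f36bc9f047f33b58c8c0fc2da89 |
| SHA1 | cf6dfe8eaa32971eb53f02d0dc7c8ac299968880 |
"""

# SHA256 the sandbox used as the primary process's image name in the Processes section.
SAMPLE_SHA256 = "4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300"

if __name__ == "__main__":
    recs = parse_files(SAMPLE_FILES)
    print("same bytes, different names:", same_content_groups(recs))
    print("same path, different bytes: ", rewritten_paths(recs))
    print("self-copies of the sample:  ", self_copies(recs, SAMPLE_SHA256))
```

Grouping runs over every algorithm rather than one, so a record that only carries MD5 and SHA1 (as the truncated FD9A.exe entry does) still joins the group of the file it duplicates; when two records at the same path disagree on any algorithm they both carry, the path is reported as rewritten.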
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-16 04:27
Reported
2024-02-16 04:30
Platform
win10v2004-20231222-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Amadey
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FD9A.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FD9A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wgwdcje | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wgwdcje | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wgwdcje | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wgwdcje | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe | N/A |
62 further events with no description, indicator, process or target recorded.
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wgwdcje | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege (32 occurrences) | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege (32 occurrences) | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FD9A.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
"C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe"
C:\Users\Admin\AppData\Local\Temp\FD9A.exe
C:\Users\Admin\AppData\Local\Temp\FD9A.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1240
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4516 -ip 4516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1016
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1656
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2256 -ip 2256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 436
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1708
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4752 -ip 4752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 428
C:\Users\Admin\AppData\Roaming\wgwdcje
C:\Users\Admin\AppData\Roaming\wgwdcje
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 980
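The process lists of both detonations show the same three patterns worth a detection rule: schtasks creating a task that re-runs every minute from a %Temp% subfolder (Amadey persistence), rundll32 loading cred64.dll and clip64.dll out of a hex-named folder under AppData\Roaming, and an extension-less image (ewgvvug, wgwdcje) executed straight from AppData\Roaming. The script below is an added example, not part of this report or of Triage: three heuristic rules run over command lines copied from the Processes sections plus two constructed benign lines for contrast. The rule names, the USER_WRITABLE pattern and the argument parsing are this example's own assumptions and are not Triage signatures.

```python
"""Flag the persistence and plugin-loading patterns visible in the process list.

Added example, not part of the sandbox report: heuristic rules over command
lines copied from the Processes sections, with two constructed benign lines.
"""
import re
from dataclasses import dataclass

# Directories a standard user can write to; a task action or DLL staged here is suspect.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    rule: str
    command_line: str


def image_path(cmd: str) -> str:
    """First token of a command line, honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0]


def arguments(cmd: str) -> str:
    """Everything after the image path."""
    cmd = cmd.strip()
    img = image_path(cmd)
    skip = len(img) + 2 if cmd.startswith('"') else len(img)
    return cmd[skip:].strip()


def schtasks_minute_loop(cmd: str) -> bool:
    """schtasks /Create with a one-minute repeat whose /TR action lives in a user-writable directory.

    Matches the Amadey persistence above: /SC MINUTE /MO 1 ... /TR "<Temp>\\68fd3d7ade\\Utsysc.exe".
    """
    low = cmd.lower()
    if not image_path(cmd).lower().endswith("schtasks.exe") or "/create" not in low:
        return False
    if not re.search(r"/sc\s+minute\b", low) or not re.search(r"/mo\s+1\b", low):
        return False
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    target = (m.group(1) or m.group(2)) if m else ""
    return bool(USER_WRITABLE.search(target))


def rundll32_user_dll(cmd: str) -> bool:
    """rundll32 told to load a DLL from the user profile (the cred64.dll / clip64.dll plugins above)."""
    if not image_path(cmd).lower().endswith("rundll32.exe"):
        return False
    dll = arguments(cmd).split(",", 1)[0].strip().strip('"')
    return dll.lower().endswith(".dll") and bool(USER_WRITABLE.search(dll))


def extensionless_roaming_exec(cmd: str) -> bool:
    """An image run straight out of AppData\\Roaming with no file extension (ewgvvug / wgwdcje above)."""
    img = image_path(cmd)
    name = img.rsplit("\\", 1)[-1]
    return bool(re.search(r"\\AppData\\Roaming\\", img, re.IGNORECASE)) and "." not in name


RULES = {
    "schtasks_minute_loop": schtasks_minute_loop,
    "rundll32_user_dll": rundll32_user_dll,
    "extensionless_roaming_exec": extensionless_roaming_exec,
}


def scan(command_lines):
    """Return one Hit per (rule, command line) pair that fires, in input order."""
    return [Hit(name, cmd) for cmd in command_lines for name, fn in RULES.items() if fn(cmd)]


# Command lines copied from the Processes sections above, followed by two constructed benign ones.
SAMPLE = [
    r'"C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main',
    r'C:\Users\Admin\AppData\Roaming\ewgvvug',
    r'C:\Windows\system32\WerFault.exe -u -p 1908 -s 308',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe" /F',  # constructed
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',  # constructed
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"[{hit.rule}] {hit.command_line}")
```

The schtasks rule keys on the combination (minute-level repeat plus an action under %Temp% or %AppData%) rather than on the task name, since Utsysc.exe and the 68fd3d7ade folder name vary between Amadey builds; the rundll32 rule looks only at where the DLL lives, because a system DLL with an odd export name is common in legitimate use.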
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sjyey.com | udp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 112.84.119.211.in-addr.arpa | udp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | emgvod.com | udp |
| KR | 58.151.148.90:80 | emgvod.com | tcp |
| US | 8.8.8.8:53 | 90.148.151.58.in-addr.arpa | udp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | rimakc.ru | udp |
| US | 8.8.8.8:53 | anfesq.com | udp |
| US | 8.8.8.8:53 | cbinr.com | udp |
| RU | 91.189.114.4:80 | rimakc.ru | tcp |
| AR | 186.13.17.220:80 | cbinr.com | tcp |
| AR | 186.13.17.220:80 | cbinr.com | tcp |
| AR | 186.13.17.220:80 | cbinr.com | tcp |
| US | 8.8.8.8:53 | 220.17.13.186.in-addr.arpa | udp |
| RU | 91.189.114.4:80 | rimakc.ru | tcp |
| AR | 186.13.17.220:80 | cbinr.com | tcp |
| US | 8.8.8.8:53 | 4.114.189.91.in-addr.arpa | udp |
| RU | 91.189.114.4:80 | rimakc.ru | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | anfesq.com | udp |
| AR | 186.13.17.220:80 | cbinr.com | tcp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| US | 8.8.8.8:53 | arrunda.ru | udp |
| US | 8.8.8.8:53 | soetegem.com | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| US | 8.8.8.8:53 | arrunda.ru | udp |
| US | 8.8.8.8:53 | soetegem.com | udp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| US | 8.8.8.8:53 | arrunda.ru | udp |
| US | 8.8.8.8:53 | soetegem.com | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
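The Network table mixes resolver queries, reverse (PTR) lookups, direct connections and background Windows traffic, so pulling indicators out of it by hand is error-prone. The script below is an added example, not part of the report or any sandbox tool: SAMPLE_TABLE is an inline subset of the rows above (constructed here so the script runs offline), and RESOLVER and BENIGN_DOMAINS are assumptions about the analysis environment that must be tuned per sandbox. It also tolerates rows whose Domain cell is empty and whose columns shifted left, as happens in exported tables.

```python
"""Turn the sandbox Network table into a de-duplicated IOC set.

Added example, not part of the sandbox report or any tool's code.
SAMPLE_TABLE is an inline subset of the report's own rows (constructed here
so the script runs offline); RESOLVER and BENIGN_DOMAINS are assumptions
about the analysis environment and should be tuned per sandbox."""

SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sjyey.com | udp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | emgvod.com | udp |
| KR | 58.151.148.90:80 | emgvod.com | tcp |
| RU | 91.189.114.4:80 | rimakc.ru | tcp |
| AR | 186.13.17.220:80 | cbinr.com | tcp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| US | 204.79.197.200:443 | tcp | |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

RESOLVER = "8.8.8.8:53"                 # assumption: the sandbox's DNS forwarder
BENIGN_DOMAINS = {"tse1.mm.bing.net"}   # assumption: OS background traffic to drop
PTR_SUFFIX = ".in-addr.arpa"


def parse_table(text):
    """Parse pipe-delimited rows into dicts, tolerating a shifted row where an
    empty Domain cell pushed the protocol one column to the left."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and proto == "":
            domain, proto = "", domain
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """Invert a reverse-DNS name: 228.249.119.40.in-addr.arpa -> 40.119.249.228."""
    octets = name[: -len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(octets))


def extract_iocs(rows):
    """Split rows into queried domains, direct connections and PTR-derived IPs."""
    # Pass 1: remember which domain each destination was contacted under, so a
    # bare-IP row (no name recorded) inherits the label of its sibling rows.
    dest_domain = {}
    for r in rows:
        if r["domain"] and r["dest"] != RESOLVER and not r["domain"].endswith(PTR_SUFFIX):
            dest_domain.setdefault(r["dest"], r["domain"])

    domains, connections, ptr_ips = set(), set(), set()
    for r in rows:
        domain = r["domain"] or dest_domain.get(r["dest"], "")
        if domain.endswith(PTR_SUFFIX):
            ptr_ips.add(ptr_to_ip(domain))   # reverse lookups name IPs, not C2 hosts
            continue
        if domain in BENIGN_DOMAINS:
            continue
        if r["dest"] == RESOLVER:
            if domain:
                domains.add(domain)          # a DNS query, not a connection
            continue
        connections.add((r["dest"], domain or None))
        if domain:
            domains.add(domain)

    contacted = {d for _, d in connections if d}
    return {
        "domains": domains,
        "connections": connections,
        "ptr_ips": ptr_ips,
        # Resolved but never connected: dead or fallback C2 candidates worth blocking too.
        "queried_only": domains - contacted,
    }


if __name__ == "__main__":
    iocs = extract_iocs(parse_table(SAMPLE_TABLE))
    for key, values in iocs.items():
        print(key, sorted(values, key=str))
```

Run over the full table on this page, the same logic separates the four hosts the sample actually connected to (sjyey.com, emgvod.com, rimakc.ru, cbinr.com) from the names it only resolved (anfesq.com, tceducn.com, arrunda.ru, soetegem.com), which have no tcp rows and are the ones to treat as fallback C2 candidates; the PTR rows collapse into the IPs the OS looked up rather than adding noise to the domain list.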
Files
memory/460-1-0x0000000002D40000-0x0000000002E40000-memory.dmp
memory/460-2-0x0000000004800000-0x000000000480B000-memory.dmp
memory/460-3-0x0000000000400000-0x0000000002BF5000-memory.dmp
memory/3568-4-0x0000000002EC0000-0x0000000002ED6000-memory.dmp
memory/460-5-0x0000000000400000-0x0000000002BF5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FD9A.exe
| MD5 | e1dc6f36bc9f047f33b58c8c0fc2da89 |
| SHA1 | cf6dfe8eaa32971eb53f02d0dc7c8ac299968880 |
| SHA256 | 6f861ffc77ac6529a50211ae09d7bbdf27b97b73e17f9c4cdb397e39dc85a767 |
| SHA512 | 6387d154ca10f44aa3abb8ef9b653c99b7fa583d152ef51b5091fccce085c6459ecc799f0491e8e3fe197f8bcd30af2d6c8fae3973311b05930fd444be962f92 |
memory/4516-16-0x00000000004B0000-0x00000000005B0000-memory.dmp
memory/4516-17-0x0000000002100000-0x000000000216F000-memory.dmp
memory/4516-18-0x0000000000400000-0x0000000000471000-memory.dmp
memory/4380-31-0x0000000000560000-0x0000000000660000-memory.dmp
memory/4380-32-0x0000000002080000-0x00000000020EF000-memory.dmp
memory/4380-33-0x0000000000400000-0x0000000000471000-memory.dmp
memory/4516-34-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\168293393341
| MD5 | c14992cb22fef908fc497df941d768e6 |
| SHA1 | 881298165b701256d59836666f265a2e4c88e12a |
| SHA256 | 2f03cf4c908d7e5a04e07f5f1d62c230712c86845cbb9bdceac96d67b216cd99 |
| SHA512 | 4fa823bff2eae4ed2dd4b2f7d3a2cd44d13853269c0a2dc57047516fcf17058fcbc135518d84e206aa3dcc54aeba51359ef3b2d991a2dd8e90b733b6f84bf8c1 |
memory/4380-43-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | 21162a10cfbe28a6dddec62b295e7a0c |
| SHA1 | 6d558e3e98ca57a4023c5399e6ff487b19d0929b |
| SHA256 | 8a04438efe870069b1e76901fc45d488407960fc0ced4d65a0ade1e4547c0bd4 |
| SHA512 | 99b3abaa54d1beca5d4ad57cd015e5ebb761e3cb93e8dd6d710f315e3801eec2c433d3d27ebfec0bb8e7e4efbd5ab7666a8356eef574c1e83e238746673a79b1 |
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | a8193603af313c5d7398117d1ed7a79b |
| SHA1 | 5bc3f12c5bd68f8ac7fa44046c03f57f38ba0097 |
| SHA256 | 6d36855190d24614294d487f04e998df81c6f51f4004bdcf9c7613e63bf276e1 |
| SHA512 | b078e1123339f53396fb59b55b3c8d34fefb6fadb558349e41721b73923997ee4f605d86a0d2be8cc7674effaae0853e96644b66155f56b80133671bf0ab0b49 |
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | 10f46f631441fafceebe3f50adf3483a |
| SHA1 | 71a4db8677564916987c9decdf700d7cf6c03382 |
| SHA256 | 29e37e287e327f5091e17470bdd8649e6988ae12e45e363d40bebfd8aebd31bf |
| SHA512 | f9532dab7e45e0092a795e8ac5d6d85bd49de1eaaba4463442f81f4287ac669a9bbf62db7213ebf7abc11be083793242edbecbf8261d7da97af2e88a73a8a567 |
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | aa5eaea51f4d7d8c2266caddc66209d1 |
| SHA1 | a329a90a9fa629a00dddfd5f38630a09bbdd3e3b |
| SHA256 | f801137022a6cdc6be2051e1eaf6b6c5e625d9c5dcf4eb3f2b1cfde2813487a7 |
| SHA512 | 71f963107461bc825be2789f865e2dea60d85edc82c8172b65443cb852c4bccce42eb2b1d04255d9388ac02d0549b766fc78b1ce6280d8e730f438201bf919d2 |
memory/4380-56-0x0000000000560000-0x0000000000660000-memory.dmp
memory/4380-57-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | 1423eaf8ec15936e9b5ce5839da6ea5d |
| SHA1 | 8ff8b0caccf59b4870f4ccf1ed79d2bb20583c63 |
| SHA256 | 7ecd3999f782ab8692b1a8ae78ba6809866ba0d9ec040bc4017c7336b8387b29 |
| SHA512 | 25a4a9c75c58a843d84d4092897279d4e320ddb5860d252e0a6037ec29c952d07dfd98074716ff5f407e70112f82d91b5524b49aedd1e7c9c3eb5d476b5b2358 |
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | fca02dd2d6de2c1e8d657f57fbb342bc |
| SHA1 | 22901e002420f9a68ad8986bfdda0eebdcfd392e |
| SHA256 | 27aadc733207e0c5f22e6582e08815d36418d723986353b5925654514e305fa0 |
| SHA512 | bf047daddaa4bb177aa60b7c60e7a00096545c19656633027e70cadaeaeed3bd1f3d3312ec928ba366260ded9b5106faeffe333928db78f6d1c3ff5e5423e635 |
memory/4380-60-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2256-63-0x0000000000780000-0x0000000000880000-memory.dmp
memory/2256-64-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | f01f5bc76b9596e0cfeab8a272cba3a5 |
| SHA1 | 19cab1291e4e518ae636f2fb3d41567e4e6e4722 |
| SHA256 | 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938 |
| SHA512 | ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63 |
memory/4380-68-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
| MD5 | 4194e9b8b694b1e9b672c36f0d868e32 |
| SHA1 | 252f27fe313c7bf8e9f36aef0c7b676383872efb |
| SHA256 | 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125 |
| SHA512 | f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7 |
memory/4380-87-0x0000000000400000-0x0000000000471000-memory.dmp
memory/4380-89-0x0000000000400000-0x0000000000471000-memory.dmp
memory/4380-92-0x0000000000400000-0x0000000000471000-memory.dmp
memory/4752-96-0x00000000004D0000-0x00000000005D0000-memory.dmp
memory/4752-97-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Roaming\wgwdcje
| MD5 | e88da5d3f528d78eabc2de83797c2195 |
| SHA1 | 7937c0b3fac48fa50aa74e80387a6ff6f463c978 |
| SHA256 | 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300 |
| SHA512 | 4dfb673cfab033d7d40ef383ef36841d3c8fd1a1f2c80bfd05c896aa3d9c38c08301d89e4543e9b300a44787c9a57a13e34654f5374d6788c1e56e37c69be9a9 |
memory/3692-102-0x0000000002D80000-0x0000000002E80000-memory.dmp
memory/3692-103-0x0000000000400000-0x0000000002BF5000-memory.dmp
memory/3568-105-0x0000000002A90000-0x0000000002AA6000-memory.dmp
memory/3692-108-0x0000000000400000-0x0000000002BF5000-memory.dmp