Malware Analysis Report

2024-11-13 18:57

Sample ID 240216-e3gx2saa42
Target e88da5d3f528d78eabc2de83797c2195.bin
SHA256 7ae7f99dc8e7bb45c91c1f1721bf959e2a5a368f7f9106b8a6a93c8956c84580
Tags
amadey smokeloader pub3 backdoor spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ae7f99dc8e7bb45c91c1f1721bf959e2a5a368f7f9106b8a6a93c8956c84580

Threat Level: Known bad

The file e88da5d3f528d78eabc2de83797c2195.bin was found to be: Known bad.

Malicious Activity Summary

amadey smokeloader pub3 backdoor spyware stealer trojan

Amadey

SmokeLoader

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-16 04:27

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-02-16 04:27

Reported

2024-02-16 04:30

Platform

win7-20240215-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe"

Signatures

Amadey

trojan amadey

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself


Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7668.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ewgvvug N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ewgvvug N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ewgvvug N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ewgvvug N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7668.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 3016 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 2472 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe
PID 2472 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 808 wrote to memory of 1908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1908 wrote to memory of 1688 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2472 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 2080 wrote to memory of 2284 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2284 wrote to memory of 2988 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2472 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 480 wrote to memory of 692 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 692 wrote to memory of 936 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 312 wrote to memory of 2044 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 2472 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe

"C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe"

C:\Users\Admin\AppData\Local\Temp\7668.exe

C:\Users\Admin\AppData\Local\Temp\7668.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1908 -s 308

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2284 -s 308

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 692 -s 308

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {9CB2A9A6-7D71-463F-9F3A-5208CCC5E9E3} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Roaming\ewgvvug

C:\Users\Admin\AppData\Roaming\ewgvvug

Network


Files

C:\Users\Admin\AppData\Local\Temp\7668.exe

MD5 e1dc6f36bc9f047f33b58c8c0fc2da89
SHA1 cf6dfe8eaa32971eb53f02d0dc7c8ac299968880
SHA256 6f861ffc77ac6529a50211ae09d7bbdf27b97b73e17f9c4cdb397e39dc85a767
SHA512 6387d154ca10f44aa3abb8ef9b653c99b7fa583d152ef51b5091fccce085c6459ecc799f0491e8e3fe197f8bcd30af2d6c8fae3973311b05930fd444be962f92

\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

MD5 09d5a2daa014b5d40e7ce7154c0b8cd8
SHA1 f4d330c8fe5018f2c327b9118594dace43fc86a1
SHA256 4b977e5546e773765fc8c528fae74a96ac6a380b1c7129df0ae8b119c539467a
SHA512 30b6f46f02839174b846c351c0e8638fd0a60ca78d3e482ec185c195762863819b8144904b8687dbf86767521b4775563cb3eb117380550181ffe0cb35e15700

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

MD5 444c85d855c718c2c26ead27d0233b40
SHA1 6e4841ff426ddbce06f0864520bc3a5e24fadeb5
SHA256 273d9593822af78e4dd486fcefb2d664dd4ea2dc766534f0329b91483bdcada9
SHA512 b90d815124795d85c77198e1d5f40656012acfa5e4eb0089013f6d68010ce24bd51d360d21662808b52059bacb47fbb19550b14e0d77825b0465255578f1cf6b

C:\Users\Admin\AppData\Local\Temp\248906074286

MD5 2532f33b5213982f3a2195bd4dfdfcd9
SHA1 5b30c24994726ef2258c1c48cc27fc5c1edd7f30
SHA256 c564e73adb96add3824715e92224bee4c7a7eb7e41c09f37f01dbe6eae0c65a6
SHA512 be670110f7540f1f628b5a70ab6d494b0d4d44bc1986a69ea6477769b6e03f330eb9dc950355863fb047d8aebaea3c1acc8c81ccc013c752d835affccac21424

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 f01f5bc76b9596e0cfeab8a272cba3a5
SHA1 19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512 ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

MD5 4194e9b8b694b1e9b672c36f0d868e32
SHA1 252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512 f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

C:\Users\Admin\AppData\Roaming\ewgvvug

MD5 e88da5d3f528d78eabc2de83797c2195
SHA1 7937c0b3fac48fa50aa74e80387a6ff6f463c978
SHA256 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300
SHA512 4dfb673cfab033d7d40ef383ef36841d3c8fd1a1f2c80bfd05c896aa3d9c38c08301d89e4543e9b300a44787c9a57a13e34654f5374d6788c1e56e37c69be9a9

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-16 04:27

Reported

2024-02-16 04:30

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe"

Signatures

Amadey

trojan amadey

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FD9A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe N/A

Deletes itself


Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\FD9A.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wgwdcje N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wgwdcje N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wgwdcje N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wgwdcje N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FD9A.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3568 wrote to memory of 4516 N/A N/A C:\Users\Admin\AppData\Local\Temp\FD9A.exe
PID 3568 wrote to memory of 4516 N/A N/A C:\Users\Admin\AppData\Local\Temp\FD9A.exe
PID 3568 wrote to memory of 4516 N/A N/A C:\Users\Admin\AppData\Local\Temp\FD9A.exe
PID 4516 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\FD9A.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 4516 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\FD9A.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 4516 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\FD9A.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 4380 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe
PID 4380 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe
PID 4380 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe
PID 4380 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 3612 wrote to memory of 2512 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3612 wrote to memory of 2512 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4380 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 2264 wrote to memory of 1508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2264 wrote to memory of 1508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4380 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 3300 wrote to memory of 5080 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 3300 wrote to memory of 5080 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4380 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4380 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe

"C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe"

C:\Users\Admin\AppData\Local\Temp\FD9A.exe

C:\Users\Admin\AppData\Local\Temp\FD9A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1240

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1016

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1656

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2256 -ip 2256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 436

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1708

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4752 -ip 4752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 428

C:\Users\Admin\AppData\Roaming\wgwdcje

C:\Users\Admin\AppData\Roaming\wgwdcje

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 980

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 sjyey.com udp
KR 211.119.84.112:80 sjyey.com tcp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 112.84.119.211.in-addr.arpa udp
KR 211.119.84.112:80 sjyey.com tcp
KR 211.119.84.112:80 sjyey.com tcp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 emgvod.com udp
KR 58.151.148.90:80 emgvod.com tcp
US 8.8.8.8:53 90.148.151.58.in-addr.arpa udp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
KR 211.119.84.112:80 sjyey.com tcp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 rimakc.ru udp
US 8.8.8.8:53 anfesq.com udp
US 8.8.8.8:53 cbinr.com udp
RU 91.189.114.4:80 rimakc.ru tcp
AR 186.13.17.220:80 cbinr.com tcp
AR 186.13.17.220:80 cbinr.com tcp
AR 186.13.17.220:80 cbinr.com tcp
US 8.8.8.8:53 220.17.13.186.in-addr.arpa udp
RU 91.189.114.4:80 rimakc.ru tcp
AR 186.13.17.220:80 cbinr.com tcp
US 8.8.8.8:53 4.114.189.91.in-addr.arpa udp
RU 91.189.114.4:80 rimakc.ru tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 anfesq.com udp
AR 186.13.17.220:80 cbinr.com tcp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/460-1-0x0000000002D40000-0x0000000002E40000-memory.dmp

memory/460-2-0x0000000004800000-0x000000000480B000-memory.dmp

memory/460-3-0x0000000000400000-0x0000000002BF5000-memory.dmp

memory/3568-4-0x0000000002EC0000-0x0000000002ED6000-memory.dmp

memory/460-5-0x0000000000400000-0x0000000002BF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD9A.exe

MD5 e1dc6f36bc9f047f33b58c8c0fc2da89
SHA1 cf6dfe8eaa32971eb53f02d0dc7c8ac299968880
SHA256 6f861ffc77ac6529a50211ae09d7bbdf27b97b73e17f9c4cdb397e39dc85a767
SHA512 6387d154ca10f44aa3abb8ef9b653c99b7fa583d152ef51b5091fccce085c6459ecc799f0491e8e3fe197f8bcd30af2d6c8fae3973311b05930fd444be962f92

memory/4516-16-0x00000000004B0000-0x00000000005B0000-memory.dmp

memory/4516-17-0x0000000002100000-0x000000000216F000-memory.dmp

memory/4516-18-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4380-31-0x0000000000560000-0x0000000000660000-memory.dmp

memory/4380-32-0x0000000002080000-0x00000000020EF000-memory.dmp

memory/4380-33-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4516-34-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\168293393341

MD5 c14992cb22fef908fc497df941d768e6
SHA1 881298165b701256d59836666f265a2e4c88e12a
SHA256 2f03cf4c908d7e5a04e07f5f1d62c230712c86845cbb9bdceac96d67b216cd99
SHA512 4fa823bff2eae4ed2dd4b2f7d3a2cd44d13853269c0a2dc57047516fcf17058fcbc135518d84e206aa3dcc54aeba51359ef3b2d991a2dd8e90b733b6f84bf8c1

memory/4380-43-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 21162a10cfbe28a6dddec62b295e7a0c
SHA1 6d558e3e98ca57a4023c5399e6ff487b19d0929b
SHA256 8a04438efe870069b1e76901fc45d488407960fc0ced4d65a0ade1e4547c0bd4
SHA512 99b3abaa54d1beca5d4ad57cd015e5ebb761e3cb93e8dd6d710f315e3801eec2c433d3d27ebfec0bb8e7e4efbd5ab7666a8356eef574c1e83e238746673a79b1

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 a8193603af313c5d7398117d1ed7a79b
SHA1 5bc3f12c5bd68f8ac7fa44046c03f57f38ba0097
SHA256 6d36855190d24614294d487f04e998df81c6f51f4004bdcf9c7613e63bf276e1
SHA512 b078e1123339f53396fb59b55b3c8d34fefb6fadb558349e41721b73923997ee4f605d86a0d2be8cc7674effaae0853e96644b66155f56b80133671bf0ab0b49

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 10f46f631441fafceebe3f50adf3483a
SHA1 71a4db8677564916987c9decdf700d7cf6c03382
SHA256 29e37e287e327f5091e17470bdd8649e6988ae12e45e363d40bebfd8aebd31bf
SHA512 f9532dab7e45e0092a795e8ac5d6d85bd49de1eaaba4463442f81f4287ac669a9bbf62db7213ebf7abc11be083793242edbecbf8261d7da97af2e88a73a8a567

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 aa5eaea51f4d7d8c2266caddc66209d1
SHA1 a329a90a9fa629a00dddfd5f38630a09bbdd3e3b
SHA256 f801137022a6cdc6be2051e1eaf6b6c5e625d9c5dcf4eb3f2b1cfde2813487a7
SHA512 71f963107461bc825be2789f865e2dea60d85edc82c8172b65443cb852c4bccce42eb2b1d04255d9388ac02d0549b766fc78b1ce6280d8e730f438201bf919d2

memory/4380-56-0x0000000000560000-0x0000000000660000-memory.dmp

memory/4380-57-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 1423eaf8ec15936e9b5ce5839da6ea5d
SHA1 8ff8b0caccf59b4870f4ccf1ed79d2bb20583c63
SHA256 7ecd3999f782ab8692b1a8ae78ba6809866ba0d9ec040bc4017c7336b8387b29
SHA512 25a4a9c75c58a843d84d4092897279d4e320ddb5860d252e0a6037ec29c952d07dfd98074716ff5f407e70112f82d91b5524b49aedd1e7c9c3eb5d476b5b2358

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 fca02dd2d6de2c1e8d657f57fbb342bc
SHA1 22901e002420f9a68ad8986bfdda0eebdcfd392e
SHA256 27aadc733207e0c5f22e6582e08815d36418d723986353b5925654514e305fa0
SHA512 bf047daddaa4bb177aa60b7c60e7a00096545c19656633027e70cadaeaeed3bd1f3d3312ec928ba366260ded9b5106faeffe333928db78f6d1c3ff5e5423e635

memory/4380-60-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2256-63-0x0000000000780000-0x0000000000880000-memory.dmp

memory/2256-64-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 f01f5bc76b9596e0cfeab8a272cba3a5
SHA1 19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512 ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

memory/4380-68-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

MD5 4194e9b8b694b1e9b672c36f0d868e32
SHA1 252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512 f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

memory/4380-87-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4380-89-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4380-92-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4752-96-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/4752-97-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\wgwdcje

MD5 e88da5d3f528d78eabc2de83797c2195
SHA1 7937c0b3fac48fa50aa74e80387a6ff6f463c978
SHA256 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300
SHA512 4dfb673cfab033d7d40ef383ef36841d3c8fd1a1f2c80bfd05c896aa3d9c38c08301d89e4543e9b300a44787c9a57a13e34654f5374d6788c1e56e37c69be9a9

memory/3692-102-0x0000000002D80000-0x0000000002E80000-memory.dmp

memory/3692-103-0x0000000000400000-0x0000000002BF5000-memory.dmp

memory/3568-105-0x0000000002A90000-0x0000000002AA6000-memory.dmp

memory/3692-108-0x0000000000400000-0x0000000002BF5000-memory.dmp