Malware Analysis Report

2024-11-13 18:56

Sample ID 240216-v22h3aec26
Target 09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd
SHA256 09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd
Tags
amadey smokeloader pub3 backdoor spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd

Threat Level: Known bad

The file 09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd was found to be: Known bad.

Malicious Activity Summary

amadey smokeloader pub3 backdoor spyware stealer trojan

SmokeLoader

Amadey

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-16 17:29

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-16 17:29

Reported

2024-02-16 17:32

Platform

win7-20231215-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe"

Signatures

Amadey

trojan amadey

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D807.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D807.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 2724 N/A N/A C:\Users\Admin\AppData\Local\Temp\D807.exe
PID 2724 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\D807.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 3024 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe
PID 3024 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 1640 wrote to memory of 1956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1956 wrote to memory of 1608 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3024 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 804 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 804 wrote to memory of 1720 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2388 wrote to memory of 2960 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 3024 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 832 wrote to memory of 788 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 788 wrote to memory of 840 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3024 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe

"C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe"

C:\Users\Admin\AppData\Local\Temp\D807.exe

C:\Users\Admin\AppData\Local\Temp\D807.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1956 -s 312

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 804 -s 312

C:\Windows\system32\taskeng.exe

taskeng.exe {997A4797-00DD-40E6-8101-0A98043395B0} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 788 -s 312

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\D807.exe

C:\Users\Admin\AppData\Local\Temp\427588347149

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-16 17:29

Reported

2024-02-16 17:32

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe"

Signatures

Amadey

trojan amadey

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B68E.exe N/A

Deletes itself

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\B68E.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B68E.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3524 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\Temp\B68E.exe
PID 3524 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\Temp\B68E.exe
PID 3524 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\Temp\B68E.exe
PID 5108 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\B68E.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 5108 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\B68E.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 5108 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\B68E.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 5020 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe
PID 5020 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe
PID 5020 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe
PID 5020 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 4780 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2288 wrote to memory of 4780 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 5020 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4304 wrote to memory of 3212 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4304 wrote to memory of 3212 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 5020 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5108 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 5108 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 5020 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5020 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe

"C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe"

C:\Users\Admin\AppData\Local\Temp\B68E.exe

C:\Users\Admin\AppData\Local\Temp\B68E.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1564

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1020

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1532

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 452

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1652

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1052

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 sjyey.com udp
AR 186.13.17.220:80 sjyey.com tcp
AR 186.13.17.220:80 sjyey.com tcp
US 8.8.8.8:53 220.17.13.186.in-addr.arpa udp
AR 186.13.17.220:80 sjyey.com tcp
AR 186.13.17.220:80 sjyey.com tcp
US 8.8.8.8:53 emgvod.com udp
PA 190.219.88.10:80 emgvod.com tcp
US 8.8.8.8:53 10.88.219.190.in-addr.arpa udp
AR 186.13.17.220:80 sjyey.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
AR 186.13.17.220:80 sjyey.com tcp
AR 186.13.17.220:80 sjyey.com tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
AR 186.13.17.220:80 sjyey.com tcp
AR 186.13.17.220:80 sjyey.com tcp
US 8.8.8.8:53 rimakc.ru udp
US 8.8.8.8:53 cbinr.com udp
US 8.8.8.8:53 anfesq.com udp
UZ 195.158.3.162:80 cbinr.com tcp
UZ 195.158.3.162:80 cbinr.com tcp
RU 91.189.114.4:80 rimakc.ru tcp
UZ 195.158.3.162:80 cbinr.com tcp
US 8.8.8.8:53 4.114.189.91.in-addr.arpa udp
US 8.8.8.8:53 162.3.158.195.in-addr.arpa udp
US 8.8.8.8:53 anfesq.com udp
UZ 195.158.3.162:80 cbinr.com tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
UZ 195.158.3.162:80 cbinr.com tcp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp

Files

memory/4968-1-0x0000000002F00000-0x0000000003000000-memory.dmp

memory/4968-2-0x0000000002E80000-0x0000000002E8B000-memory.dmp

memory/4968-3-0x0000000000400000-0x0000000002BE0000-memory.dmp

memory/3524-4-0x00000000023D0000-0x00000000023E6000-memory.dmp

memory/4968-5-0x0000000000400000-0x0000000002BE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B68E.exe

MD5 f6de33f10f890cd3491cb218269b9200
SHA1 47e4616e96c9a4d52ae8002a083b6886078b0742
SHA256 3ed25603de60da1f4f055ef3496b58c26149563b19d0f7460c7b958db8aca190
SHA512 0c8eb82689e386bd2099a38e026dd63f91e5bd652c2c2fee7d8c7e76ece62296682d138da9e7792313c4b2a8ce32250e496caf0b7dd39920d040f209f51f61b4

memory/5108-16-0x0000000002ED0000-0x0000000002FD0000-memory.dmp

memory/5108-17-0x0000000004870000-0x00000000048DF000-memory.dmp

memory/5108-18-0x0000000000400000-0x0000000002C16000-memory.dmp

memory/5020-34-0x0000000002F30000-0x0000000003030000-memory.dmp

memory/5020-35-0x0000000004910000-0x000000000497F000-memory.dmp

memory/5020-36-0x0000000000400000-0x0000000002C16000-memory.dmp

memory/5108-37-0x0000000000400000-0x0000000002C16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\497073144238

MD5 314955e83013d35cb2dd458f814733eb
SHA1 26ada8e47c238d63e3eb1fdae7e3044b17123b9d
SHA256 ef403b0ded17240fa0e24c1840593bcfc6e6f69547e0ad5cd34791f640c3eb8e
SHA512 a42472d1a8b0b9454dc3a638eabcdea4d7cf122bb1ddfd272da3c943c4b0377627d4c443354e9bb38fb71145f58f0230d86d1782729798aa2de335640601f18f

memory/5020-53-0x0000000000400000-0x0000000002C16000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 f01f5bc76b9596e0cfeab8a272cba3a5
SHA1 19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512 ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

memory/5020-66-0x0000000000400000-0x0000000002C16000-memory.dmp

memory/5020-67-0x0000000002F30000-0x0000000003030000-memory.dmp

memory/3960-72-0x0000000002C90000-0x0000000002D90000-memory.dmp

memory/3960-73-0x0000000000400000-0x0000000002C16000-memory.dmp

memory/5020-74-0x0000000000400000-0x0000000002C16000-memory.dmp

memory/5020-78-0x0000000000400000-0x0000000002C16000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

MD5 4194e9b8b694b1e9b672c36f0d868e32
SHA1 252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512 f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

memory/5020-90-0x0000000000400000-0x0000000002C16000-memory.dmp

memory/5020-93-0x0000000000400000-0x0000000002C16000-memory.dmp

memory/5020-95-0x0000000000400000-0x0000000002C16000-memory.dmp

memory/4352-98-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

memory/4352-99-0x0000000000400000-0x0000000002C16000-memory.dmp