Analysis Overview
SHA256
09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd
Threat Level: Known bad
The file 09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Amadey
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Deletes itself
Reads user/profile data of web browsers
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-16 17:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-16 17:29
Reported
2024-02-16 17:32
Platform
win7-20231215-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Amadey
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D807.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D807.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | "C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe" |
| C:\Users\Admin\AppData\Local\Temp\D807.exe | C:\Users\Admin\AppData\Local\Temp\D807.exe |
| C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main |
| C:\Windows\system32\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 1956 -s 312 |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main |
| C:\Windows\system32\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 804 -s 312 |
| C:\Windows\system32\taskeng.exe | taskeng.exe {997A4797-00DD-40E6-8101-0A98043395B0} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main |
| C:\Windows\system32\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 788 -s 312 |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main |
| C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sjyey.com | udp |
| MX | 201.119.102.122:80 | sjyey.com | tcp |
| MX | 201.119.102.122:80 | sjyey.com | tcp |
| MX | 201.119.102.122:80 | sjyey.com | tcp |
| MX | 201.119.102.122:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | emgvod.com | udp |
| KR | 211.119.84.112:80 | emgvod.com | tcp |
| MX | 201.119.102.122:80 | sjyey.com | tcp |
| MX | 201.119.102.122:80 | sjyey.com | tcp |
| MX | 201.119.102.122:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | rimakc.ru | udp |
| US | 8.8.8.8:53 | cbinr.com | udp |
| US | 8.8.8.8:53 | anfesq.com | udp |
| RU | 91.189.114.4:80 | rimakc.ru | tcp |
| MX | 201.119.102.122:80 | cbinr.com | tcp |
| UZ | 195.158.3.162:80 | cbinr.com | tcp |
| UZ | 195.158.3.162:80 | cbinr.com | tcp |
| UZ | 195.158.3.162:80 | cbinr.com | tcp |
| MX | 201.119.102.122:80 | cbinr.com | tcp |
| US | 8.8.8.8:53 | anfesq.com | udp |
| UZ | 195.158.3.162:80 | cbinr.com | tcp |
| US | 8.8.8.8:53 | anfesq.com | udp |
| UZ | 195.158.3.162:80 | cbinr.com | tcp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| US | 8.8.8.8:53 | arrunda.ru | udp |
| US | 8.8.8.8:53 | soetegem.com | udp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| US | 8.8.8.8:53 | arrunda.ru | udp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| US | 8.8.8.8:53 | arrunda.ru | udp |
| US | 8.8.8.8:53 | soetegem.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\D807.exe
| MD5 | f6de33f10f890cd3491cb218269b9200 |
| SHA1 | 47e4616e96c9a4d52ae8002a083b6886078b0742 |
| SHA256 | 3ed25603de60da1f4f055ef3496b58c26149563b19d0f7460c7b958db8aca190 |
| SHA512 | 0c8eb82689e386bd2099a38e026dd63f91e5bd652c2c2fee7d8c7e76ece62296682d138da9e7792313c4b2a8ce32250e496caf0b7dd39920d040f209f51f61b4 |
C:\Users\Admin\AppData\Local\Temp\427588347149
| MD5 | 0d17bb156f56bb22333ba8a7b5b1f9e6 |
| SHA1 | 1ab9ef9c0927e78ff2c74f1ff7400aadfdf978cc |
| SHA256 | f2fc9108148999e9e4da81d76cc6e3efa5bf432a2c8535de8e1c2e73b12bd2dd |
| SHA512 | d4ddcdb5179a1e623789c891714bab531e53d20742de459bda54aa71ef613d13b679045f0f72cdc839c62374f7a425cf43a5078f63debc402d64dfc7a47c566f |
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | f01f5bc76b9596e0cfeab8a272cba3a5 |
| SHA1 | 19cab1291e4e518ae636f2fb3d41567e4e6e4722 |
| SHA256 | 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938 |
| SHA512 | ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63 |
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | 37e63740e52383c62de449e85c6c29da |
| SHA1 | 14305dc2bf941c81a6148f5929aac0a665a9b999 |
| SHA256 | a4d17349ef52297d701a92b14e38599159471eeb9538e0b65396052f7e591cc0 |
| SHA512 | 8be7a33123fc06a90c815e27e79741c88795a14a4fee7e9643d1433fabae0a6cf9bb6e1b6f64aab869f06dd2616d9c3670739da58cbc0bf6ccb5778130136b3f |
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | d5fd87602c58b9606302a094e93c259e |
| SHA1 | d27b267ce8cd5169a27d7b4064ff585442b3cbf9 |
| SHA256 | 82fa8909ddefad9457a3c0f7d7967c661bc7f42f3e303a7ce4ab7a4f08b24fb6 |
| SHA512 | ca32f7f694bc5ad2471fbdd4535c4327306d8a53533dfc74f4ca683a7e72f3711bbc60101dc6546af58035bb8edb71b44596832231c68797ed83534dc5b17775 |
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | 234d14c30242cbcab033c2643ff6ed5b |
| SHA1 | 872e049593a042b5b60778ee880bc482fdf47010 |
| SHA256 | 1145f34b1a1af22e900de9d1ba58fead4380cb2c527515cadc090fa076028721 |
| SHA512 | 066e433ac9c488d1078e54340319a89afda2f40192771c01d46a42ac2e480d2c682ef23d822b2f60f33a2d49c1c97c8a034430dadef417627e57b6733cf315b3 |
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | 9e2c6b1746252312c26ea5932ea50276 |
| SHA1 | a76a69375392c6ffa22e813f001cab28f302d463 |
| SHA256 | 3a595a0ab8c850cc7be91df8e984e4731d681db0418a781d588200609422b367 |
| SHA512 | 4c65419b2a749ca4b82ef0c3709c63861ec40a42b6b88be4502a953fb4d7fdc52016b4816ec6f67e8f677450b4328807b55a6ab28f79ea0147900369c53e4e34 |
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | 1b2d9f4d585ec25a019d37b68b27a0fb |
| SHA1 | 6d85693fb876d02a76a414a3dac86ba6a5cfaa4c |
| SHA256 | 358f2fa639c8257f62bbdf1248a4b5314b373bc8d518ed3d33d30321e472c674 |
| SHA512 | 110760a43dc6a2e957d95cbb659fc4a8e5aa6cb6fa7d259679ea329d23733cdf28c0aff7df413527deac24ffc8afce45ff5fbcde07f7176a572f42f53d5be5bf |
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | 4bb63be223a25221f7bb6842ae82fb23 |
| SHA1 | ec7cd62e6daf98d865bbdc98ac146d09156876c3 |
| SHA256 | a15c8ccda5610fcb7b3de92969bf9e3d3230c79a69ce7b2f446f697b39923385 |
| SHA512 | 642d55aa55eeda0648fb06661b79bdb5c26f5e5477ec52e068ea25e95bed23e82bb9d2df1c766a2a8c51d26dc979509e97a37ad300c5d278b41c1eadb6717dcf |
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
| MD5 | 4194e9b8b694b1e9b672c36f0d868e32 |
| SHA1 | 252f27fe313c7bf8e9f36aef0c7b676383872efb |
| SHA256 | 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125 |
| SHA512 | f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-16 17:29
Reported
2024-02-16 17:32
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Amadey
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\B68E.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B68E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B68E.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe | "C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe" |
| C:\Users\Admin\AppData\Local\Temp\B68E.exe | C:\Users\Admin\AppData\Local\Temp\B68E.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5108 -ip 5108 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 592 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5108 -ip 5108 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 664 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5108 -ip 5108 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 732 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5108 -ip 5108 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 844 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5108 -ip 5108 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 732 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5108 -ip 5108 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 872 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5108 -ip 5108 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1104 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5108 -ip 5108 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1104 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5108 -ip 5108 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1196 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5108 -ip 5108 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1552 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 5108 -ip 5108 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1564 |
| C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 5108 -ip 5108 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 772 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 616 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5108 -ip 5108 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1156 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 760 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 760 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 964 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 972 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 996 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1020 |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 908 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 616 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 852 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1176 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1192 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 848 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1216 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1284 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1304 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1416 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1724 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1532 |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main |
| C:\Windows\system32\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main |
| C:\Windows\system32\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main |
| C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3960 -ip 3960 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 452 |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main |
| C:\Windows\system32\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1652 |
| C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4352 -ip 4352 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 448 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5020 -ip 5020 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1052 |
Network
Files
C:\Users\Admin\AppData\Local\Temp\B68E.exe
C:\Users\Admin\AppData\Local\Temp\497073144238
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll