Analysis Overview
SHA256
c40fe915433c1a8094a858affe62c6079154c668645f8e17751e7f39ebf4d31b
Threat Level: Known bad
The file RnnWoAEP9mUhOXN_9mNdOzaP.exe was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Amadey
Downloads MZ/PE file
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Program crash
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-16 18:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-16 18:38
Reported
2024-02-16 18:40
Platform
win7-20231215-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
Amadey
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E43.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\reersgu | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\reersgu | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\reersgu | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\reersgu | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\reersgu | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E43.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe
"C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe"
C:\Users\Admin\AppData\Local\Temp\E43.exe
C:\Users\Admin\AppData\Local\Temp\E43.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
C:\Windows\system32\taskeng.exe
taskeng.exe {08135AFD-F759-46F1-8983-72A1540187AC} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1364 -s 312
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 776 -s 312
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2144 -s 312
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Roaming\reersgu
C:\Users\Admin\AppData\Roaming\reersgu
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sjyey.com | udp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | emgvod.com | udp |
| BA | 185.12.79.25:80 | emgvod.com | tcp |
| US | 8.8.8.8:53 | cbinr.com | udp |
| US | 8.8.8.8:53 | anfesq.com | udp |
| US | 8.8.8.8:53 | rimakc.ru | udp |
| RU | 91.189.114.4:80 | rimakc.ru | tcp |
| KR | 211.119.84.111:80 | cbinr.com | tcp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| US | 8.8.8.8:53 | arrunda.ru | udp |
| US | 8.8.8.8:53 | soetegem.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\E43.exe
| MD5 | de9eed60d051b20487c956a514adbed4 |
| SHA1 | 2c4c6363c3be184b507265764c1e9765022e6a1b |
| SHA256 | ec2cfa28611f55c9901f26e90774e266854a34ef33d58565e574e0f76284d510 |
| SHA512 | 86f3efb5dee8c01490a3c2b46996512ca041d463e2a5cbd17d672fdf5b398dfae6a0a3d63b35b003937ae8dddecd7c3c2b3c5c7895cb754975a2fa63d293dc51 |
C:\Users\Admin\AppData\Local\Temp\427588347149
| MD5 | 383f631c300b0210a162ba24f1f0fe3e |
| SHA1 | c2411fcaebd457088941aae85117ccb490e64ab5 |
| SHA256 | d37ba0db2feb9df43061fa172416f77103543f8d7802372d558f5dc3a5397b46 |
| SHA512 | 9a1646bf66d9f937a6935fa0eb95660632036cc3619177ea2b84888e5d40de13968be555e16a1d27078496db00db68c35e437dbcd1254b5d9396d96892b3801c |
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | f01f5bc76b9596e0cfeab8a272cba3a5 |
| SHA1 | 19cab1291e4e518ae636f2fb3d41567e4e6e4722 |
| SHA256 | 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938 |
| SHA512 | ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63 |
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
| MD5 | 4194e9b8b694b1e9b672c36f0d868e32 |
| SHA1 | 252f27fe313c7bf8e9f36aef0c7b676383872efb |
| SHA256 | 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125 |
| SHA512 | f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7 |
C:\Users\Admin\AppData\Roaming\reersgu
| MD5 | 28c17350f0da6941f68bbea0eb5af380 |
| SHA1 | 42d3ea0b53b6f76b729a9cef45341fae29933d88 |
| SHA256 | c40fe915433c1a8094a858affe62c6079154c668645f8e17751e7f39ebf4d31b |
| SHA512 | b1bd4d2d1787575b7d5155926aa248203b317f33e13eb237ecb1d33353c3146e6ed67da239f0e96ff98adf8aa7309e6f37f666107176bb6461621d7287fb750f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-16 18:38
Reported
2024-02-16 18:40
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Amadey
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EB3B.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EB3B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jggbgtd | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jggbgtd | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jggbgtd | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jggbgtd | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jggbgtd | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EB3B.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe
"C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe"
C:\Users\Admin\AppData\Local\Temp\EB3B.exe
C:\Users\Admin\AppData\Local\Temp\EB3B.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1212
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1012
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 832
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1888 -ip 1888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1668
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
C:\Users\Admin\AppData\Roaming\jggbgtd
C:\Users\Admin\AppData\Roaming\jggbgtd
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2580 -ip 2580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 444
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 996
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sjyey.com | udp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 112.84.119.211.in-addr.arpa | udp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | emgvod.com | udp |
| BA | 185.12.79.25:80 | emgvod.com | tcp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 25.79.12.185.in-addr.arpa | udp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| KR | 211.119.84.112:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | rimakc.ru | udp |
| US | 8.8.8.8:53 | cbinr.com | udp |
| US | 8.8.8.8:53 | anfesq.com | udp |
| RU | 91.189.114.4:80 | rimakc.ru | tcp |
| AR | 190.224.203.37:80 | cbinr.com | tcp |
| AR | 190.224.203.37:80 | cbinr.com | tcp |
| AR | 190.224.203.37:80 | cbinr.com | tcp |
| US | 8.8.8.8:53 | 4.114.189.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.203.224.190.in-addr.arpa | udp |
| US | 8.8.8.8:53 | anfesq.com | udp |
| AR | 190.224.203.37:80 | cbinr.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| AR | 190.224.203.37:80 | cbinr.com | tcp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| US | 8.8.8.8:53 | arrunda.ru | udp |
| US | 8.8.8.8:53 | soetegem.com | udp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| US | 8.8.8.8:53 | arrunda.ru | udp |
| US | 8.8.8.8:53 | soetegem.com | udp |
| US | 8.8.8.8:53 | tceducn.com | udp |
| US | 8.8.8.8:53 | arrunda.ru | udp |
| US | 8.8.8.8:53 | soetegem.com | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
memory/5112-1-0x0000000002C30000-0x0000000002D30000-memory.dmp
memory/5112-2-0x00000000047E0000-0x00000000047EB000-memory.dmp
memory/5112-3-0x0000000000400000-0x0000000002BE0000-memory.dmp
memory/3416-4-0x0000000001360000-0x0000000001376000-memory.dmp
memory/5112-5-0x0000000000400000-0x0000000002BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EB3B.exe
| MD5 | de9eed60d051b20487c956a514adbed4 |
| SHA1 | 2c4c6363c3be184b507265764c1e9765022e6a1b |
| SHA256 | ec2cfa28611f55c9901f26e90774e266854a34ef33d58565e574e0f76284d510 |
| SHA512 | 86f3efb5dee8c01490a3c2b46996512ca041d463e2a5cbd17d672fdf5b398dfae6a0a3d63b35b003937ae8dddecd7c3c2b3c5c7895cb754975a2fa63d293dc51 |
memory/3216-16-0x0000000002D40000-0x0000000002E40000-memory.dmp
memory/3216-17-0x0000000002CC0000-0x0000000002D2F000-memory.dmp
memory/3216-18-0x0000000000400000-0x0000000002C0D000-memory.dmp
memory/3216-33-0x0000000000400000-0x0000000002C0D000-memory.dmp
memory/3216-35-0x0000000002CC0000-0x0000000002D2F000-memory.dmp
memory/5076-37-0x0000000002DE0000-0x0000000002EE0000-memory.dmp
memory/5076-38-0x0000000000400000-0x0000000002C0D000-memory.dmp
memory/5076-39-0x0000000000400000-0x0000000002C0D000-memory.dmp
memory/1888-46-0x0000000002D90000-0x0000000002E90000-memory.dmp
memory/1888-47-0x0000000000400000-0x0000000002C0D000-memory.dmp
memory/5076-49-0x0000000002DE0000-0x0000000002EE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\969412972279
| MD5 | 727482b1fc22a027c032c7bc91dbf31c |
| SHA1 | f6fb8fb073e1a5c7b8d3628442b8f434ba9b2697 |
| SHA256 | 4a5e0fe80f35a41d93aeb6a289e27840cb14449479bc6a162a27991e3c695d80 |
| SHA512 | 214df1563bddf47e2fe2354adeb799568211172d48dd18033b432b8743e771c1dc3a59e321caa6d3e100c0035970326d24014bc0f2d6ba511bd79c3bf5233ab7 |
memory/5076-54-0x0000000000400000-0x0000000002C0D000-memory.dmp
memory/5076-62-0x0000000000400000-0x0000000002C0D000-memory.dmp
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
| MD5 | f01f5bc76b9596e0cfeab8a272cba3a5 |
| SHA1 | 19cab1291e4e518ae636f2fb3d41567e4e6e4722 |
| SHA256 | 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938 |
| SHA512 | ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63 |
memory/5076-75-0x0000000000400000-0x0000000002C0D000-memory.dmp
memory/5076-78-0x0000000000400000-0x0000000002C0D000-memory.dmp
memory/5076-81-0x0000000000400000-0x0000000002C0D000-memory.dmp
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
| MD5 | 4194e9b8b694b1e9b672c36f0d868e32 |
| SHA1 | 252f27fe313c7bf8e9f36aef0c7b676383872efb |
| SHA256 | 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125 |
| SHA512 | f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7 |
memory/5076-94-0x0000000000400000-0x0000000002C0D000-memory.dmp
C:\Users\Admin\AppData\Roaming\jggbgtd
| MD5 | 28c17350f0da6941f68bbea0eb5af380 |
| SHA1 | 42d3ea0b53b6f76b729a9cef45341fae29933d88 |
| SHA256 | c40fe915433c1a8094a858affe62c6079154c668645f8e17751e7f39ebf4d31b |
| SHA512 | b1bd4d2d1787575b7d5155926aa248203b317f33e13eb237ecb1d33353c3146e6ed67da239f0e96ff98adf8aa7309e6f37f666107176bb6461621d7287fb750f |
memory/4812-100-0x0000000002C20000-0x0000000002D20000-memory.dmp
memory/4812-101-0x0000000000400000-0x0000000002BE0000-memory.dmp
memory/2580-103-0x0000000002D10000-0x0000000002E10000-memory.dmp
memory/2580-104-0x0000000000400000-0x0000000002C0D000-memory.dmp
memory/3416-106-0x00000000013B0000-0x00000000013C6000-memory.dmp
memory/4812-109-0x0000000000400000-0x0000000002BE0000-memory.dmp
memory/5076-111-0x0000000000400000-0x0000000002C0D000-memory.dmp