Malware Analysis Report

2024-11-13 18:57

Sample ID 240216-w92dpseh33
Target RnnWoAEP9mUhOXN_9mNdOzaP.exe
SHA256 c40fe915433c1a8094a858affe62c6079154c668645f8e17751e7f39ebf4d31b
Tags
amadey smokeloader pub3 backdoor spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c40fe915433c1a8094a858affe62c6079154c668645f8e17751e7f39ebf4d31b

Threat Level: Known bad

The file RnnWoAEP9mUhOXN_9mNdOzaP.exe was found to be: Known bad.

Malicious Activity Summary

amadey smokeloader pub3 backdoor spyware stealer trojan

SmokeLoader

Amadey

Downloads MZ/PE file

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Program crash

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-16 18:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-16 18:38

Reported

2024-02-16 18:40

Platform

win7-20231215-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe"

Signatures

Amadey

trojan amadey

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E43.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A | 4
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A | 4
N/A | N/A | C:\Windows\system32\WerFault.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A | 4
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A | 4
N/A | N/A | C:\Windows\system32\WerFault.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A | 4
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A | 4
N/A | N/A | C:\Windows\system32\WerFault.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A | 12

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\reersgu | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\reersgu | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\reersgu | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A | 2
N/A | N/A | N/A | N/A | 62

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\reersgu | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeShutdownPrivilege | N/A | N/A | N/A | 3

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E43.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1240 wrote to memory of 2812 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E43.exe | 4
PID 2812 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\E43.exe | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 4
PID 2572 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 1168 wrote to memory of 1428 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 4
PID 2572 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Windows\SysWOW64\rundll32.exe | 7
PID 884 wrote to memory of 1364 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe | 4
PID 1364 wrote to memory of 1288 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe | 3
PID 2572 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Windows\SysWOW64\rundll32.exe | 7
PID 3012 wrote to memory of 776 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe | 4
PID 776 wrote to memory of 2276 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe | 3
PID 2572 wrote to memory of 332 | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Windows\SysWOW64\rundll32.exe | 7
PID 332 wrote to memory of 2144 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe | 4
PID 2144 wrote to memory of 1940 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe | 3
PID 2572 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Windows\SysWOW64\rundll32.exe | 6

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe

"C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe"

C:\Users\Admin\AppData\Local\Temp\E43.exe

C:\Users\Admin\AppData\Local\Temp\E43.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F

C:\Windows\system32\taskeng.exe

taskeng.exe {08135AFD-F759-46F1-8983-72A1540187AC} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1364 -s 312

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 776 -s 312

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2144 -s 312

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Roaming\reersgu

C:\Users\Admin\AppData\Roaming\reersgu

Network

Country Destination Domain Proto
US 8.8.8.8:53 sjyey.com udp
KR 211.119.84.112:80 sjyey.com tcp
KR 211.119.84.112:80 sjyey.com tcp
KR 211.119.84.112:80 sjyey.com tcp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 emgvod.com udp
BA 185.12.79.25:80 emgvod.com tcp
KR 211.119.84.112:80 sjyey.com tcp
KR 211.119.84.112:80 sjyey.com tcp
KR 211.119.84.112:80 sjyey.com tcp
KR 211.119.84.112:80 sjyey.com tcp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 cbinr.com udp
US 8.8.8.8:53 anfesq.com udp
US 8.8.8.8:53 rimakc.ru udp
RU 91.189.114.4:80 rimakc.ru tcp
KR 211.119.84.111:80 cbinr.com tcp
KR 211.119.84.111:80 cbinr.com tcp
KR 211.119.84.111:80 cbinr.com tcp
US 8.8.8.8:53 anfesq.com udp
KR 211.119.84.111:80 cbinr.com tcp
US 8.8.8.8:53 anfesq.com udp
KR 211.119.84.111:80 cbinr.com tcp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp

Files

memory/2212-1-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

memory/2212-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2212-3-0x0000000000400000-0x0000000002BE0000-memory.dmp

memory/1240-4-0x00000000029A0000-0x00000000029B6000-memory.dmp

memory/2212-5-0x0000000000400000-0x0000000002BE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E43.exe

MD5 de9eed60d051b20487c956a514adbed4
SHA1 2c4c6363c3be184b507265764c1e9765022e6a1b
SHA256 ec2cfa28611f55c9901f26e90774e266854a34ef33d58565e574e0f76284d510
SHA512 86f3efb5dee8c01490a3c2b46996512ca041d463e2a5cbd17d672fdf5b398dfae6a0a3d63b35b003937ae8dddecd7c3c2b3c5c7895cb754975a2fa63d293dc51

memory/2812-18-0x0000000002D90000-0x0000000002E90000-memory.dmp

memory/2812-19-0x0000000000260000-0x00000000002CF000-memory.dmp

memory/2812-33-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/2812-34-0x0000000002D80000-0x0000000002D81000-memory.dmp

memory/2812-35-0x0000000002D90000-0x0000000002E90000-memory.dmp

memory/2812-31-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/2572-37-0x0000000002D20000-0x0000000002E20000-memory.dmp

memory/2572-43-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/2572-44-0x0000000000400000-0x0000000002C0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\427588347149

MD5 383f631c300b0210a162ba24f1f0fe3e
SHA1 c2411fcaebd457088941aae85117ccb490e64ab5
SHA256 d37ba0db2feb9df43061fa172416f77103543f8d7802372d558f5dc3a5397b46
SHA512 9a1646bf66d9f937a6935fa0eb95660632036cc3619177ea2b84888e5d40de13968be555e16a1d27078496db00db68c35e437dbcd1254b5d9396d96892b3801c

memory/2572-57-0x0000000000400000-0x0000000002C0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 f01f5bc76b9596e0cfeab8a272cba3a5
SHA1 19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512 ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 f5c74c29064ab7e4c2dfacd54617296e
SHA1 cb40f4ea8e0b7b663d4a9d40dd99f720ef470982
SHA256 fbec0faca2cfc2d8637b127f5aff60875c3c9796b34333618f6467fff5d43c0d
SHA512 9b3e7c0d74ddf69ddc1a4ea78cc2058727b3d858a439621f95aea5ac192b640444286d879a593a7a694b1bb87fcb186b9461491b641e953ef37aa27cac0087c0

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 110d2af589eb4b9dedda8677a20bc4da
SHA1 df81c6dccffa61ea30c3d2ee91dfda6493359438
SHA256 e52653197c4da2b83eb8237a1c6d3f153572fde10f5da413391cfc8324d23b89
SHA512 6d47396b679e2dea919a94ff65e844dbfec4497d3f5291105778e4fdfdd4d0701cb15edcd58f3f9637be016ecb80b8dcf99ffb43532be76b36efdbd644324934

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 15d9b810b01a0a4cbe660ff3b667f9b0
SHA1 4300edafb30fd52f76134956338f5d943119b386
SHA256 25d0923b76df4795f9057e29a9e076ef314d5e46ef7b000df4931c23cdd92b2e
SHA512 dca44f8460c51358449144a9c52742c6cc752b064ad22769a390b25db11dccb13caa50358c3509db01c1ae7be5646d07de7f5a777f7adca716d34d0ac8d700e5

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 8cc81b264f2b30012cc6f969eec37860
SHA1 164a2b9fb9358a32f017cf128f72b24eaedeb5ff
SHA256 a184152f0df0cf8c2d687eb3d31a24e8a76e6bcf643fb328af749903ac8cb200
SHA512 d6bc545a0d2d3a764a506394eea60dbc345f8c015b4e84ba4581087d90bda4de8fa5e033db3de4641075e5c74439ceec5e9c57d3a76b313aae0f21e26aa3e0fb

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 4f5eae347aa65048779f3fd5ed451847
SHA1 de7b7f4f788e9c9349282286dbe3fd8b811d7f51
SHA256 4b8a1f49862d5f2bb714c0a9d41f450b71b1931a28d0c9ca3a4fd0be96c1790a
SHA512 1ff48f9989139557f70bf9aff26c6bf2e0582eb8bcca31499223e84bd093eb9e067d8076e513ca8d680a9ee10f7397bb0bb85d7f7c65029204125778097e6acd

memory/2572-80-0x0000000002D20000-0x0000000002E20000-memory.dmp

memory/1428-81-0x0000000002D50000-0x0000000002E50000-memory.dmp

memory/1428-79-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/2572-82-0x0000000000400000-0x0000000002C0D000-memory.dmp

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 de3d6dec653d48eeb24b881183ab32f8
SHA1 3167e4d7b66861cb58bddadab48dc4a7ecdbf18a
SHA256 51421a8e715db0f34d2dcf50d622ce5e3f08c7a10917200f3c36896060faff38
SHA512 ad4a74ae2fcb89e89a4b86386c5c2420ed8f8af24fe1896e00a99ec9b6053d8e477974b4351b879b4cb3a087008ee200da9b5fd56b1736bb23f7e03b15e52829

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 726e1f082f555ce5d5e774c3adf6fc21
SHA1 c91eea4ba49e29a183e7cfad119e5f31b2218aa9
SHA256 1201744d0d2cb120527db056b37a3bb25467bc0188c9c4601e5b1d3a32981b04
SHA512 92809f9b740f11c0f0ee258b80cd6835eedb3c9b2bbc731f8921b3b32caa943032a2c9e83b124a589eff0682d17beda11e3a57b0c9d07c039412114adbe0d7f1

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 2ae6563451ceaf5b37850ad7272ebafc
SHA1 f3c97e42104cb1d9ee454c50258ff6276e0ba32f
SHA256 aa48bc8fb3f1702d3d644cb851dcc7e0e09577c21050f82432e8f995f99cb6a3
SHA512 77571c958c81542faf1903774821c6e0a29819245b3dfdb26e8a4472356683f58efefbbe05eda3edb9e8ce3ad9c9c1d49e69ef70984c80d93abe6a9e034c80e6

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 c502c6201c4f93f3954978e850bc300e
SHA1 568fae8484e92a3c7df771a1368359890ecdeadf
SHA256 3fab7b1af00cf5e4b8d6dbaad33377fa706d69f377bc5ad8c18f492051c65d51
SHA512 64b275a34db90b84dd14d6b56e3a8d361b335658c09ac22bb58865da9d555f31094142ffd7838246a6f78f1879f0ab2d8d785933deb483238c874de9c0f09841

memory/2572-93-0x0000000000400000-0x0000000002C0D000-memory.dmp

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 fc2bf5cb0c5bec2316d177ef7e28dfb3
SHA1 7c97b284964cb63e7ecafaf6dadc68e5ee7c8ada
SHA256 3e37429dc814012fd38113fffed5d371383dd1c19ab95d96e33fd25c395affd7
SHA512 6cc3eb8d661d8650c0e140549c6b06737c71143b539a665ca46bd90486ec9894256c62e5451878b7a93c829171078b33e88aa62d15889042eff12a11505f1f3b

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 c293a65c51b22010aedd3c304dc1f88f
SHA1 e38b26bfc24d3723f56baa64cca82da8efa16ef6
SHA256 b284501c6e0a1a3a7f449fb039ae0ee457d5ee5cd03f319a110bfe1757e8c155
SHA512 a4eaca2e0dede9fcbd52c7627f1e8811b2a3f61105a411c3f42ec33a16e78b01b53f25614187ea9867141fbb9640e0fd5007656944293242ee9e00d0473dcb71

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 fe9ca7a9ca209c68e8505b2c3adf6212
SHA1 c3c5c5c8a6055ace48687193653e44c62311e6bb
SHA256 26c87481280348c1b64ad0dde52a1f9189348188abb0a5b79d4888759146e5b5
SHA512 969709ba4d5d1b98731e24c8b26be36843b0ae0777b353090e8e698eb40549f176c4aa68b07be0a9b9937edd3968381c769cde120bd32d6a2f40d15e473f9a52

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 257df8fb038de4ef9a567542dd930855
SHA1 7cedfe8c4ee0b0156a285c3761654018b9f656f9
SHA256 23cd011dc22405983c135ae29115ce29ca6a49c29ca2161e9b81ae43d9102e88
SHA512 b7a2566bf2ba19ac2a94743e6dae138f476b99f506e0d852ac9dc4b1aaa28b9d31f68529b3891b21a6e3ee758d4d41f0f7af6986e6882106426b2938d7918ffc

memory/2572-102-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/1428-105-0x0000000000400000-0x0000000002C0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

MD5 4194e9b8b694b1e9b672c36f0d868e32
SHA1 252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512 f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

memory/2572-121-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/2572-126-0x0000000000400000-0x0000000002C0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\reersgu

MD5 28c17350f0da6941f68bbea0eb5af380
SHA1 42d3ea0b53b6f76b729a9cef45341fae29933d88
SHA256 c40fe915433c1a8094a858affe62c6079154c668645f8e17751e7f39ebf4d31b
SHA512 b1bd4d2d1787575b7d5155926aa248203b317f33e13eb237ecb1d33353c3146e6ed67da239f0e96ff98adf8aa7309e6f37f666107176bb6461621d7287fb750f

memory/2712-135-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/2712-136-0x0000000000400000-0x0000000002BE0000-memory.dmp

memory/2572-137-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/2000-140-0x0000000003070000-0x0000000003170000-memory.dmp

memory/2000-139-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/1240-141-0x0000000002B10000-0x0000000002B26000-memory.dmp

memory/2712-143-0x0000000000400000-0x0000000002BE0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-16 18:38

Reported

2024-02-16 18:40

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe"

Signatures

Amadey

trojan amadey

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EB3B.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\EB3B.exe | 10
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 24

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jggbgtd | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jggbgtd | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jggbgtd | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe | N/A | 2
N/A | N/A | N/A | N/A | 62

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\jggbgtd N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
(this pair is recorded 32 times, 64 hits in all; no process or target was captured for any of them)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EB3B.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Hits
PID 3416 wrote to memory of 3216 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EB3B.exe | 3
PID 3216 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\EB3B.exe | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 3
PID 5076 wrote to memory of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 5076 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Windows\SysWOW64\rundll32.exe | 3
PID 4656 wrote to memory of 4720 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe | 2
PID 5076 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Windows\SysWOW64\rundll32.exe | 3
PID 4676 wrote to memory of 5028 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe | 2
PID 5076 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Windows\SysWOW64\rundll32.exe | 3
PID 1056 wrote to memory of 1884 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\rundll32.exe | 2
PID 5076 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Windows\SysWOW64\rundll32.exe | 3
PID 5076 wrote to memory of 4336 | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Windows\SysWOW64\rundll32.exe | 3
PID 5076 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | C:\Windows\SysWOW64\rundll32.exe | 3
(Hits is the number of times the row appears in the report. No process path was recorded for PID 3416.)
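
The WriteProcessMemory rows are really a list of parent-to-child edges, and the flat table hides the chain they form (the process that wrote into 3216, then EB3B.exe into Utsysc.exe, then Utsysc.exe into schtasks.exe and a fan of rundll32 hosts). The script below is an added example, not part of the sandbox report: it folds the repeated rows, rebuilds the tree, and lists the SysWOW64 rundll32 instances that re-launched the native System32 rundll32, which is what a 32-bit rundll32 does when handed a 64-bit DLL (consistent with the cred64.dll command lines in the Processes section, though the report itself does not state the DLL's bitness). The rows are copied from the table above, one per distinct edge, and embedded so the script runs offline.

```python
"""Rebuild the process chain from the "Suspicious use of WriteProcessMemory" rows.
Added example, not part of the sandbox report: the rows below are copied from the
table, one per distinct edge, and embedded as constructed input."""
import re
from collections import defaultdict

WPM_ROWS = r"""
PID 3416 wrote to memory of 3216 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB3B.exe
PID 3216 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\EB3B.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 5076 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe
PID 5076 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4656 wrote to memory of 4720 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 5076 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4676 wrote to memory of 5028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 5076 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 1056 wrote to memory of 1884 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 5076 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5076 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 5076 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
"""

# description, indicator (always N/A here), writer path, target path; paths carry no spaces
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_edges(text):
    """Return {(writer_pid, target_pid): (writer_path, target_path)}, repeats folded."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            w, t, wpath, tpath = m.groups()
            edges[(int(w), int(t))] = (wpath, tpath)
    return edges


def build_tree(edges):
    """children: pid -> [child pids]; names: pid -> path; roots: pids nobody wrote into."""
    children, names = defaultdict(list), {}
    for (w, t), (wpath, tpath) in edges.items():
        children[w].append(t)
        if names.get(w, "N/A") == "N/A":   # prefer a recorded path over N/A
            names[w] = wpath
        names[t] = tpath
    written = {t for ts in children.values() for t in ts}
    roots = [p for p in children if p not in written]
    return children, names, roots


def render(children, names, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{pid}  {names.get(pid, 'N/A')}"]
    for child in sorted(children.get(pid, [])):
        lines.extend(render(children, names, child, depth + 1))
    return lines


def wow64_relaunches(edges):
    """PIDs of native rundll32 started by a SysWOW64 rundll32: the 32-bit host
    re-executes the 64-bit rundll32 when the DLL it was given is 64-bit."""
    return sorted(t for (w, t), (wpath, tpath) in edges.items()
                  if wpath.lower().endswith(r"syswow64\rundll32.exe")
                  and tpath.lower().endswith(r"system32\rundll32.exe"))


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    children, names, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, names, root)))
    print("native rundll32 hosts:", wow64_relaunches(edges))
```

The single root is PID 3416, for which the report records no path: it is the process that wrote into EB3B.exe without itself appearing in the process list, so the tree starts one level above what the sandbox spawned.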

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe

"C:\Users\Admin\AppData\Local\Temp\RnnWoAEP9mUhOXN_9mNdOzaP.exe"

C:\Users\Admin\AppData\Local\Temp\EB3B.exe

C:\Users\Admin\AppData\Local\Temp\EB3B.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1212

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1012

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 832

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1888 -ip 1888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1668

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Users\Admin\AppData\Roaming\jggbgtd

C:\Users\Admin\AppData\Roaming\jggbgtd

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2580 -ip 2580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 444

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 996
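
The one schtasks command line in the process list is the persistence mechanism behind the "Creates scheduled task(s)" hit: a task named after the dropped binary that re-runs it from a Temp subdirectory every minute, with /F to overwrite any task of the same name. The script below is an added example, not part of the sandbox report, showing how to triage schtasks command lines for that pattern rather than alerting on every schtasks call. The first command line is copied from the Processes section; the benign control is constructed, and the five-minute threshold and the list of user-writable directories are my choices.

```python
"""Triage schtasks /Create command lines for the drop-and-persist pattern.
Added example, not part of the sandbox report."""
import re

# Copied from the Processes section of the report.
AMADEY_TASK_CMD = (
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F'
)
# Constructed benign control (not from the report): a nightly job under Program Files.
BENIGN_TASK_CMD = (
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /ST 03:00 '
    r'/TN "Nightly Backup" /TR "C:\Program Files\Backup\backup.exe"'
)

# /SWITCH followed optionally by a quoted or bare value; a following /SWITCH is not a value.
ARG_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|(?!/)\S+))?')
UNIT_MINUTES = {"MINUTE": 1, "HOURLY": 60, "DAILY": 1440}
# Directories an unprivileged user can write to (assumed list); dropped payloads live here.
USER_WRITABLE = (r"\appdata", r"\programdata", r"\users\public")


def parse_args(cmdline):
    """Map lower-cased switch name -> value ('' for valueless switches such as /F)."""
    return {k.lower(): v.strip('"') for k, v in ARG_RE.findall(cmdline)}


def triage_schtasks(cmdline, max_interval_min=5):
    """Return (suspicious, reasons, args).  Two independent signals are required so
    that a short interval alone, or an AppData path alone, does not fire."""
    if "schtasks" not in cmdline.lower():
        return False, [], {}
    args = parse_args(cmdline)
    if "create" not in args:
        return False, [], args
    reasons = []
    unit = UNIT_MINUTES.get(args.get("sc", "").upper())
    mo = args.get("mo", "")
    if unit is not None:
        interval = unit * (int(mo) if mo.isdigit() else 1)
        if interval <= max_interval_min:
            reasons.append(f"re-runs every {interval} min")
    action = args.get("tr", "").lower()
    if any(d in action for d in USER_WRITABLE):
        reasons.append("action runs from a user-writable directory")
    if args.get("tn", "").lower().endswith(".exe"):
        reasons.append("task name is just the payload's file name")
    if "f" in args:
        reasons.append("/F silently replaces an existing task of that name")
    return len(reasons) >= 2, reasons, args


if __name__ == "__main__":
    for cmd in (AMADEY_TASK_CMD, BENIGN_TASK_CMD):
        hit, why, _ = triage_schtasks(cmd)
        print("SUSPICIOUS" if hit else "ok", why)
```

On a live host the same check applies to the task definition itself (the action path and trigger interval are in the task XML under C:\Windows\System32\Tasks), which catches tasks created through the Task Scheduler COM API that never pass through schtasks.exe, as the "Uses Task Scheduler COM API" hit above indicates.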

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 sjyey.com udp
KR 211.119.84.112:80 sjyey.com tcp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 112.84.119.211.in-addr.arpa udp
KR 211.119.84.112:80 sjyey.com tcp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 emgvod.com udp
BA 185.12.79.25:80 emgvod.com tcp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 25.79.12.185.in-addr.arpa udp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 rimakc.ru udp
US 8.8.8.8:53 cbinr.com udp
US 8.8.8.8:53 anfesq.com udp
RU 91.189.114.4:80 rimakc.ru tcp
AR 190.224.203.37:80 cbinr.com tcp
AR 190.224.203.37:80 cbinr.com tcp
AR 190.224.203.37:80 cbinr.com tcp
US 8.8.8.8:53 4.114.189.91.in-addr.arpa udp
US 8.8.8.8:53 37.203.224.190.in-addr.arpa udp
US 8.8.8.8:53 anfesq.com udp
AR 190.224.203.37:80 cbinr.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
AR 190.224.203.37:80 cbinr.com tcp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
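
The network table mixes three things: DNS queries to the sandbox resolver, reverse (in-addr.arpa) lookups, and the TCP connections the sample actually made. Only the last group, plus the names that were queried but never connected to, are worth turning into indicators. The script below is an added example, not part of the sandbox report: it splits the rows into those buckets and emits a flat blocklist. The rows are copied from the table above with repeats removed and embedded so it runs offline; nothing is resolved or contacted. Treating every query to 8.8.8.8:53 as resolver traffic is an assumption that holds for this report's capture.

```python
"""Pull actionable network IOCs out of the flat "Country Destination Domain Proto" rows.
Added example, not part of the sandbox report."""
import re
from collections import defaultdict

# Copied from the report's Network table, repeats removed (constructed input).
NET_ROWS = """
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 sjyey.com udp
KR 211.119.84.112:80 sjyey.com tcp
US 8.8.8.8:53 112.84.119.211.in-addr.arpa udp
US 8.8.8.8:53 emgvod.com udp
BA 185.12.79.25:80 emgvod.com tcp
US 8.8.8.8:53 rimakc.ru udp
US 8.8.8.8:53 cbinr.com udp
US 8.8.8.8:53 anfesq.com udp
RU 91.189.114.4:80 rimakc.ru tcp
AR 190.224.203.37:80 cbinr.com tcp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<name>\S+) (?P<proto>tcp|udp)$"
)
RESOLVER = ("8.8.8.8", "53")  # the sandbox's DNS server; queries to it are not C2 traffic


def parse_rows(text):
    """Parse the report's rows; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def extract_iocs(rows):
    """Three buckets:
    c2       - names that were resolved and then connected to, with the endpoint reached
    dns_only - names queried but never connected to (NXDOMAIN, sinkholed, or the
               connection fell outside the capture window); keep them as weaker IOCs
    ptr      - reverse lookups, dropped as noise unless tied to a process
    """
    queried, connected, ptr = set(), defaultdict(set), set()
    for r in rows:
        if r["name"].endswith(".in-addr.arpa"):
            ptr.add(r["name"])
        elif (r["ip"], r["port"]) == RESOLVER:
            queried.add(r["name"])
        else:
            connected[r["name"]].add((r["ip"], int(r["port"]), r["proto"], r["cc"]))
    return {
        "c2": {name: sorted(eps) for name, eps in connected.items()},
        "dns_only": sorted(queried - set(connected)),
        "ptr": sorted(ptr),
    }


def blocklist(iocs):
    """Flat, de-duplicated list of domains and IPs for a firewall or DNS RPZ feed."""
    items = set(iocs["c2"]) | set(iocs["dns_only"])
    items |= {ip for eps in iocs["c2"].values() for ip, _, _, _ in eps}
    return sorted(items)


if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(NET_ROWS))
    for name, eps in iocs["c2"].items():
        print(name, eps)
    print("dns only:", iocs["dns_only"])
    print("blocklist:", blocklist(iocs))
```

For this report the split yields four names with a completed TCP connection on port 80 (sjyey.com, emgvod.com, rimakc.ru, cbinr.com) and four that were only ever queried (anfesq.com, tceducn.com, arrunda.ru, soetegem.com). The queried-only names are still worth blocking: a loader that rotates through a list of C2 hosts will try them again on another run.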

Files

memory/5112-1-0x0000000002C30000-0x0000000002D30000-memory.dmp

memory/5112-2-0x00000000047E0000-0x00000000047EB000-memory.dmp

memory/5112-3-0x0000000000400000-0x0000000002BE0000-memory.dmp

memory/3416-4-0x0000000001360000-0x0000000001376000-memory.dmp

memory/5112-5-0x0000000000400000-0x0000000002BE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EB3B.exe

MD5 de9eed60d051b20487c956a514adbed4
SHA1 2c4c6363c3be184b507265764c1e9765022e6a1b
SHA256 ec2cfa28611f55c9901f26e90774e266854a34ef33d58565e574e0f76284d510
SHA512 86f3efb5dee8c01490a3c2b46996512ca041d463e2a5cbd17d672fdf5b398dfae6a0a3d63b35b003937ae8dddecd7c3c2b3c5c7895cb754975a2fa63d293dc51

memory/3216-16-0x0000000002D40000-0x0000000002E40000-memory.dmp

memory/3216-17-0x0000000002CC0000-0x0000000002D2F000-memory.dmp

memory/3216-18-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/3216-33-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/3216-35-0x0000000002CC0000-0x0000000002D2F000-memory.dmp

memory/5076-37-0x0000000002DE0000-0x0000000002EE0000-memory.dmp

memory/5076-38-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/5076-39-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/1888-46-0x0000000002D90000-0x0000000002E90000-memory.dmp

memory/1888-47-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/5076-49-0x0000000002DE0000-0x0000000002EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\969412972279

MD5 727482b1fc22a027c032c7bc91dbf31c
SHA1 f6fb8fb073e1a5c7b8d3628442b8f434ba9b2697
SHA256 4a5e0fe80f35a41d93aeb6a289e27840cb14449479bc6a162a27991e3c695d80
SHA512 214df1563bddf47e2fe2354adeb799568211172d48dd18033b432b8743e771c1dc3a59e321caa6d3e100c0035970326d24014bc0f2d6ba511bd79c3bf5233ab7

memory/5076-54-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/5076-62-0x0000000000400000-0x0000000002C0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 f01f5bc76b9596e0cfeab8a272cba3a5
SHA1 19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512 ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

memory/5076-75-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/5076-78-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/5076-81-0x0000000000400000-0x0000000002C0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

MD5 4194e9b8b694b1e9b672c36f0d868e32
SHA1 252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512 f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

memory/5076-94-0x0000000000400000-0x0000000002C0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\jggbgtd

MD5 28c17350f0da6941f68bbea0eb5af380
SHA1 42d3ea0b53b6f76b729a9cef45341fae29933d88
SHA256 c40fe915433c1a8094a858affe62c6079154c668645f8e17751e7f39ebf4d31b
SHA512 b1bd4d2d1787575b7d5155926aa248203b317f33e13eb237ecb1d33353c3146e6ed67da239f0e96ff98adf8aa7309e6f37f666107176bb6461621d7287fb750f

memory/4812-100-0x0000000002C20000-0x0000000002D20000-memory.dmp

memory/4812-101-0x0000000000400000-0x0000000002BE0000-memory.dmp

memory/2580-103-0x0000000002D10000-0x0000000002E10000-memory.dmp

memory/2580-104-0x0000000000400000-0x0000000002C0D000-memory.dmp

memory/3416-106-0x00000000013B0000-0x00000000013C6000-memory.dmp

memory/4812-109-0x0000000000400000-0x0000000002BE0000-memory.dmp

memory/5076-111-0x0000000000400000-0x0000000002C0D000-memory.dmp