betabot | b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded

General

Target

b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Size

225KB
MD5

7b7efe9132956a5517e1e6b7ee89d302
SHA1

308f11a98895940845ef9a5af333bcc1d9f38260
SHA256

b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded
SHA512

87d85fcc0b1d1e42a89a39ece64051269d7e75c9bc366f940059d33cf8b551f0d342537c2eb46a75549472ad5418c1f8691b42c8d5c0b728dfc7a631c74f7b99
SSDEEP

6144:WAsBZRjd0+yiRUeq2KdtlHrsk9/u6r89sMT3QrEY:m5+iRUefKzlHrbtu6rJMbQD

Score

10^/10

betabot backdoor botnet evasion persistence trojan

Malware Config

Signatures

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sau79ky9c79e.exe\DisableExceptionChainValidation	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "hcgyxlolft.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sau79ky9c79e.exe	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Loads dropped DLL 4 IoCs

Processes:

b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe

pid	process
1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Search 5.3.10 = "C:\\ProgramData\\Windows Search 5.3.10\\sau79ky9c79e.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Search 5.3.10 = "\"C:\\ProgramData\\Windows Search 5.3.10\\sau79ky9c79e.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe

description	ioc	process
File created	C:\ProgramData\Windows Search 5.3.10\desktop.ini	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
File opened for modification	C:\ProgramData\Windows Search 5.3.10\desktop.ini	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeexplorer.exe

pid	process
820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe

description	pid	process	target process
PID 1380 set thread context of 820	1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

explorer.exe

pid	process
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeexplorer.exe

pid	process
820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe

pid process

820 b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: SeRestorePrivilege	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: SeBackupPrivilege	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: SeLoadDriverPrivilege	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: SeCreatePagefilePrivilege	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: SeShutdownPrivilege	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: SeTakeOwnershipPrivilege	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: SeChangeNotifyPrivilege	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: SeCreateTokenPrivilege	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: SeMachineAccountPrivilege	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: SeSecurityPrivilege	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: SeAssignPrimaryTokenPrivilege	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: SeCreateGlobalPrivilege	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: 33	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
Token: SeDebugPrivilege	760	explorer.exe
Token: SeRestorePrivilege	760	explorer.exe
Token: SeBackupPrivilege	760	explorer.exe
Token: SeLoadDriverPrivilege	760	explorer.exe
Token: SeCreatePagefilePrivilege	760	explorer.exe
Token: SeShutdownPrivilege	760	explorer.exe
Token: SeTakeOwnershipPrivilege	760	explorer.exe
Token: SeChangeNotifyPrivilege	760	explorer.exe
Token: SeCreateTokenPrivilege	760	explorer.exe
Token: SeMachineAccountPrivilege	760	explorer.exe
Token: SeSecurityPrivilege	760	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	760	explorer.exe
Token: SeCreateGlobalPrivilege	760	explorer.exe
Token: 33	760	explorer.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeb94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exeexplorer.exe

description	pid	process	target process
PID 1380 wrote to memory of 820	1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
PID 1380 wrote to memory of 820	1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
PID 1380 wrote to memory of 820	1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
PID 1380 wrote to memory of 820	1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
PID 1380 wrote to memory of 820	1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
PID 1380 wrote to memory of 820	1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
PID 1380 wrote to memory of 820	1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
PID 1380 wrote to memory of 820	1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
PID 1380 wrote to memory of 820	1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
PID 1380 wrote to memory of 820	1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
PID 1380 wrote to memory of 820	1380	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
PID 820 wrote to memory of 760	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	explorer.exe
PID 820 wrote to memory of 760	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	explorer.exe
PID 820 wrote to memory of 760	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	explorer.exe
PID 820 wrote to memory of 760	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	explorer.exe
PID 820 wrote to memory of 760	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	explorer.exe
PID 820 wrote to memory of 760	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	explorer.exe
PID 820 wrote to memory of 760	820	b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe	explorer.exe
PID 760 wrote to memory of 1144	760	explorer.exe	Dwm.exe
PID 760 wrote to memory of 1144	760	explorer.exe	Dwm.exe
PID 760 wrote to memory of 1144	760	explorer.exe	Dwm.exe
PID 760 wrote to memory of 1144	760	explorer.exe	Dwm.exe
PID 760 wrote to memory of 1144	760	explorer.exe	Dwm.exe
PID 760 wrote to memory of 1144	760	explorer.exe	Dwm.exe
PID 760 wrote to memory of 1212	760	explorer.exe	Explorer.EXE
PID 760 wrote to memory of 1212	760	explorer.exe	Explorer.EXE
PID 760 wrote to memory of 1212	760	explorer.exe	Explorer.EXE
PID 760 wrote to memory of 1212	760	explorer.exe	Explorer.EXE
PID 760 wrote to memory of 1212	760	explorer.exe	Explorer.EXE
PID 760 wrote to memory of 1212	760	explorer.exe	Explorer.EXE
PID 760 wrote to memory of 960	760	explorer.exe	DllHost.exe
PID 760 wrote to memory of 960	760	explorer.exe	DllHost.exe
PID 760 wrote to memory of 960	760	explorer.exe	DllHost.exe
PID 760 wrote to memory of 960	760	explorer.exe	DllHost.exe
PID 760 wrote to memory of 960	760	explorer.exe	DllHost.exe
PID 760 wrote to memory of 960	760	explorer.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
"C:\Users\Admin\AppData\Local\Temp\b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe
"C:\Users\Admin\AppData\Local\Temp\b94410f72a616a50600c2a45dcef47961b427b15c3b535baf447ae60895e5ded.exe"
3⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1144

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

6

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\dotations.dll
Filesize
19KB

MD5
cae5dfec13610999c9d2ae836dbe57ec

SHA1
7dc43e60e03d1dd8348c9328b56ad0546c26ca45

SHA256
999e4591567c5537a36759f15108f1c3279cecdc88e520a6086269e67f73a76a

SHA512
6549aedd952797db3875d69e7bf96dc4b4aa530131d56600b78e4dca237c5ea86fd3a3a358fa1ad15175ee98535e5dcc05277f0ab819969f1451372122c1a082

Download Submit
memory/760-78-0x0000000000000000-mapping.dmp

Download
memory/760-87-0x0000000000090000-0x000000000012C000-memory.dmp

Filesize
624KB

Download
memory/760-86-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/760-84-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/760-83-0x0000000000090000-0x000000000012C000-memory.dmp

Filesize
624KB

Download
memory/760-82-0x0000000077210000-0x0000000077390000-memory.dmp

Filesize
1.5MB

Download
memory/760-80-0x00000000746B1000-0x00000000746B3000-memory.dmp

Filesize
8KB

Download
memory/820-63-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/820-61-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/820-69-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/820-71-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/820-72-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/820-74-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/820-75-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/820-76-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/820-77-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/820-67-0x00000000004015C6-mapping.dmp

Download
memory/820-66-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/820-81-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/820-65-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/820-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/820-59-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/820-60-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1212-85-0x0000000002680000-0x0000000002686000-memory.dmp

Filesize
24KB

Download
memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads