amadey | 79403994107dccd355ddf6638cc191b60f05a8b7760a6fc02bf00548a13cd3f3

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2023 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_soft.exe
Size

7.0MB
MD5

6e1e121b326c1fbacdbbfa31dfa9fe2c
SHA1

61a755cb930c4ce7b8aab7106b0aa7b08b427b92
SHA256

79403994107dccd355ddf6638cc191b60f05a8b7760a6fc02bf00548a13cd3f3
SHA512

c1d5d073bf679d8fe3de6e5f681fe0f382ef1d79d6a153e5bf18cd4d166a577b30f493e8e1b7c7063d25e990337dbc5f621efc31db6e88a10be95df43394a98f
SSDEEP

98304:Y5I5x3omArylYOI5CAaT+dPas2Yv0zcBWc1fldTRwaykXf1Dt4:15xqyoaT+dPB2mwq7T5bXfA

Score

10^/10

amadey dcrat redline smokeloader backdoor infostealer rat spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

3.65

83.217.11.7/8vcWxwwx3/index.php

Extracted

Family

redline

95.217.146.176:4281

Attributes

auth_value
a909e2aaecf96137978fea4f86400b9b

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 17 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepowershell.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
736	schtasks.exe
1196	schtasks.exe
1396	schtasks.exe
3856	schtasks.exe
4000	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\SystemCertificates\CA	powershell.exe
5032	schtasks.exe
3888	schtasks.exe
4960	schtasks.exe
4972	schtasks.exe
1156	schtasks.exe
1272	schtasks.exe
1600	schtasks.exe
1760	schtasks.exe
2908	schtasks.exe
4540	schtasks.exe
440	schtasks.exe

Detects Smokeloader packer 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3144-148-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/3144-149-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/3144-150-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

30 4000 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

ProgramStarter.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts ProgramStarter.exe
Executes dropped EXE 7 IoCs

Processes:

7B2C.exe7CB4.exenbveek.exe810A.exeProgramStarter.exe88FA.exenbveek.exe

pid process

1276 7B2C.exe
2524 7CB4.exe
4116 nbveek.exe
4188 810A.exe
2248 ProgramStarter.exe
4692 88FA.exe
3056 nbveek.exe

flow	pid	process
30	4000	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ProgramStarter.exe

pid	process
1276	7B2C.exe
2524	7CB4.exe
4116	nbveek.exe
4188	810A.exe
2248	ProgramStarter.exe
4692	88FA.exe
3056	nbveek.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\88FA.exe	upx
C:\Users\Admin\AppData\Local\Temp\88FA.exe	upx
behavioral2/memory/4692-213-0x0000000000B20000-0x0000000001305000-memory.dmp	upx
behavioral2/memory/4692-218-0x0000000000B20000-0x0000000001305000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7CB4.exenbveek.exe810A.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7CB4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	810A.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

3384 rundll32.exe
2280 rundll32.exe
5072 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

66 api.ipify.org
67 api.ipify.org

pid	process
3384	rundll32.exe
2280	rundll32.exe
5072	rundll32.exe

flow	ioc
66	api.ipify.org
67	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs

Processes:

powershell.exe

pid	process
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exe7B2C.exe

description	pid	process	target process
PID 4000 set thread context of 3144	4000	powershell.exe	aspnet_compiler.exe
PID 1276 set thread context of 4776	1276	7B2C.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

628 2280 WerFault.exe rundll32.exe

pid	pid_target	process	target process
628	2280	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aspnet_compiler.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aspnet_compiler.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aspnet_compiler.exe

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1156	schtasks.exe
4960	schtasks.exe
1760	schtasks.exe
2908	schtasks.exe
4972	schtasks.exe
1196	schtasks.exe
1396	schtasks.exe
3888	schtasks.exe
4000	schtasks.exe
440	schtasks.exe
1272	schtasks.exe
3856	schtasks.exe
736	schtasks.exe
5032	schtasks.exe
1600	schtasks.exe
4540	schtasks.exe

Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

776 taskkill.exe
1948 taskkill.exe
1464 taskkill.exe
404 taskkill.exe
3180 taskkill.exe
892 taskkill.exe

pid	process
776	taskkill.exe
1948	taskkill.exe
1464	taskkill.exe
404	taskkill.exe
3180	taskkill.exe
892	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeaspnet_compiler.exe

pid	process
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
3144	aspnet_compiler.exe
3144	aspnet_compiler.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3092
Suspicious behavior: MapViewOfSection 13 IoCs

Processes:

aspnet_compiler.exe

pid process

3144 aspnet_compiler.exe
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092

pid	process
3092

pid	process
3144	aspnet_compiler.exe
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

powershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeProgramStarter.exetaskkill.exeAppLaunch.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeDebugPrivilege	404	taskkill.exe
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeDebugPrivilege	3180	taskkill.exe
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeDebugPrivilege	2248	ProgramStarter.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeDebugPrivilege	4776	AppLaunch.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeShutdownPrivilege	3744	powercfg.exe
Token: SeCreatePagefilePrivilege	3744	powercfg.exe
Token: SeShutdownPrivilege	3596	powercfg.exe
Token: SeCreatePagefilePrivilege	3596	powercfg.exe
Token: SeShutdownPrivilege	4188	powercfg.exe
Token: SeCreatePagefilePrivilege	4188	powercfg.exe
Token: SeShutdownPrivilege	2444	powercfg.exe
Token: SeCreatePagefilePrivilege	2444	powercfg.exe
Token: SeShutdownPrivilege	1496	powercfg.exe
Token: SeCreatePagefilePrivilege	1496	powercfg.exe
Token: SeShutdownPrivilege	1496	powercfg.exe
Token: SeCreatePagefilePrivilege	1496	powercfg.exe
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup_soft.exepowershell.execmd.exe7CB4.exe7B2C.exenbveek.execmd.exe810A.exe

description	pid	process	target process
PID 4488 wrote to memory of 4000	4488	Setup_soft.exe	powershell.exe
PID 4488 wrote to memory of 4000	4488	Setup_soft.exe	powershell.exe
PID 4488 wrote to memory of 4000	4488	Setup_soft.exe	powershell.exe
PID 4000 wrote to memory of 3144	4000	powershell.exe	aspnet_compiler.exe
PID 4000 wrote to memory of 3144	4000	powershell.exe	aspnet_compiler.exe
PID 4000 wrote to memory of 3144	4000	powershell.exe	aspnet_compiler.exe
PID 4000 wrote to memory of 3144	4000	powershell.exe	aspnet_compiler.exe
PID 4000 wrote to memory of 3144	4000	powershell.exe	aspnet_compiler.exe
PID 4000 wrote to memory of 3144	4000	powershell.exe	aspnet_compiler.exe
PID 3092 wrote to memory of 3856	3092		cmd.exe
PID 3092 wrote to memory of 3856	3092		cmd.exe
PID 3856 wrote to memory of 1856	3856	cmd.exe	cacls.exe
PID 3856 wrote to memory of 1856	3856	cmd.exe	cacls.exe
PID 3856 wrote to memory of 848	3856	cmd.exe	powershell.exe
PID 3856 wrote to memory of 848	3856	cmd.exe	powershell.exe
PID 3856 wrote to memory of 3208	3856	cmd.exe	reg.exe
PID 3856 wrote to memory of 3208	3856	cmd.exe	reg.exe
PID 3856 wrote to memory of 3796	3856	cmd.exe	reg.exe
PID 3856 wrote to memory of 3796	3856	cmd.exe	reg.exe
PID 3856 wrote to memory of 776	3856	cmd.exe	taskkill.exe
PID 3856 wrote to memory of 776	3856	cmd.exe	taskkill.exe
PID 3092 wrote to memory of 1276	3092		7B2C.exe
PID 3092 wrote to memory of 1276	3092		7B2C.exe
PID 3092 wrote to memory of 1276	3092		7B2C.exe
PID 3856 wrote to memory of 1948	3856	cmd.exe	taskkill.exe
PID 3856 wrote to memory of 1948	3856	cmd.exe	taskkill.exe
PID 3092 wrote to memory of 2524	3092		7CB4.exe
PID 3092 wrote to memory of 2524	3092		7CB4.exe
PID 3092 wrote to memory of 2524	3092		7CB4.exe
PID 3856 wrote to memory of 1464	3856	cmd.exe	taskkill.exe
PID 3856 wrote to memory of 1464	3856	cmd.exe	taskkill.exe
PID 3856 wrote to memory of 404	3856	cmd.exe	taskkill.exe
PID 3856 wrote to memory of 404	3856	cmd.exe	taskkill.exe
PID 2524 wrote to memory of 4116	2524	7CB4.exe	nbveek.exe
PID 2524 wrote to memory of 4116	2524	7CB4.exe	nbveek.exe
PID 2524 wrote to memory of 4116	2524	7CB4.exe	nbveek.exe
PID 1276 wrote to memory of 4776	1276	7B2C.exe	AppLaunch.exe
PID 1276 wrote to memory of 4776	1276	7B2C.exe	AppLaunch.exe
PID 1276 wrote to memory of 4776	1276	7B2C.exe	AppLaunch.exe
PID 1276 wrote to memory of 4776	1276	7B2C.exe	AppLaunch.exe
PID 3092 wrote to memory of 4188	3092		810A.exe
PID 3092 wrote to memory of 4188	3092		810A.exe
PID 3092 wrote to memory of 4188	3092		810A.exe
PID 1276 wrote to memory of 4776	1276	7B2C.exe	AppLaunch.exe
PID 4116 wrote to memory of 736	4116	nbveek.exe	schtasks.exe
PID 4116 wrote to memory of 736	4116	nbveek.exe	schtasks.exe
PID 4116 wrote to memory of 736	4116	nbveek.exe	schtasks.exe
PID 4116 wrote to memory of 4312	4116	nbveek.exe	cmd.exe
PID 4116 wrote to memory of 4312	4116	nbveek.exe	cmd.exe
PID 4116 wrote to memory of 4312	4116	nbveek.exe	cmd.exe
PID 3856 wrote to memory of 3180	3856	cmd.exe	taskkill.exe
PID 3856 wrote to memory of 3180	3856	cmd.exe	taskkill.exe
PID 4312 wrote to memory of 632	4312	cmd.exe	cmd.exe
PID 4312 wrote to memory of 632	4312	cmd.exe	cmd.exe
PID 4312 wrote to memory of 632	4312	cmd.exe	cmd.exe
PID 4312 wrote to memory of 2356	4312	cmd.exe	cacls.exe
PID 4312 wrote to memory of 2356	4312	cmd.exe	cacls.exe
PID 4312 wrote to memory of 2356	4312	cmd.exe	cacls.exe
PID 4188 wrote to memory of 2248	4188	810A.exe	ProgramStarter.exe
PID 4188 wrote to memory of 2248	4188	810A.exe	ProgramStarter.exe
PID 4188 wrote to memory of 2248	4188	810A.exe	ProgramStarter.exe
PID 3092 wrote to memory of 4692	3092		88FA.exe
PID 3092 wrote to memory of 4692	3092		88FA.exe
PID 3092 wrote to memory of 3272	3092		explorer.exe

C:\Users\Admin\AppData\Local\Temp\Setup_soft.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_soft.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
2⤵
- DcRat
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6F63.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionPath C:\
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Policies\Google\chrome" /v DownloadRestrictions /t REG_DWORD /d 3
2⤵
PID:3208

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Edge" /v DownloadRestrictions /t REG_DWORD /d 3
2⤵
PID:3796

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Users\Admin\AppData\Local\Temp\7B2C.exe
C:\Users\Admin\AppData\Local\Temp\7B2C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Users\Admin\AppData\Local\Temp\7CB4.exe
C:\Users\Admin\AppData\Local\Temp\7CB4.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe" /F
3⤵
- DcRat
- Creates scheduled task(s)
PID:736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\8682d6c68d" /P "Admin:N"&&CACLS "..\8682d6c68d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:632

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
4⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1716

C:\Windows\SysWOW64\cacls.exe
CACLS "..\8682d6c68d" /P "Admin:R" /E
4⤵
PID:4132

C:\Windows\SysWOW64\cacls.exe
CACLS "..\8682d6c68d" /P "Admin:N"
4⤵
PID:4264

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
4⤵
PID:2040

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:3384

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:2280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2280 -s 684
5⤵
- Program crash
PID:628

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8be7d7b3521979\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:5072

C:\Users\Admin\AppData\Local\Temp\810A.exe
C:\Users\Admin\AppData\Local\Temp\810A.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4188

C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe
"C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAFQAQQBHAE8AYwB6AFkAUgBVAFIAVwBGAFkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBJAEIAYgBnAGkARgBSAFoAbgB4AGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAFQAdQBSAHUATwBEAFIAUgBmAE0AYgBIAGwAeABXACMAPgAgAEAAKAAgADwAIwBGAFUAWQBtAFEAaQBEAGcAYwBlAGYAcgBxAG4AIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFMASwBDAHAAUwBZAEYAUwBUAG4AaABtAE0AdwBIAFMAeQBkACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBiAGIAcgBWAFAAZwBkAGYATgB0AFYAYwB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEUAawBQAFUAdQBrAEIAaQBxAGYAaABKACMAPgA="
3⤵
PID:1660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAFQAQQBHAE8AYwB6AFkAUgBVAFIAVwBGAFkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBJAEIAYgBnAGkARgBSAFoAbgB4AGoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAFQAdQBSAHUATwBEAFIAUgBmAE0AYgBIAGwAeABXACMAPgAgAEAAKAAgADwAIwBGAFUAWQBtAFEAaQBEAGcAYwBlAGYAcgBxAG4AIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAFMASwBDAHAAUwBZAEYAUwBUAG4AaABtAE0AdwBIAFMAeQBkACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBiAGIAcgBWAFAAZwBkAGYATgB0AFYAYwB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEUAawBQAFUAdQBrAEIAaQBxAGYAaABKACMAPgA="
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:4920

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:5032

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:1264

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:440

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:2752

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:3856

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:3788

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4972

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:2760

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:2908

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:2536

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:3888

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:2440

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:1600

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:5100

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:1272

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk692" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:2360

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk692" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4960

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk615" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:736

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk615" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:1156

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk558" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:4020

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk558" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:1760

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk297" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:560

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk297" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:1396

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:632

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\SysWOW64\powercfg.exe
powercfg /hibernate off
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4540

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
3⤵
PID:4924

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4000

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk711" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:1648

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk711" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:1196

C:\Users\Admin\AppData\Local\Temp\88FA.exe
C:\Users\Admin\AppData\Local\Temp\88FA.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\88FA.exe
2⤵
PID:1820

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
3⤵
PID:1156

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3272

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5064

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4816

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3956

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1348

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2280 -ip 2280
1⤵
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
b3602b7df9c7f37e0ad24d837dda9b42

SHA1
6d99437a35774d75d60894de1949037718584838

SHA256
0e637c6af1835f91c84147bca85efcae5f4bdb1418997be73f8072f04ce9db8a

SHA512
0517ff93c8df96cad0d1dbf595f03763bc65bc7575e354cf682515615be899b313d3e6162145233394508d0d4d609a6afc5945db14d3ccca7800fdc1d02b9bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F63.bat
Filesize
998B

MD5
03ad944d6ba8497c2e69598371b03852

SHA1
fd768cc75ac280b6c0275ee97320916fcc6737a8

SHA256
fc5cd844cdaa40e4f8a522316fcc1d1120877014490aa20a2e0555064fea05fe

SHA512
6ae9f80aa827dfbadaa8f5ab6862beb2d1f937ba9135a180bcf278b1d364ff998eb99f4e8f2cd4f1c61370fdcdab6ce03aebf3d2dc046724aa35e34cc059ef00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B2C.exe
Filesize
3.7MB

MD5
2f0599fdbe497ee53cc19e931dfc488e

SHA1
461437da78493d25efb3e43f5a101af90e9f1a4f

SHA256
e0a6c0ae0e3208dd0dd780a48da43aac97936ed980550be30c22ade79bed4fdb

SHA512
927342d4638bc146c04d5521228b50e2b982dcdb44bf5fb03cac234ad31a48433139834d1a3537c24ffdbaa6ae1269ce5fefe2afb5a521339c10744bf62f2326

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B2C.exe
Filesize
3.7MB

MD5
2f0599fdbe497ee53cc19e931dfc488e

SHA1
461437da78493d25efb3e43f5a101af90e9f1a4f

SHA256
e0a6c0ae0e3208dd0dd780a48da43aac97936ed980550be30c22ade79bed4fdb

SHA512
927342d4638bc146c04d5521228b50e2b982dcdb44bf5fb03cac234ad31a48433139834d1a3537c24ffdbaa6ae1269ce5fefe2afb5a521339c10744bf62f2326

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB4.exe
Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CB4.exe
Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\810A.exe
Filesize
2.7MB

MD5
7d95e6447af860d34ca00dc9d5448882

SHA1
32d48ea0445920e44a8dd44674060ac4f6dd3906

SHA256
69671aa20e3af82c516d46bc255ec99867f171c9531fc74d4be75fc9c7b39e8f

SHA512
57d9e2584c7b4ea5d44d17f1ebe1a34a99ab3fbf47bd14bfbe67ccc52997e2d12feeed493625d390889b5f38c0354c0213de90817ec462ce57a8df7d00ea1219

Download Submit
C:\Users\Admin\AppData\Local\Temp\810A.exe
Filesize
2.7MB

MD5
7d95e6447af860d34ca00dc9d5448882

SHA1
32d48ea0445920e44a8dd44674060ac4f6dd3906

SHA256
69671aa20e3af82c516d46bc255ec99867f171c9531fc74d4be75fc9c7b39e8f

SHA512
57d9e2584c7b4ea5d44d17f1ebe1a34a99ab3fbf47bd14bfbe67ccc52997e2d12feeed493625d390889b5f38c0354c0213de90817ec462ce57a8df7d00ea1219

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
Filesize
246KB

MD5
52b22168cedfe571d08aff7d0746fefa

SHA1
ae394d63053d15e549c0dc174467d2b5ab5ffc98

SHA256
8429a3a172e5809b3a99c1f5e1817c071e3dfe06beb213e3d04842666470d63b

SHA512
cb84e61492d3d920927782a7f9f24e103a6fc59850adb29b07b6a94d6c2cc7486dacf461d76b908ac6155dd42a71e1d79e99512a299336d19c9c2da371029bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\88FA.exe
Filesize
2.4MB

MD5
b9095b36aebb1f46d374f13267900ce0

SHA1
5f824bd9f4e878055aa595d6d1abdda00ba04aa4

SHA256
747783ba8520d5a835da98c2d9cf3f1a85ee3d57693d7d35c43a2c9ac5dc4375

SHA512
b9737d6b393a0e8d97f93d19c2d03e738ede54cfc35bdb479f52e351daccfc3236855d24796b17b643d2209fb4dc0200837bd55a228ddf03098f37ba53bbb785

Download Submit
C:\Users\Admin\AppData\Local\Temp\88FA.exe
Filesize
2.4MB

MD5
b9095b36aebb1f46d374f13267900ce0

SHA1
5f824bd9f4e878055aa595d6d1abdda00ba04aa4

SHA256
747783ba8520d5a835da98c2d9cf3f1a85ee3d57693d7d35c43a2c9ac5dc4375

SHA512
b9737d6b393a0e8d97f93d19c2d03e738ede54cfc35bdb479f52e351daccfc3236855d24796b17b643d2209fb4dc0200837bd55a228ddf03098f37ba53bbb785

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe
Filesize
546KB

MD5
55d37f67671ab37b0c0a395e135ec1ad

SHA1
b533192ff541d4b0df5f79e9c554730ce660c5d0

SHA256
6235750e75a07d6cd69deebe1880a6e2e1173e2b020f45d6eec8344104368f3e

SHA512
dea08d9144fd6613e909b1e7b07d8d6079708b2ff88a957ab2a07c59f42de0e50110086b5b6120e84b0babb591bfe3fcf29753ce5d0a38f1dfc50af5e4d4f832

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe
Filesize
546KB

MD5
55d37f67671ab37b0c0a395e135ec1ad

SHA1
b533192ff541d4b0df5f79e9c554730ce660c5d0

SHA256
6235750e75a07d6cd69deebe1880a6e2e1173e2b020f45d6eec8344104368f3e

SHA512
dea08d9144fd6613e909b1e7b07d8d6079708b2ff88a957ab2a07c59f42de0e50110086b5b6120e84b0babb591bfe3fcf29753ce5d0a38f1dfc50af5e4d4f832

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\clip64.dll
Filesize
89KB

MD5
8ee29b714ba490ec4a0828816f15ed4f

SHA1
0556df48a668c35c6611ffce1425f1d9e89d0cd7

SHA256
fff252c139b136ba131fab2db7880c79856d39fce2e9d0d15cd19de8f4b52bc5

SHA512
df90bb9497ff20f13c4d19324af91ec9f6bbf3f9b5055e24e3bae0f77c7df6db58384bff8dbdd88104c05e7c586c489968bcb6b3ef86436704aa4cd2f5c8acc8

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\clip64.dll
Filesize
89KB

MD5
8ee29b714ba490ec4a0828816f15ed4f

SHA1
0556df48a668c35c6611ffce1425f1d9e89d0cd7

SHA256
fff252c139b136ba131fab2db7880c79856d39fce2e9d0d15cd19de8f4b52bc5

SHA512
df90bb9497ff20f13c4d19324af91ec9f6bbf3f9b5055e24e3bae0f77c7df6db58384bff8dbdd88104c05e7c586c489968bcb6b3ef86436704aa4cd2f5c8acc8

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll
Filesize
1.0MB

MD5
8e524997f4a2265864cd0b6c4cc450d8

SHA1
234ac78268e7a35d8ca995289f4a8dc27aa1c443

SHA256
95192297102c514f23926e934b0981c8aa8d42195f941a44c49cde1a21a809b0

SHA512
504872731cb14e3b643d039e39f00881be0cf1ba97f8e0077b2a6429f608f05b582531c52e4fa456661da9dade3e1b9f5c9b62326fb03d7b4636ea1db630c6ea

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll
Filesize
1.0MB

MD5
8e524997f4a2265864cd0b6c4cc450d8

SHA1
234ac78268e7a35d8ca995289f4a8dc27aa1c443

SHA256
95192297102c514f23926e934b0981c8aa8d42195f941a44c49cde1a21a809b0

SHA512
504872731cb14e3b643d039e39f00881be0cf1ba97f8e0077b2a6429f608f05b582531c52e4fa456661da9dade3e1b9f5c9b62326fb03d7b4636ea1db630c6ea

Download Submit
C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll
Filesize
1.0MB

MD5
8e524997f4a2265864cd0b6c4cc450d8

SHA1
234ac78268e7a35d8ca995289f4a8dc27aa1c443

SHA256
95192297102c514f23926e934b0981c8aa8d42195f941a44c49cde1a21a809b0

SHA512
504872731cb14e3b643d039e39f00881be0cf1ba97f8e0077b2a6429f608f05b582531c52e4fa456661da9dade3e1b9f5c9b62326fb03d7b4636ea1db630c6ea

Download Submit
memory/204-277-0x0000000001420000-0x0000000001428000-memory.dmp

Filesize
32KB

Download
memory/204-231-0x0000000001410000-0x000000000141B000-memory.dmp

Filesize
44KB

Download
memory/204-230-0x0000000001420000-0x0000000001428000-memory.dmp

Filesize
32KB

Download
memory/204-229-0x0000000000000000-mapping.dmp

Download
memory/404-176-0x0000000000000000-mapping.dmp

Download
memory/440-257-0x0000000000000000-mapping.dmp

Download
memory/560-253-0x0000000000000000-mapping.dmp

Download
memory/632-196-0x0000000000000000-mapping.dmp

Download
memory/632-254-0x0000000000000000-mapping.dmp

Download
memory/736-251-0x0000000000000000-mapping.dmp

Download
memory/736-190-0x0000000000000000-mapping.dmp

Download
memory/776-165-0x0000000000000000-mapping.dmp

Download
memory/848-158-0x000001A4EBF00000-0x000001A4EBF0A000-memory.dmp

Filesize
40KB

Download
memory/848-154-0x0000000000000000-mapping.dmp

Download
memory/848-155-0x000001A4EA840000-0x000001A4EA862000-memory.dmp

Filesize
136KB

Download
memory/848-157-0x000001A4EBF10000-0x000001A4EBF2C000-memory.dmp

Filesize
112KB

Download
memory/848-159-0x00007FFC99E40000-0x00007FFC9A901000-memory.dmp

Filesize
10.8MB

Download
memory/848-160-0x000001A4EBF30000-0x000001A4EBF38000-memory.dmp

Filesize
32KB

Download
memory/848-162-0x00007FFC99E40000-0x00007FFC9A901000-memory.dmp

Filesize
10.8MB

Download
memory/848-161-0x000001A4EBF40000-0x000001A4EBF4A000-memory.dmp

Filesize
40KB

Download
memory/892-207-0x0000000000000000-mapping.dmp

Download
memory/1156-266-0x0000000000000000-mapping.dmp

Download
memory/1156-219-0x0000000000000000-mapping.dmp

Download
memory/1196-263-0x0000000000000000-mapping.dmp

Download
memory/1264-242-0x0000000000000000-mapping.dmp

Download
memory/1272-268-0x0000000000000000-mapping.dmp

Download
memory/1276-166-0x0000000000000000-mapping.dmp

Download
memory/1276-174-0x0000000000530000-0x0000000000AD3000-memory.dmp

Filesize
5.6MB

Download
memory/1348-226-0x0000000000000000-mapping.dmp

Download
memory/1348-276-0x0000000001280000-0x0000000001287000-memory.dmp

Filesize
28KB

Download
memory/1348-227-0x0000000001280000-0x0000000001287000-memory.dmp

Filesize
28KB

Download
memory/1348-228-0x0000000000FF0000-0x0000000000FFD000-memory.dmp

Filesize
52KB

Download
memory/1464-173-0x0000000000000000-mapping.dmp

Download
memory/1600-267-0x0000000000000000-mapping.dmp

Download
memory/1648-249-0x0000000000000000-mapping.dmp

Download
memory/1660-234-0x0000000000000000-mapping.dmp

Download
memory/1716-209-0x0000000000000000-mapping.dmp

Download
memory/1820-215-0x0000000000000000-mapping.dmp

Download
memory/1856-153-0x0000000000000000-mapping.dmp

Download
memory/1880-271-0x0000000007E30000-0x0000000007E4A000-memory.dmp

Filesize
104KB

Download
memory/1880-269-0x0000000007DD0000-0x0000000007DDE000-memory.dmp

Filesize
56KB

Download
memory/1880-272-0x0000000007E20000-0x0000000007E28000-memory.dmp

Filesize
32KB

Download
memory/1880-235-0x0000000000000000-mapping.dmp

Download
memory/1880-262-0x0000000007E70000-0x0000000007F06000-memory.dmp

Filesize
600KB

Download
memory/1880-243-0x0000000006DE0000-0x0000000006DFE000-memory.dmp

Filesize
120KB

Download
memory/1880-239-0x0000000006D80000-0x0000000006DB2000-memory.dmp

Filesize
200KB

Download
memory/1880-256-0x0000000007C00000-0x0000000007C0A000-memory.dmp

Filesize
40KB

Download
memory/1880-241-0x000000006DB90000-0x000000006DBDC000-memory.dmp

Filesize
304KB

Download
memory/1948-168-0x0000000000000000-mapping.dmp

Download
memory/2040-208-0x0000000000000000-mapping.dmp

Download
memory/2248-203-0x0000000000900000-0x000000000098E000-memory.dmp

Filesize
568KB

Download
memory/2248-199-0x0000000000000000-mapping.dmp

Download
memory/2356-198-0x0000000000000000-mapping.dmp

Download
memory/2360-250-0x0000000000000000-mapping.dmp

Download
memory/2440-247-0x0000000000000000-mapping.dmp

Download
memory/2524-170-0x0000000000000000-mapping.dmp

Download
memory/2536-246-0x0000000000000000-mapping.dmp

Download
memory/2752-244-0x0000000000000000-mapping.dmp

Download
memory/2760-245-0x0000000000000000-mapping.dmp

Download
memory/2908-258-0x0000000000000000-mapping.dmp

Download
memory/3144-147-0x0000000000000000-mapping.dmp

Download
memory/3144-148-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3144-149-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3144-150-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3180-192-0x0000000000000000-mapping.dmp

Download
memory/3208-163-0x0000000000000000-mapping.dmp

Download
memory/3272-270-0x00000000007E0000-0x00000000007E5000-memory.dmp

Filesize
20KB

Download
memory/3272-214-0x00000000007E0000-0x00000000007E5000-memory.dmp

Filesize
20KB

Download
memory/3272-206-0x0000000000000000-mapping.dmp

Download
memory/3272-216-0x00000000007D0000-0x00000000007D9000-memory.dmp

Filesize
36KB

Download
memory/3788-240-0x0000000000000000-mapping.dmp

Download
memory/3796-164-0x0000000000000000-mapping.dmp

Download
memory/3856-151-0x0000000000000000-mapping.dmp

Download
memory/3856-259-0x0000000000000000-mapping.dmp

Download
memory/3888-265-0x0000000000000000-mapping.dmp

Download
memory/3956-225-0x0000000000780000-0x000000000078B000-memory.dmp

Filesize
44KB

Download
memory/3956-224-0x0000000000000000-mapping.dmp

Download
memory/3956-275-0x0000000000790000-0x0000000000796000-memory.dmp

Filesize
24KB

Download
memory/4000-143-0x00000000060D0000-0x0000000006114000-memory.dmp

Filesize
272KB

Download
memory/4000-145-0x0000000007590000-0x0000000007C0A000-memory.dmp

Filesize
6.5MB

Download
memory/4000-146-0x0000000006F10000-0x0000000006F2A000-memory.dmp

Filesize
104KB

Download
memory/4000-144-0x0000000006E90000-0x0000000006F06000-memory.dmp

Filesize
472KB

Download
memory/4000-142-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/4000-141-0x0000000005570000-0x00000000055D6000-memory.dmp

Filesize
408KB

Download
memory/4000-140-0x0000000004D30000-0x0000000004D96000-memory.dmp

Filesize
408KB

Download
memory/4000-139-0x0000000004B90000-0x0000000004BB2000-memory.dmp

Filesize
136KB

Download
memory/4000-138-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download
memory/4000-137-0x0000000000DA0000-0x0000000000DD6000-memory.dmp

Filesize
216KB

Download
memory/4000-136-0x0000000000000000-mapping.dmp

Download
memory/4020-252-0x0000000000000000-mapping.dmp

Download
memory/4116-177-0x0000000000000000-mapping.dmp

Download
memory/4132-211-0x0000000000000000-mapping.dmp

Download
memory/4188-182-0x0000000000000000-mapping.dmp

Download
memory/4188-188-0x0000000000010000-0x00000000002C6000-memory.dmp

Filesize
2.7MB

Download
memory/4264-210-0x0000000000000000-mapping.dmp

Download
memory/4312-191-0x0000000000000000-mapping.dmp

Download
memory/4488-133-0x0000000008210000-0x00000000087B4000-memory.dmp

Filesize
5.6MB

Download
memory/4488-134-0x0000000007D00000-0x0000000007D92000-memory.dmp

Filesize
584KB

Download
memory/4488-135-0x0000000007EA0000-0x0000000007EAA000-memory.dmp

Filesize
40KB

Download
memory/4488-132-0x0000000000280000-0x00000000008EC000-memory.dmp

Filesize
6.4MB

Download
memory/4692-218-0x0000000000B20000-0x0000000001305000-memory.dmp

Filesize
7.9MB

Download
memory/4692-213-0x0000000000B20000-0x0000000001305000-memory.dmp

Filesize
7.9MB

Download
memory/4692-202-0x0000000000000000-mapping.dmp

Download
memory/4776-197-0x0000000005060000-0x000000000509C000-memory.dmp

Filesize
240KB

Download
memory/4776-181-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4776-194-0x00000000050D0000-0x00000000051DA000-memory.dmp

Filesize
1.0MB

Download
memory/4776-195-0x0000000005000000-0x0000000005012000-memory.dmp

Filesize
72KB

Download
memory/4776-193-0x0000000005550000-0x0000000005B68000-memory.dmp

Filesize
6.1MB

Download
memory/4776-180-0x0000000000000000-mapping.dmp

Download
memory/4776-233-0x0000000007050000-0x000000000757C000-memory.dmp

Filesize
5.2MB

Download
memory/4776-232-0x00000000062B0000-0x0000000006472000-memory.dmp

Filesize
1.8MB

Download
memory/4816-274-0x0000000000A00000-0x0000000000A22000-memory.dmp

Filesize
136KB

Download
memory/4816-220-0x0000000000000000-mapping.dmp

Download
memory/4816-222-0x0000000000A00000-0x0000000000A22000-memory.dmp

Filesize
136KB

Download
memory/4816-223-0x00000000007D0000-0x00000000007F7000-memory.dmp

Filesize
156KB

Download
memory/4920-238-0x0000000000000000-mapping.dmp

Download
memory/4924-255-0x0000000000000000-mapping.dmp

Download
memory/4960-264-0x0000000000000000-mapping.dmp

Download
memory/4972-261-0x0000000000000000-mapping.dmp

Download
memory/5032-260-0x0000000000000000-mapping.dmp

Download
memory/5064-273-0x0000000000C00000-0x0000000000C06000-memory.dmp

Filesize
24KB

Download
memory/5064-217-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/5064-212-0x0000000000000000-mapping.dmp

Download
memory/5064-221-0x0000000000C00000-0x0000000000C06000-memory.dmp

Filesize
24KB

Download
memory/5100-248-0x0000000000000000-mapping.dmp

Download