Analysis Overview
SHA256
819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c
Threat Level: Known bad
The file 819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c was found to be: Known bad.
Malicious Activity Summary
Detects Smokeloader packer
AsyncRat
Detect PureCrypter injector
SmokeLoader
PureCrypter
Modifies WinLogon for persistence
Async RAT payload
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: AddClipboardFormatListener
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-27 06:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-27 06:43
Reported
2023-02-27 06:46
Platform
win7-20230220-en
Max time kernel
82s
Max time network
152s
Command Line
Signatures
AsyncRat
Detect PureCrypter injector
Detects Smokeloader packer
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Vipertex\\Saten.exe\"," | C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Meow\\Meow.exe\"," | C:\Users\Admin\AppData\Local\Temp\qekjvo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\bvhjvkvjer\\vvhkvkjre.exe\"," | C:\Users\Admin\AppData\Local\Temp\rzaylm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Colors\\Pink.exe\"," | C:\Users\Admin\AppData\Local\Temp\tjmotg.exe | N/A |
PureCrypter
SmokeLoader
Async RAT payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qekjvo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rzaylm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tjmotg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1484 set thread context of 1076 | N/A | C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 808 set thread context of 1088 | N/A | C:\Users\Admin\AppData\Local\Temp\qekjvo.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
| PID 1684 set thread context of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\rzaylm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| PID 964 set thread context of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\tjmotg.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe
"C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qekjvo.exe"' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qekjvo.exe"'
C:\Users\Admin\AppData\Local\Temp\qekjvo.exe
"C:\Users\Admin\AppData\Local\Temp\qekjvo.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rzaylm.exe"' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rzaylm.exe"'
C:\Users\Admin\AppData\Local\Temp\rzaylm.exe
"C:\Users\Admin\AppData\Local\Temp\rzaylm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tjmotg.exe"' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tjmotg.exe"'
C:\Users\Admin\AppData\Local\Temp\tjmotg.exe
"C:\Users\Admin\AppData\Local\Temp\tjmotg.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tjlmuu.exe"' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tjlmuu.exe"'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\tjlmuu.exe
"C:\Users\Admin\AppData\Local\Temp\tjlmuu.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | update-checker-status.cc | udp |
| NL | 84.32.190.34:80 | update-checker-status.cc | tcp |
| NL | 193.142.146.212:8808 | | tcp |
| NL | 193.142.146.212:8808 | | tcp |
| NL | 193.142.146.212:8808 | | tcp |
| NL | 193.142.146.212:8808 | | tcp |
| NL | 193.142.146.212:8808 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabAE8A.tmp
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
C:\Users\Admin\AppData\Local\Temp\TarB438.tmp
| MD5 | 73b4b714b42fc9a6aaefd0ae59adb009 |
| SHA1 | efdaffd5b0ad21913d22001d91bf6c19ecb4ac41 |
| SHA256 | c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd |
| SHA512 | 73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd |
C:\Users\Admin\AppData\Local\Temp\qekjvo.exe
| MD5 | 494969d84ee004227da4051403cbc098 |
| SHA1 | befd216439b68c83899476ea7bf5c7eff025bdc6 |
| SHA256 | c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48 |
| SHA512 | ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 899bb4e811f6db63886060304509fb54 |
| SHA1 | 86f72a84a4421ec4d48733385c644d61ab0dbecd |
| SHA256 | dbc060b11450bc2716443019944d28ad25f3254fc45fa533cde0a17fada74e6b |
| SHA512 | 26197246e8ab91acb5d692fda233d93d95825f5b394fd210be907b268676c1c4e20457bacaa47f19ec349bac8c5308df7e794c767e6016e64281f8f0d5912c44 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SEYUE17MLALUHN0ZH03H.temp
| MD5 | 899bb4e811f6db63886060304509fb54 |
| SHA1 | 86f72a84a4421ec4d48733385c644d61ab0dbecd |
| SHA256 | dbc060b11450bc2716443019944d28ad25f3254fc45fa533cde0a17fada74e6b |
| SHA512 | 26197246e8ab91acb5d692fda233d93d95825f5b394fd210be907b268676c1c4e20457bacaa47f19ec349bac8c5308df7e794c767e6016e64281f8f0d5912c44 |
C:\Users\Admin\AppData\Local\Temp\rzaylm.exe
| MD5 | 7bf2898f75b3974d2c53999f8d3f40fb |
| SHA1 | c406aeef85ed1ce026b98b858af4be62da421119 |
| SHA256 | c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208 |
| SHA512 | 20ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676 |
C:\Users\Admin\AppData\Local\Temp\tjmotg.exe
| MD5 | a08e5952ddaaabe4b7deaf30e3e522d3 |
| SHA1 | d111978b9e2ea04f53ce48a36a4fde0e0e900ba3 |
| SHA256 | 52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f |
| SHA512 | 2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea |
C:\Users\Admin\AppData\Local\Temp\tjlmuu.exe
| MD5 | a4f3e603a335cbd6d8f9ff11c8f9a9c2 |
| SHA1 | a5de59863fb4acc05a9253562172f802420ed21b |
| SHA256 | 2c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e |
| SHA512 | 659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-27 06:43
Reported
2023-02-27 06:46
Platform
win10v2004-20230220-en
Max time kernel
151s
Max time network
152s
Command Line
Signatures
AsyncRat
Detects Smokeloader packer
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Vipertex\\Saten.exe\"," | C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Meow\\Meow.exe\"," | C:\Users\Admin\AppData\Local\Temp\rtimlm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\bvhjvkvjer\\vvhkvkjre.exe\"," | C:\Users\Admin\AppData\Local\Temp\ezciiu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Colors\\Pink.exe\"," | C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe | N/A |
SmokeLoader
Async RAT payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ezciiu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rtimlm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ezciiu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fkytby.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4400 set thread context of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3572 set thread context of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\rtimlm.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe |
| PID 2948 set thread context of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\ezciiu.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| PID 3612 set thread context of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe
"C:\Users\Admin\AppData\Local\Temp\819d812044fccc25692d6f0919850536d3486bdfdf296bea08ea3291fe1d425c.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rtimlm.exe"' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\rtimlm.exe"'
C:\Users\Admin\AppData\Local\Temp\rtimlm.exe
"C:\Users\Admin\AppData\Local\Temp\rtimlm.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ezciiu.exe"' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ezciiu.exe"'
C:\Users\Admin\AppData\Local\Temp\ezciiu.exe
"C:\Users\Admin\AppData\Local\Temp\ezciiu.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe"' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe"'
C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe
"C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fkytby.exe"' & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\fkytby.exe"'
C:\Users\Admin\AppData\Local\Temp\fkytby.exe
"C:\Users\Admin\AppData\Local\Temp\fkytby.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update-checker-status.cc | udp |
| NL | 84.32.190.34:80 | update-checker-status.cc | tcp |
| NL | 193.142.146.212:8808 | | tcp |
| US | 8.8.8.8:53 | 34.190.32.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.146.142.193.in-addr.arpa | udp |
| NL | 193.142.146.212:8808 | | tcp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 20.189.173.5:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| NL | 193.142.146.212:8808 | | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| NL | 193.142.146.212:8808 | | tcp |
| NL | 8.238.177.126:80 | | tcp |
| US | 8.8.8.8:53 | 254.5.248.8.in-addr.arpa | udp |
| NL | 193.142.146.212:8808 | | tcp |
| US | 8.8.8.8:53 | glueberry-og.cc | udp |
| DE | 193.142.147.59:80 | glueberry-og.cc | tcp |
| US | 8.8.8.8:53 | glueberry-og.co | udp |
| DE | 193.142.147.59:80 | glueberry-og.co | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n1teaz35.rwq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\rtimlm.exe
| MD5 | 494969d84ee004227da4051403cbc098 |
| SHA1 | befd216439b68c83899476ea7bf5c7eff025bdc6 |
| SHA256 | c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48 |
| SHA512 | ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 5315900105942deb090a358a315b06fe |
| SHA1 | 22fe5d2e1617c31afbafb91c117508d41ef0ce44 |
| SHA256 | e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7 |
| SHA512 | 77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b65221b1b05b3d92a6d4bedba9014eb0 |
| SHA1 | 34203816996d5e47c16893720d98de88e6df2802 |
| SHA256 | e95abbdf7deacde619683f68c9010500d6e47f9de79ff7f98e4ae1e1bbbb36a5 |
| SHA512 | 1d6e4a99d65a37a56f50b8926a6fb04afdef362ddee3606680e52429b961db70a0c5cc1bece080f241ccd776c6ea751a6be6c2cf2dabc449924e1f9836bef820 |
C:\Users\Admin\AppData\Local\Temp\ezciiu.exe
| MD5 | 7bf2898f75b3974d2c53999f8d3f40fb |
| SHA1 | c406aeef85ed1ce026b98b858af4be62da421119 |
| SHA256 | c1a074fed48daff62eefa0cadc7e5f77186dd437acac684b379946c09cc6d208 |
| SHA512 | 20ec8430d1b1695ca943b1c9c759339be2facec42ff0086703a9f90ed7c684c1097dfed2a0dec9820d8949c4216c33767f9ef147aa38ba30e01cf9b5fe6f0676 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0c3804deb057a26588c01312d798f46c |
| SHA1 | c1bce310e3fcb8942bdea4538a051160ce5c7bd0 |
| SHA256 | ce672f64c78d0bd00b42f11aea454eecc925ec9397f109d08909089eeda68719 |
| SHA512 | 1a1b3f18ed9ec3923c42b669cb08134855995244a57ab1c4df1734543bcbaf2785ab1d3acfb5eb3cc16c1d9c873198b4e074d004de5577c247016185cd5fc505 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2a8f20e557c24c99a1a67ebd0fa15de2 |
| SHA1 | 89be00be2a5971c9b5a2ac689a9c1e3bce57be49 |
| SHA256 | 79cae3451465615e6488677cefd9f814acdf00df32a33df3760acaf5352f5c60 |
| SHA512 | 3254664c4195e9ca21e634ca75645207c88b9ad0672b54bdeb1eb1c13b3b09c9c3c37a6830f2ad8d6048b7dee96e04e6597e22b93ac76213a8c94029e26071c5 |
C:\Users\Admin\AppData\Local\Temp\vxhqbm.exe
| MD5 | a08e5952ddaaabe4b7deaf30e3e522d3 |
| SHA1 | d111978b9e2ea04f53ce48a36a4fde0e0e900ba3 |
| SHA256 | 52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f |
| SHA512 | 2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b687ef43eeeef6b2c7593b4ee9c04934 |
| SHA1 | f3df62b9c57b8d7025cdf0557a5b09e9e8257fc4 |
| SHA256 | e6201c20476964e81a9283981aca9322199bcabaeecb683b3184d93ef6ec4cde |
| SHA512 | d7fc2466760a8f73e718c52fcc5a6be060c69aabb8e12e43761bb3a309a5b2ed419f56d0a70871d04f2b868fdc3d653fbae81b742b78cede1714e0567a90d9c4 |
C:\Users\Admin\AppData\Local\Temp\fkytby.exe
| MD5 | a4f3e603a335cbd6d8f9ff11c8f9a9c2 |
| SHA1 | a5de59863fb4acc05a9253562172f802420ed21b |
| SHA256 | 2c1b6a652a62f7fde53d2e84e1211fef21dfde9eb0d4e2879bd997733af77a3e |
| SHA512 | 659d0175f4f496f5af6846f0af20345dec842c29eec7e78870b96d96bc712a39684be7a2cff1decabb6e447a477ddf8b92a1b22a12fe6ca07b1fd762540452f2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b22d1c5159fa97764f06b9bf25710c3c |
| SHA1 | 78df3f3d3edbec3c1126ecf65c3f0db9403065f3 |
| SHA256 | a116123461640b3e53e88727026e835e15d3a9def2a95f2ecde06ef0d4e69d89 |
| SHA512 | 785c5ac714fd7aeed8fc60f0d82331e3b5c9b3515092e61fef4aedf51a505431e3d72e06b6ac2d2e2ab35b45d9d30bdbf4ab6f947cc17ac29f6f1a88477b5f0d |