Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-03-2023 03:54
Static task: static1
Behavioral task behavioral1: sample smokeloader/9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d.exe, resource win7-20230220-en
Behavioral task behavioral2: sample smokeloader/9afc600899956fa4398dc67bf2d8cc6990b2b3fc5e0e1ccd6ffc0156dbc2e04d.exe, resource win10v2004-20230220-en
Behavioral task behavioral3: sample smokeloader/a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe, resource win7-20230220-en
Behavioral task behavioral4: sample smokeloader/a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe, resource win10v2004-20230220-en
Behavioral task behavioral5: sample smokeloader/cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe, resource win7-20230220-en
Behavioral task behavioral6: sample smokeloader/cbb7b0ba1d08a9f6e6e881f0b658bfe7fd5d3dbcb2c47682a13cf550eba845a0.exe, resource win10v2004-20230221-en
General
Target: smokeloader/a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
Size: 194KB
MD5: de2cc5ab0c1b901b1d57a0e10c0185be
SHA1: f7d3144acc8e7473b8fb0c93cdc69632ea2de3ac
SHA256: a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4
SHA512: 492fea5d91d8121432779fb4e01c6a5371b9fbe6675ecc9a32e416c583107e60ea160eeaa010cc83e7ace640ed7e31172ab1f4a3217526412cc9810960510be7
SSDEEP: 3072:lSbONVWNIbrL8vTk1Wi5XiKR0Cf6MzjN+C1HQJISv5f9juaQE4nL:lSbFcrL8o1fikjNzQJn51juaQE
Malware Config
Extracted: smokeloader (2023)
Extracted: smokeloader (2022)
Extracted: redline (02-700-2), C2 167.235.133.96:43849, auth_value 8af50b3310e79fa317eef66b1e92900f
Extracted: redline (2), C2 51.81.126.50:19836, auth_value 7be92ecdf2c2f5400aa90f72d61cb2a4
Extracted: amadey (3.65), C2 hellomr.observer/7gjD0Vs3d/index.php, researchersgokick.rocks/7gjD0Vs3d/index.php, pleasetake.pictures/7gjD0Vs3d/index.php
Signatures
DcRat (4 IoCs)
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe)
- PID 4436 schtasks.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fnfmgj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ifpyahw\\Fnfmgj.exe\"" (E8DE.exe)
- PID 3500 schtasks.exe
Detect rhadamanthys stealer shellcode (3 IoCs)
Matches (resource: yara_rule):
- behavioral4/memory/4848-1837-0x00000000010E0000-0x00000000010FC000-memory.dmp: family_rhadamanthys
- behavioral4/memory/4848-1844-0x00000000028F0000-0x00000000038F0000-memory.dmp: family_rhadamanthys
- behavioral4/memory/4848-2079-0x00000000010E0000-0x00000000010FC000-memory.dmp: family_rhadamanthys
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (30 IoCs)
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
- PID 472 created 2408: 472 F3BC.exe -> target process taskhostw.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (1BC9.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (2DFB.exe)
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (1BC9.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (1BC9.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (2DFB.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (2DFB.exe)
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (E8DE.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (2291.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (nbveek.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (newbots.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (nbveek.exe)
Executes dropped EXE (13 IoCs)
Processes (PID process):
- 3332 E8DE.exe
- 472 F3BC.exe
- 3668 F747.exe
- 4348 FEDA.exe
- 4804 1BC9.exe
- 4904 2291.exe
- 372 nbveek.exe
- 2808 2DFB.exe
- 3132 newbots.exe
- 2420 E8DE.exe
- 4680 552C.exe
- 4604 newbots.exe
- 1984 nbveek.exe
Loads dropped DLL (1 IoC)
Processes (PID process):
- 472 F3BC.exe
Obfuscated with Agile.Net obfuscator (3 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Matches (resource: yara_rule):
- behavioral4/memory/4804-1116-0x0000000000040000-0x0000000000828000-memory.dmp: agile_net
- behavioral4/memory/4804-1117-0x0000000000040000-0x0000000000828000-memory.dmp: agile_net
- behavioral4/memory/4804-1531-0x0000000000040000-0x0000000000828000-memory.dmp: agile_net
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Further YARA matches (resource: yara_rule):
- C:\Users\Admin\AppData\Local\Temp\1BC9.exe: themida
- C:\Users\Admin\AppData\Local\Temp\1BC9.exe: themida
- behavioral4/memory/4804-1116-0x0000000000040000-0x0000000000828000-memory.dmp: themida
- behavioral4/memory/4804-1117-0x0000000000040000-0x0000000000828000-memory.dmp: themida
- C:\Users\Admin\AppData\Local\Temp\2DFB.exe: themida
- C:\Users\Admin\AppData\Local\Temp\2DFB.exe: themida
- behavioral4/memory/2808-1218-0x0000000000FD0000-0x000000000143A000-memory.dmp: themida
- behavioral4/memory/2808-1325-0x0000000000FD0000-0x000000000143A000-memory.dmp: themida
- behavioral4/memory/4804-1531-0x0000000000040000-0x0000000000828000-memory.dmp: themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fnfmgj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ifpyahw\\Fnfmgj.exe\"" (E8DE.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yzritvgr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Nllsqglz\\Yzritvgr.exe\"" (newbots.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E8DE.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\E8DE.exe\"" (E8DE.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
Processes:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (1BC9.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (2DFB.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows (flow ioc):
- 146 ip-api.com
- 148 icanhazip.com
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes (PID process):
- 4804 1BC9.exe
- 2808 2DFB.exe
- 4848 fontview.exe
- 4848 fontview.exe
- 4848 fontview.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 472 set thread context of 1796: 472 F3BC.exe -> target process ngentask.exe
- PID 3332 set thread context of 2420: 3332 E8DE.exe -> target process E8DE.exe
- PID 3132 set thread context of 4604: 3132 newbots.exe -> target process newbots.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (4 IoCs)
Processes (PID, target PID, process, target process):
- 4016 2808 WerFault.exe 2DFB.exe
- 1100 4348 WerFault.exe FEDA.exe
- 3232 472 WerFault.exe F3BC.exe
- 5020 472 WerFault.exe F3BC.exe
Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe)
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe)
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (fontview.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID (fontview.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (fontview.exe)
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (fontview.exe)
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (fontview.exe)
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (1BC9.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (1BC9.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (1BC9.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (1BC9.exe)
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (PID process):
- 4436 schtasks.exe
- 3500 schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Distinct rows (PID process):
- 4476 a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
- 3080
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (PID process):
- 3080
Suspicious behavior: MapViewOfSection (19 IoCs)
Distinct rows (PID process):
- 4476 a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
- 3080
Suspicious use of AdjustPrivilegeToken (52 IoCs)
Distinct rows (description, PID, process):
- Token: SeDebugPrivilege 1880 powershell.exe
- Token: SeDebugPrivilege 4348 FEDA.exe
- Token: SeDebugPrivilege 4804 1BC9.exe
- Token: SeShutdownPrivilege 3080
- Token: SeCreatePagefilePrivilege 3080
- Token: SeSecurityPrivilege 764 msiexec.exe
- Token: SeDebugPrivilege 3132 newbots.exe
- Token: SeDebugPrivilege 3332 E8DE.exe
- Token: SeDebugPrivilege 4232 powershell.exe
- Token: SeShutdownPrivilege 4848 fontview.exe
- Token: SeCreatePagefilePrivilege 4848 fontview.exe
- Token: SeDebugPrivilege 2420 E8DE.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Distinct rows (description: PID process -> target process):
- PID 3080 wrote to memory of 3332: 3080 -> E8DE.exe
- PID 3332 wrote to memory of 1880: 3332 E8DE.exe -> powershell.exe
- PID 3080 wrote to memory of 472: 3080 -> F3BC.exe
- PID 3080 wrote to memory of 3668: 3080 -> F747.exe
- PID 3080 wrote to memory of 4348: 3080 -> FEDA.exe
- PID 472 wrote to memory of 1796: 472 F3BC.exe -> ngentask.exe
- PID 472 wrote to memory of 4848: 472 F3BC.exe -> fontview.exe
- PID 3080 wrote to memory of 4804: 3080 -> 1BC9.exe
- PID 3080 wrote to memory of 4904: 3080 -> 2291.exe
- PID 4904 wrote to memory of 372: 4904 2291.exe -> nbveek.exe
- PID 372 wrote to memory of 4436: 372 nbveek.exe -> schtasks.exe
- PID 372 wrote to memory of 3820: 372 nbveek.exe -> cmd.exe
- PID 3820 wrote to memory of 3356: 3820 cmd.exe -> cmd.exe
- PID 3820 wrote to memory of 112: 3820 cmd.exe -> cacls.exe
- PID 3820 wrote to memory of 2708: 3820 cmd.exe -> cacls.exe
- PID 3820 wrote to memory of 532: 3820 cmd.exe -> cmd.exe
- PID 3820 wrote to memory of 4308: 3820 cmd.exe -> cacls.exe
- PID 3820 wrote to memory of 3720: 3820 cmd.exe -> cacls.exe
- PID 3080 wrote to memory of 2808: 3080 -> 2DFB.exe
- PID 372 wrote to memory of 3132: 372 nbveek.exe -> newbots.exe
- PID 3332 wrote to memory of 2420: 3332 E8DE.exe -> E8DE.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
+ C:\Windows\system32\taskhostw.exe
    cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    + C:\Windows\SysWOW64\fontview.exe
        cmd: "C:\Windows\SYSWOW64\fontview.exe"
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks SCSI registry key(s)
        - Suspicious use of AdjustPrivilegeToken
+ C:\Users\Admin\AppData\Local\Temp\smokeloader\a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\smokeloader\a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe"
    - DcRat
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
+ C:\Users\Admin\AppData\Local\Temp\E8DE.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\E8DE.exe
    - DcRat
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
        decoded -ENC argument (base64 of UTF-16LE): start-sleep -seconds 20
        - Suspicious use of AdjustPrivilegeToken
    + C:\Users\Admin\AppData\Local\Temp\E8DE.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\E8DE.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
+ C:\Users\Admin\AppData\Local\Temp\F3BC.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\F3BC.exe
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    + C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
    + C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 1152
        - Program crash
    + C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 1060
        - Program crash
+ C:\Users\Admin\AppData\Local\Temp\F747.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\F747.exe
    - Executes dropped EXE
+ C:\Users\Admin\AppData\Local\Temp\FEDA.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\FEDA.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    + C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1216
        - Program crash
+ C:\Users\Admin\AppData\Local\Temp\1BC9.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\1BC9.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
+ C:\Users\Admin\AppData\Local\Temp\2291.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\2291.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    + C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        + C:\Windows\SysWOW64\schtasks.exe
            cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe" /F
            - DcRat
            - Creates scheduled task(s)
        + C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c1e3594748" /P "Admin:N"&&CACLS "..\c1e3594748" /P "Admin:R" /E&&Exit
            - Suspicious use of WriteProcessMemory
            + C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            + C:\Windows\SysWOW64\cacls.exe
                cmd: CACLS "nbveek.exe" /P "Admin:N"
            + C:\Windows\SysWOW64\cacls.exe
                cmd: CACLS "nbveek.exe" /P "Admin:R" /E
            + C:\Windows\SysWOW64\cacls.exe
                cmd: CACLS "..\c1e3594748" /P "Admin:N"
            + C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            + C:\Windows\SysWOW64\cacls.exe
                cmd: CACLS "..\c1e3594748" /P "Admin:R" /E
        + C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                decoded -ENC argument (base64 of UTF-16LE): start-sleep -seconds 20
                - Suspicious use of AdjustPrivilegeToken
            + C:\Windows\System32\cmd.exe
                cmd: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
                decoded -ENC argument (base64 of UTF-16LE): set-mppreference -exclusionpath C:\
                + C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    cmd: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
                    decoded -ENC argument (base64 of UTF-16LE): set-mppreference -exclusionpath C:\
            + C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exe
                - Executes dropped EXE
+ C:\Users\Admin\AppData\Local\Temp\2DFB.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\2DFB.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    + C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 580
        - Program crash
+ C:\Windows\system32\msiexec.exe
    cmd: C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken
+ C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2808 -ip 2808
+ C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4348 -ip 4348
+ C:\Users\Admin\AppData\Local\Temp\552C.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\552C.exe
    - Executes dropped EXE
+ C:\Windows\SysWOW64\explorer.exe
    cmd: C:\Windows\SysWOW64\explorer.exe
+ C:\Windows\explorer.exe
    cmd: C:\Windows\explorer.exe
+ C:\Windows\SysWOW64\explorer.exe
    cmd: C:\Windows\SysWOW64\explorer.exe
+ C:\Windows\explorer.exe
    cmd: C:\Windows\explorer.exe
+ C:\Windows\SysWOW64\explorer.exe
    cmd: C:\Windows\SysWOW64\explorer.exe
+ C:\Windows\SysWOW64\explorer.exe
    cmd: C:\Windows\SysWOW64\explorer.exe
+ C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 472 -ip 472
+ C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 472 -ip 472
+ C:\Windows\SysWOW64\explorer.exe
    cmd: C:\Windows\SysWOW64\explorer.exe
+ C:\Windows\explorer.exe
    cmd: C:\Windows\explorer.exe
+ C:\Windows\SysWOW64\explorer.exe
    cmd: C:\Windows\SysWOW64\explorer.exe
+ C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
    - Checks computer location settings
    - Executes dropped EXE
    + C:\Windows\SysWOW64\schtasks.exe
        cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe" /F
        - DcRat
        - Creates scheduled task(s)
    + C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c1e3594748" /P "Admin:N"&&CACLS "..\c1e3594748" /P "Admin:R" /E&&Exit
        + C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        + C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "nbveek.exe" /P "Admin:N"
        + C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "nbveek.exe" /P "Admin:R" /E
        + C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        + C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "..\c1e3594748" /P "Admin:N"
        + C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "..\c1e3594748" /P "Admin:R" /E
Downloads
C:\Users\Admin\AppData\Local\6OQZGLY38OL4JTRNPTSG\IN_Windows 10 Pro (64 Bit)_R3E4EJ5Y2YRY99YWLQR9\InstalledApp.txt
  Filesize: 2KB
  MD5: 6663276c1da7e9c18116cf5ade6dfdce
  SHA1: 3f6b4e377dc16b1a957bc3afffc5eee4e6ab6f19
  SHA256: 2bbb710d13901ef441fce2a62b0d14a92f3ff03a8f8965a4d31271e327f687a6
  SHA512: 64859282ad16eebaa1f8f37c72a50710e1f9e5464a58f782b879a86cacd44d866457177283bd6236b83f4e27a60f780249928a14eb6974f617ef8d495e31c7a2
C:\Users\Admin\AppData\Local\6OQZGLY38OL4JTRNPTSG\IN_Windows 10 Pro (64 Bit)_R3E4EJ5Y2YRY99YWLQR9\ProcessList.txt
  Filesize: 4KB
  MD5: c987555474a2af1219fc5db3b5cd5267
  SHA1: 60b65da368d122010a47916b5864d885f6088dbc
  SHA256: 029fb43ce597e4bc964aebaf700442ab958cb5753525a3c53009735f1ed8ad9b
  SHA512: c5e823449c348e381f0165fc5dcd96aa2d6cdd847c7ebc27ea4c679f459ab896f95956f491f81f4d4f5c65ae299607f3e7d7c332e93203d917c200316b8ed427
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\E8DE.exe.log
  Filesize: 1KB
  MD5: cbe207895aa962105ca913568f7d2135
  SHA1: c62bcc9aac6f6ad0b14457d3d51c0a474528b106
  SHA256: bd468d112dd92eab9177b172cb46016d96c6d85fe567734852f8c07733c14a24
  SHA512: 3a93a75b1c3a93d8466a7b2f5b0433805d7055e829834203b3b6ae48ecb899f3aaf68610057a0ce0f9a29647cd7c6577dcb4c89124dc368e91f5866a5dbf1e44
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: fc28168b916bf9744961653d503e1164
  SHA1: 71deadab13b81a414582f931e9af010152463644
  SHA256: a2a78e9fb30fe365d454ca6bbbf950355049c978262fdf0e80cd683622cf00e9
  SHA512: 08d828e18ccb2892f12dcbbaf5a5ffcafb4e2e768536fc46b3d2fce788c52b2f61058e1ef0a47e648e2308f4f1aeb8799bef9472726d2800fa9b775f401e08c9
C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exe
  Filesize: 680KB
  MD5: 285154a54ffba21bfb4a2d8f54aa3e3c
  SHA1: 3337353913ec67941060ace6b34f4bc6de938b7e
  SHA256: 25ac8cb6569569c648742ee845b72dd147e035e2a491145bc770c95422d3b756
  SHA512: 7f983375c309e52d79cc56c44e05cd7324150ebd9adea1604da3cc994b3345324e1c8160c78940ac7798b5c92d2941b863d7d0f09cc42dc171ebeca56a89b82a
-
C:\Users\Admin\AppData\Local\Temp\1BC9.exe  (2 identical entries in the report)
Filesize 3.1MB
MD5 145c17e590635b43bc7af1d43cf8bac8
SHA1 55e17b8d5e99e1c895da6c7c0c60fc5a5143b9e3
SHA256 9c404c78e697cb370c9d84b492feb0dd601e5099afd0f26e09b89c5d855cc5d6
SHA512 9701999d3a2276868351cfcd1ecb2163ababf812ddc43c6f2445aa6ff4e8d16d78d12d8dc19aff32216532e9d083e65bd772fba26c8395c8daa811c18ebfdf0c
-
C:\Users\Admin\AppData\Local\Temp\2291.exe  (2 identical entries in the report)
Filesize 427KB
MD5 75869356855ebaf69df70c48c2d4c455
SHA1 a39a1e3077a7f6a0679c6b2963625a555f0fb435
SHA256 e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848
SHA512 e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4
-
C:\Users\Admin\AppData\Local\Temp\240584937.dll
Filesize 334KB
MD5 4cb75f40755bf606f8a5f1b0bc1db511
SHA1 0e4fd3965245063a55ab411016a98c52e3498bca
SHA256 4c3b45b602867d875c6377fca5823a5134f991858d69efce61cccf63b3eadc3f
SHA512 2e54c0c7dba5cd54362a0d9a9407431faed52aba86acefe3843e509c316e9f51f12f6f17d2762f42d3c5e1f588bb774d0c9683c7f9527cf33a8a0c12634cef48
-
C:\Users\Admin\AppData\Local\Temp\275444769369
Filesize 79KB
MD5 da9cab753d6143a6fb6090d7a5795292
SHA1 221f5707beb8701ca1d3c20ede2a6013f8d55655
SHA256 4279b13385bcf915974a7d175be9ec5cf9efae1694bd92621153f9454467026e
SHA512 0367cb28bbfaf1f90850a2a4de87000994c0f6df5c50c9ca4ba5301140fe02300620a4140610c17ba16f357c9b2e472df9ab3d2627c6055e654f7a96cda3c04a
-
C:\Users\Admin\AppData\Local\Temp\2DFB.exe  (2 identical entries in the report)
Filesize 4.2MB
MD5 ae75a902d204f6b27ef4c142d690277c
SHA1 7b4ed1d2672d547bdc6c522381c83027d4f59106
SHA256 b86c151f8c83b6e4d167a03e008d80c1cd741c8618e1a8434054cd0721c804c2
SHA512 10d9fb69bc999210562892affa04639c0cc499397a302c9d1c1689657a0ad6b4471115ef4cb47a5ea17b52bc8b1033068de1838c703be84d41986301ab24cc9c
-
C:\Users\Admin\AppData\Local\Temp\552C.exe  (2 identical entries in the report)
Filesize 2.9MB
MD5 063b8d5cfe89fb322507db7ec1dc1a22
SHA1 bcfe687a85512a319bcd1d803e6c0301c89f58d9
SHA256 d5bead63cdd30bfbbef15b67a279f604b8ac6a8a5402ef0223d2cd80482b46d2
SHA512 68808df550e0fc1090bb1cb7f1c73812b863fb61d9b50dd4456d9755ecd4a7cb1b9cf0a9e2e4e2a97a5e54bd32c53630d267f5b2a3f4e1869a6eca4a68c9f8cb
-
C:\Users\Admin\AppData\Local\Temp\E8DE.exe  (3 identical entries in the report)
Filesize 2.5MB
MD5 3e83cfe5cd166c724ff586d9467c13f9
SHA1 159f4f7b658b7967babb83ffba43ce3c00ab76c0
SHA256 287590908ed9a89235fd66d1ee9b8feca0a560880bece04ee8f268103129a57e
SHA512 621c1d7e80a9660ca232c9487bdb343dfa80414bb0ffd05e9843b7fbb49308f150a6cb121b39318ee5b481d664d2f32057c8a890329f0c78dee3566f6dda3f07
-
C:\Users\Admin\AppData\Local\Temp\F3BC.exe  (2 identical entries in the report)
Filesize 1.4MB
MD5 90b876266f4ba0fb897bb98e089a94b9
SHA1 5a460ffde15b92317df351a7ef2bad25648f7e93
SHA256 c742a3f9b5b3683da2e462eb4f778defce3d52f44a28e3b1a37ca368fea9811e
SHA512 89f419a4d8abb37bf19b9916a84f709d7d64e5178533e63c0ef42885783c1c89b7ffe6dc62a09064cc36869abd68b60fa7d4e3e2431b522f9dea7bd3fde120ad
-
C:\Users\Admin\AppData\Local\Temp\F747.exe  (2 identical entries in the report)
Filesize 102KB
MD5 19468026f92b3efcfc92b1a0c9f48913
SHA1 8ade3bc4c79febe87f74674a4d90499d55ba21a8
SHA256 d0f797a4e2020680e6462f761249f067e7a57007bb821aaf2fda9eba47cffd16
SHA512 4b033ab117d15f09b64aace17b2405c9373c70bd817019419332184529ccdbf80779d4d19704337965eac63400047b5c70ff9924bb440aa01ac8de467d1f53a5
-
C:\Users\Admin\AppData\Local\Temp\FEDA.exe  (2 identical entries in the report)
Filesize 289KB
MD5 addadd44a657d8f48cdfcb5c26e4219b
SHA1 3d97e85c6a087a9d78477434a67a8f7da7c7bc32
SHA256 a4655626303cc7aad16cf9c32ba02b74a5950c73a89d41757817bcb38da141eb
SHA512 936c5dd3698f646344a2bbe9a7ff6722c5a30056d387a8db01cdca090da4bf1ce0c5127a809f2ad5f7f24249b8ded32f5497974e65d7f0fa64f178270f9a77c8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_smuna4ta.0jb.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe  (4 identical entries in the report; same size and hashes as Temp\2291.exe above)
Filesize 427KB
MD5 75869356855ebaf69df70c48c2d4c455
SHA1 a39a1e3077a7f6a0679c6b2963625a555f0fb435
SHA256 e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848
SHA512 e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4
-
Memory dump  Filesize
memory/372-1618-0x0000000000A40000-0x0000000000A84000-memory.dmp  272KB
memory/372-1154-0x0000000000A40000-0x0000000000A84000-memory.dmp  272KB
memory/472-172-0x000000000DD90000-0x000000000DEDA000-memory.dmp  1.3MB
memory/1796-240-0x0000000005400000-0x0000000005A18000-memory.dmp  6.1MB
memory/1796-274-0x0000000005210000-0x0000000005220000-memory.dmp  64KB
memory/1796-245-0x0000000004F70000-0x000000000507A000-memory.dmp  1.0MB
memory/1796-1258-0x0000000005210000-0x0000000005220000-memory.dmp  64KB
memory/1796-248-0x0000000004EA0000-0x0000000004EB2000-memory.dmp  72KB
memory/1796-215-0x0000000000400000-0x0000000000432000-memory.dmp  200KB
memory/1796-221-0x0000000000400000-0x0000000000432000-memory.dmp  200KB
memory/1796-252-0x0000000004F00000-0x0000000004F3C000-memory.dmp  240KB
memory/1880-1094-0x000001A9EBBB0000-0x000001A9EBBC0000-memory.dmp  64KB
memory/1880-1089-0x000001A9EBBB0000-0x000001A9EBBC0000-memory.dmp  64KB
memory/1880-1092-0x000001A9EBBB0000-0x000001A9EBBC0000-memory.dmp  64KB
memory/1880-161-0x000001A9EBBB0000-0x000001A9EBBC0000-memory.dmp  64KB
memory/1880-162-0x000001A9EBBB0000-0x000001A9EBBC0000-memory.dmp  64KB
memory/2380-1730-0x0000000000940000-0x000000000094B000-memory.dmp  44KB
memory/2380-1728-0x0000000000950000-0x0000000000957000-memory.dmp  28KB
memory/2420-1294-0x0000000140000000-0x0000000140092000-memory.dmp  584KB
memory/2420-1343-0x000001C7282C0000-0x000001C7282D0000-memory.dmp  64KB
memory/2420-2077-0x000001C7282C0000-0x000001C7282D0000-memory.dmp  64KB
memory/2676-1848-0x00000000005B0000-0x00000000005BF000-memory.dmp  60KB
memory/2676-1846-0x00000000005C0000-0x00000000005C9000-memory.dmp  36KB
memory/2808-1218-0x0000000000FD0000-0x000000000143A000-memory.dmp  4.4MB
memory/2808-1325-0x0000000000FD0000-0x000000000143A000-memory.dmp  4.4MB
memory/3080-135-0x0000000002D00000-0x0000000002D16000-memory.dmp  88KB
memory/3132-1271-0x000001AC99F30000-0x000001AC99FDE000-memory.dmp  696KB
memory/3332-608-0x000001CDF92C0000-0x000001CDF92D0000-memory.dmp  64KB
memory/3332-149-0x000001CDF54B0000-0x000001CDF5740000-memory.dmp  2.6MB
memory/3332-150-0x000001CDF74C0000-0x000001CDF74E2000-memory.dmp  136KB
memory/3332-151-0x000001CDF92C0000-0x000001CDF92D0000-memory.dmp  64KB
memory/3372-1980-0x0000000000A10000-0x0000000000A16000-memory.dmp  24KB
memory/3372-1982-0x0000000000A00000-0x0000000000A0C000-memory.dmp  48KB
memory/4232-1517-0x0000026DF31B0000-0x0000026DF31C0000-memory.dmp  64KB
memory/4232-1584-0x0000026DF31B0000-0x0000026DF31C0000-memory.dmp  64KB
memory/4324-1985-0x00000000009D0000-0x00000000009F7000-memory.dmp  156KB
memory/4348-190-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-1363-0x00000000076D0000-0x0000000007BFC000-memory.dmp  5.2MB
memory/4348-214-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-210-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-233-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-208-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-206-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-204-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-244-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-231-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-202-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-200-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-198-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-247-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-1180-0x0000000002560000-0x0000000002570000-memory.dmp  64KB
memory/4348-1183-0x0000000002560000-0x0000000002570000-memory.dmp  64KB
memory/4348-1207-0x0000000002560000-0x0000000002570000-memory.dmp  64KB
memory/4348-229-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-196-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-194-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-192-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-241-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-188-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-227-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-186-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-184-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-183-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-225-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-220-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-1112-0x0000000002560000-0x0000000002570000-memory.dmp  64KB
memory/4348-1356-0x0000000007500000-0x00000000076C2000-memory.dmp  1.8MB
memory/4348-223-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-178-0x0000000004D60000-0x0000000005304000-memory.dmp  5.6MB
memory/4348-182-0x0000000002560000-0x0000000002570000-memory.dmp  64KB
memory/4348-179-0x0000000000810000-0x000000000085B000-memory.dmp  300KB
memory/4348-217-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-180-0x0000000002560000-0x0000000002570000-memory.dmp  64KB
memory/4348-212-0x00000000026C0000-0x00000000026FE000-memory.dmp  248KB
memory/4348-181-0x0000000002560000-0x0000000002570000-memory.dmp  64KB
memory/4476-136-0x0000000000400000-0x000000000055F000-memory.dmp  1.4MB
memory/4476-134-0x0000000002150000-0x0000000002159000-memory.dmp  36KB
memory/4680-1595-0x0000000000E00000-0x00000000010E2000-memory.dmp  2.9MB
memory/4804-1487-0x0000000006580000-0x000000000658A000-memory.dmp  40KB
memory/4804-1167-0x00000000064C0000-0x0000000006552000-memory.dmp  584KB
memory/4804-1446-0x0000000000040000-0x0000000000828000-memory.dmp  7.9MB
memory/4804-1118-0x0000000005160000-0x00000000051C6000-memory.dmp  408KB
memory/4804-1115-0x0000000000040000-0x0000000000828000-memory.dmp  7.9MB
memory/4804-1490-0x0000000006760000-0x0000000006772000-memory.dmp  72KB
memory/4804-1519-0x0000000005270000-0x0000000005280000-memory.dmp  64KB
memory/4804-1531-0x0000000000040000-0x0000000000828000-memory.dmp  7.9MB
memory/4804-1123-0x0000000005270000-0x0000000005280000-memory.dmp  64KB
memory/4804-1116-0x0000000000040000-0x0000000000828000-memory.dmp  7.9MB
memory/4804-1117-0x0000000000040000-0x0000000000828000-memory.dmp  7.9MB
memory/4804-1139-0x0000000005270000-0x0000000005280000-memory.dmp  64KB
memory/4848-1839-0x0000000000E90000-0x0000000000E92000-memory.dmp  8KB
memory/4848-2079-0x00000000010E0000-0x00000000010FC000-memory.dmp  112KB
memory/4848-1844-0x00000000028F0000-0x00000000038F0000-memory.dmp  16.0MB
memory/4848-1837-0x00000000010E0000-0x00000000010FC000-memory.dmp  112KB
memory/4848-239-0x0000000000C20000-0x0000000000C53000-memory.dmp  204KB
memory/4904-1134-0x00000000010D0000-0x0000000001114000-memory.dmp  272KB
memory/5064-1918-0x0000000000340000-0x0000000000349000-memory.dmp  36KB
memory/5064-1916-0x0000000000350000-0x0000000000355000-memory.dmp  20KB
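The dropped-file and memory-dump listings above are what an analyst feeds into a hash blocklist or a memory-forensics triage, but as extracted here every label is fused to its value ("newbots.exeFilesize", "MD5285154a5...") and several files are listed repeatedly. The following is an added example, not part of the sandbox report or its tooling: a parser for this flattened listing that splits each digest off its label by the digest's fixed hex length (rejecting malformed ones), collapses repeated drops of the same path and SHA256 into one record with a count, and checks each memory dump's reported size against the address range encoded in its name, allowing for the report's rounding. The sample input is constructed from four entries of this report (newbots.exe twice, two memory dumps); no other names or values are assumed.

```python
"""Parse a flattened sandbox dropped-files / memory-dumps listing into IOC records.

Added example, not part of the sandbox report. The extraction fused each label to
its value ("newbots.exeFilesize", "MD5285154a5..."); this splits them by the fixed
hex length of each digest, collapses repeated drops of one file, and cross-checks
each memory dump's size against the address range in its name.
"""
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")
MEM_NAME = re.compile(r"^memory/\d+-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: entries copied from the report above, in the fused form.
SAMPLE = r"""C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exeFilesize
680KB
MD5285154a54ffba21bfb4a2d8f54aa3e3c
SHA13337353913ec67941060ace6b34f4bc6de938b7e
SHA25625ac8cb6569569c648742ee845b72dd147e035e2a491145bc770c95422d3b756
SHA5127f983375c309e52d79cc56c44e05cd7324150ebd9adea1604da3cc994b3345324e1c8160c78940ac7798b5c92d2941b863d7d0f09cc42dc171ebeca56a89b82a
-
C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exeFilesize
680KB
MD5285154a54ffba21bfb4a2d8f54aa3e3c
SHA13337353913ec67941060ace6b34f4bc6de938b7e
SHA25625ac8cb6569569c648742ee845b72dd147e035e2a491145bc770c95422d3b756
SHA5127f983375c309e52d79cc56c44e05cd7324150ebd9adea1604da3cc994b3345324e1c8160c78940ac7798b5c92d2941b863d7d0f09cc42dc171ebeca56a89b82a
-
memory/372-1618-0x0000000000A40000-0x0000000000A84000-memory.dmpFilesize
272KB
-
memory/472-172-0x000000000DD90000-0x000000000DEDA000-memory.dmpFilesize
1.3MB
-
"""

def parse_size(text):
    """'272KB' -> 278528, '1.3MB' -> 1363148, '60B' -> 60."""
    m = re.match(r"^(\d+(?:\.\d+)?)(B|KB|MB)$", text.strip())
    if not m:
        raise ValueError("bad size: " + text)
    return int(float(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 ** 2}[m.group(2)])

def split_digest(line):
    """'SHA256<64 hex>' -> ('SHA256', '<64 hex>'); None for non-digest lines."""
    for label in ("SHA512", "SHA256", "SHA1", "MD5"):
        if line.startswith(label):
            value = line[len(label):].lower()
            if len(value) != DIGEST_LEN[label] or not HEX.match(value):
                raise ValueError("malformed %s digest: %s" % (label, line))
            return label, value
    return None

def _parse_block(lines):
    # One entry: '<name>Filesize', '<size>', then zero or more fused digest lines.
    head = lines[0]
    if len(lines) < 2 or not head.endswith("Filesize"):
        raise ValueError("entry does not start with '<name>Filesize': " + head)
    name = head[: -len("Filesize")]
    rec = {"name": name, "size": parse_size(lines[1])}
    for line in lines[2:]:
        parsed = split_digest(line)
        if parsed is None:
            raise ValueError("unexpected line in %s: %s" % (name, line))
        rec[parsed[0]] = parsed[1]
    m = MEM_NAME.match(name)
    if m:  # memory dump: the region size is implied by the address range in the name
        rec["region_bytes"] = int(m.group(2), 16) - int(m.group(1), 16)
    return rec

def parse_report(text):
    """Split the listing on lone '-' separators and parse each block."""
    entries, block = [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line != "-":
            block.append(line)
        elif block:
            entries.append(_parse_block(block))
            block = []
    if block:
        entries.append(_parse_block(block))
    return entries

def dedupe_files(entries):
    """Collapse repeated drops of the same path+SHA256 into one record with a drop count."""
    out = {}
    for e in (e for e in entries if "SHA256" in e):
        rec = out.setdefault((e["name"], e["SHA256"]), dict(e, drops=0))
        rec["drops"] += 1
    return list(out.values())

def check_memory_sizes(entries):
    """Memory dumps whose reported size disagrees with their address range.

    The report rounds sizes (whole KB, or 0.1 MB), so allow 1 KB or 5 percent slack.
    """
    return [e["name"] for e in entries if "region_bytes" in e
            and abs(e["region_bytes"] - e["size"]) > max(1024, e["size"] // 20)]
```

Run `dedupe_files(parse_report(SAMPLE))` to get one newbots.exe record with `drops == 2`; `check_memory_sizes` returns an empty list for the sample because 0xA84000 - 0xA40000 is exactly 272KB and the 1.3MB dump is within rounding of its 0x14A000-byte range. Digest lengths are checked rather than trusted, so a hash truncated or corrupted by extraction is rejected instead of silently becoming a bad IOC.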