amadey | 3f428f05c1b7bb9e2d893d7c196eefec5e6cff1d1c1b761fea5ccec17e1bab3c

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2023 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

smokeloader/a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
Size

194KB
MD5

de2cc5ab0c1b901b1d57a0e10c0185be
SHA1

f7d3144acc8e7473b8fb0c93cdc69632ea2de3ac
SHA256

a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4
SHA512

492fea5d91d8121432779fb4e01c6a5371b9fbe6675ecc9a32e416c583107e60ea160eeaa010cc83e7ace640ed7e31172ab1f4a3217526412cc9810960510be7
SSDEEP

3072:lSbONVWNIbrL8vTk1Wi5XiKR0Cf6MzjN+C1HQJISv5f9juaQE4nL:lSbFcrL8o1fikjNzQJn51juaQE

Score

10^/10

amadey dcrat redline rhadamanthys smokeloader 02-700-2 2 2023 agilenet backdoor discovery evasion infostealer persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Botnet

2023

Extracted

Family

smokeloader

Version

2022

http://c3g6gx853u6j.xyz/

http://04yh16065cdi.xyz/

http://33qd2w560vnx.xyz/

http://neriir0f76gr.com/

http://b4y08hrp3jdb.com/

http://swp6fbywla09.com/

http://7iqt53dr345u.com/

http://mj4aj8r55mho.com/

http://ne4ym7bjn1ts.com/

rc4.i32

Extracted

Family

redline

Botnet

02-700-2

167.235.133.96:43849

Attributes

auth_value
8af50b3310e79fa317eef66b1e92900f

Extracted

Family

redline

Botnet

51.81.126.50:19836

Attributes

auth_value
7be92ecdf2c2f5400aa90f72d61cb2a4

Extracted

Family

amadey

Version

3.65

hellomr.observer/7gjD0Vs3d/index.php

researchersgokick.rocks/7gjD0Vs3d/index.php

pleasetake.pictures/7gjD0Vs3d/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exeschtasks.exeE8DE.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
4436	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fnfmgj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ifpyahw\\Fnfmgj.exe\""	E8DE.exe
3500	schtasks.exe

Detect rhadamanthys stealer shellcode 3 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4848-1837-0x00000000010E0000-0x00000000010FC000-memory.dmp	family_rhadamanthys
behavioral4/memory/4848-1844-0x00000000028F0000-0x00000000038F0000-memory.dmp	family_rhadamanthys
behavioral4/memory/4848-2079-0x00000000010E0000-0x00000000010FC000-memory.dmp	family_rhadamanthys

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 30 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4348-183-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-184-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-186-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-188-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-190-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-192-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-194-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-196-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-198-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-200-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-202-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-204-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-206-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-208-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-210-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-214-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-212-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-217-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-223-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-220-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-225-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-227-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-229-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-231-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-233-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-241-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-244-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4348-247-0x00000000026C0000-0x00000000026FE000-memory.dmp	family_redline
behavioral4/memory/4804-1115-0x0000000000040000-0x0000000000828000-memory.dmp	family_redline
behavioral4/memory/4804-1446-0x0000000000040000-0x0000000000828000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

F3BC.exe

description pid process target process

PID 472 created 2408 472 F3BC.exe taskhostw.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

1BC9.exe2DFB.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1BC9.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2DFB.exe
Downloads MZ/PE file

description	pid	process	target process
PID 472 created 2408	472	F3BC.exe	taskhostw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1BC9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2DFB.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1BC9.exe2DFB.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1BC9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1BC9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2DFB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2DFB.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

E8DE.exe2291.exenbveek.exenewbots.exenbveek.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	E8DE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	2291.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	newbots.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	nbveek.exe

Executes dropped EXE 13 IoCs

Processes:

E8DE.exeF3BC.exeF747.exeFEDA.exe1BC9.exe2291.exenbveek.exe2DFB.exenewbots.exeE8DE.exe552C.exenewbots.exenbveek.exe

pid	process
3332	E8DE.exe
472	F3BC.exe
3668	F747.exe
4348	FEDA.exe
4804	1BC9.exe
4904	2291.exe
372	nbveek.exe
2808	2DFB.exe
3132	newbots.exe
2420	E8DE.exe
4680	552C.exe
4604	newbots.exe
1984	nbveek.exe

Loads dropped DLL 1 IoCs

Processes:

F3BC.exe

pid process

472 F3BC.exe

pid	process
472	F3BC.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral4/memory/4804-1116-0x0000000000040000-0x0000000000828000-memory.dmp	agile_net
behavioral4/memory/4804-1117-0x0000000000040000-0x0000000000828000-memory.dmp	agile_net
behavioral4/memory/4804-1531-0x0000000000040000-0x0000000000828000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1BC9.exe	themida
C:\Users\Admin\AppData\Local\Temp\1BC9.exe	themida
behavioral4/memory/4804-1116-0x0000000000040000-0x0000000000828000-memory.dmp	themida
behavioral4/memory/4804-1117-0x0000000000040000-0x0000000000828000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\2DFB.exe	themida
C:\Users\Admin\AppData\Local\Temp\2DFB.exe	themida
behavioral4/memory/2808-1218-0x0000000000FD0000-0x000000000143A000-memory.dmp	themida
behavioral4/memory/2808-1325-0x0000000000FD0000-0x000000000143A000-memory.dmp	themida
behavioral4/memory/4804-1531-0x0000000000040000-0x0000000000828000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

E8DE.exenewbots.exeE8DE.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fnfmgj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ifpyahw\\Fnfmgj.exe\""	E8DE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yzritvgr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Nllsqglz\\Yzritvgr.exe\""	newbots.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E8DE.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\E8DE.exe\""	E8DE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1BC9.exe2DFB.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1BC9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2DFB.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

146 ip-api.com
148 icanhazip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

1BC9.exe2DFB.exefontview.exe

pid process

4804 1BC9.exe
2808 2DFB.exe
4848 fontview.exe
4848 fontview.exe
4848 fontview.exe

flow	ioc
146	ip-api.com
148	icanhazip.com

pid	process
4804	1BC9.exe
2808	2DFB.exe
4848	fontview.exe
4848	fontview.exe
4848	fontview.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

F3BC.exeE8DE.exenewbots.exe

description	pid	process	target process
PID 472 set thread context of 1796	472	F3BC.exe	ngentask.exe
PID 3332 set thread context of 2420	3332	E8DE.exe	E8DE.exe
PID 3132 set thread context of 4604	3132	newbots.exe	newbots.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4016 2808 WerFault.exe 2DFB.exe
1100 4348 WerFault.exe FEDA.exe
3232 472 WerFault.exe F3BC.exe
5020 472 WerFault.exe F3BC.exe

pid	pid_target	process	target process
4016	2808	WerFault.exe	2DFB.exe
1100	4348	WerFault.exe	FEDA.exe
3232	472	WerFault.exe	F3BC.exe
5020	472	WerFault.exe	F3BC.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exefontview.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	fontview.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1BC9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1BC9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1BC9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1BC9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1BC9.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4436 schtasks.exe
3500 schtasks.exe

pid	process
4436	schtasks.exe
3500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe

pid	process
4476	a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
4476	a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3080

pid	process
3080

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe

pid	process
4476	a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080
3080

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

powershell.exeFEDA.exe1BC9.exemsiexec.exenewbots.exeE8DE.exepowershell.exefontview.exeE8DE.exe

description	pid	process
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	4348	FEDA.exe
Token: SeDebugPrivilege	4804	1BC9.exe
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeSecurityPrivilege	764	msiexec.exe
Token: SeDebugPrivilege	3132	newbots.exe
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeDebugPrivilege	3332	E8DE.exe
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeShutdownPrivilege	4848	fontview.exe
Token: SeCreatePagefilePrivilege	4848	fontview.exe
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeDebugPrivilege	2420	E8DE.exe
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080
Token: SeShutdownPrivilege	3080
Token: SeCreatePagefilePrivilege	3080

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E8DE.exeF3BC.exe2291.exenbveek.execmd.exe

description	pid	process	target process
PID 3080 wrote to memory of 3332	3080		E8DE.exe
PID 3080 wrote to memory of 3332	3080		E8DE.exe
PID 3332 wrote to memory of 1880	3332	E8DE.exe	powershell.exe
PID 3332 wrote to memory of 1880	3332	E8DE.exe	powershell.exe
PID 3080 wrote to memory of 472	3080		F3BC.exe
PID 3080 wrote to memory of 472	3080		F3BC.exe
PID 3080 wrote to memory of 472	3080		F3BC.exe
PID 3080 wrote to memory of 3668	3080		F747.exe
PID 3080 wrote to memory of 3668	3080		F747.exe
PID 3080 wrote to memory of 3668	3080		F747.exe
PID 3080 wrote to memory of 4348	3080		FEDA.exe
PID 3080 wrote to memory of 4348	3080		FEDA.exe
PID 3080 wrote to memory of 4348	3080		FEDA.exe
PID 472 wrote to memory of 1796	472	F3BC.exe	ngentask.exe
PID 472 wrote to memory of 1796	472	F3BC.exe	ngentask.exe
PID 472 wrote to memory of 1796	472	F3BC.exe	ngentask.exe
PID 472 wrote to memory of 1796	472	F3BC.exe	ngentask.exe
PID 472 wrote to memory of 1796	472	F3BC.exe	ngentask.exe
PID 472 wrote to memory of 4848	472	F3BC.exe	fontview.exe
PID 472 wrote to memory of 4848	472	F3BC.exe	fontview.exe
PID 472 wrote to memory of 4848	472	F3BC.exe	fontview.exe
PID 472 wrote to memory of 4848	472	F3BC.exe	fontview.exe
PID 3080 wrote to memory of 4804	3080		1BC9.exe
PID 3080 wrote to memory of 4804	3080		1BC9.exe
PID 3080 wrote to memory of 4804	3080		1BC9.exe
PID 3080 wrote to memory of 4904	3080		2291.exe
PID 3080 wrote to memory of 4904	3080		2291.exe
PID 3080 wrote to memory of 4904	3080		2291.exe
PID 4904 wrote to memory of 372	4904	2291.exe	nbveek.exe
PID 4904 wrote to memory of 372	4904	2291.exe	nbveek.exe
PID 4904 wrote to memory of 372	4904	2291.exe	nbveek.exe
PID 372 wrote to memory of 4436	372	nbveek.exe	schtasks.exe
PID 372 wrote to memory of 4436	372	nbveek.exe	schtasks.exe
PID 372 wrote to memory of 4436	372	nbveek.exe	schtasks.exe
PID 372 wrote to memory of 3820	372	nbveek.exe	cmd.exe
PID 372 wrote to memory of 3820	372	nbveek.exe	cmd.exe
PID 372 wrote to memory of 3820	372	nbveek.exe	cmd.exe
PID 3820 wrote to memory of 3356	3820	cmd.exe	cmd.exe
PID 3820 wrote to memory of 3356	3820	cmd.exe	cmd.exe
PID 3820 wrote to memory of 3356	3820	cmd.exe	cmd.exe
PID 3820 wrote to memory of 112	3820	cmd.exe	cacls.exe
PID 3820 wrote to memory of 112	3820	cmd.exe	cacls.exe
PID 3820 wrote to memory of 112	3820	cmd.exe	cacls.exe
PID 3820 wrote to memory of 2708	3820	cmd.exe	cacls.exe
PID 3820 wrote to memory of 2708	3820	cmd.exe	cacls.exe
PID 3820 wrote to memory of 2708	3820	cmd.exe	cacls.exe
PID 3820 wrote to memory of 532	3820	cmd.exe	cmd.exe
PID 3820 wrote to memory of 532	3820	cmd.exe	cmd.exe
PID 3820 wrote to memory of 532	3820	cmd.exe	cmd.exe
PID 3820 wrote to memory of 4308	3820	cmd.exe	cacls.exe
PID 3820 wrote to memory of 4308	3820	cmd.exe	cacls.exe
PID 3820 wrote to memory of 4308	3820	cmd.exe	cacls.exe
PID 3820 wrote to memory of 3720	3820	cmd.exe	cacls.exe
PID 3820 wrote to memory of 3720	3820	cmd.exe	cacls.exe
PID 3820 wrote to memory of 3720	3820	cmd.exe	cacls.exe
PID 3080 wrote to memory of 2808	3080		2DFB.exe
PID 3080 wrote to memory of 2808	3080		2DFB.exe
PID 3080 wrote to memory of 2808	3080		2DFB.exe
PID 372 wrote to memory of 3132	372	nbveek.exe	newbots.exe
PID 372 wrote to memory of 3132	372	nbveek.exe	newbots.exe
PID 3332 wrote to memory of 2420	3332	E8DE.exe	E8DE.exe
PID 3332 wrote to memory of 2420	3332	E8DE.exe	E8DE.exe
PID 3332 wrote to memory of 2420	3332	E8DE.exe	E8DE.exe
PID 3332 wrote to memory of 2420	3332	E8DE.exe	E8DE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2408

C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Users\Admin\AppData\Local\Temp\smokeloader\a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe
"C:\Users\Admin\AppData\Local\Temp\smokeloader\a754e3d045adbd88b59a7b80ea127636f710c4183001cce2b7614611b7c141e4.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4476

C:\Users\Admin\AppData\Local\Temp\E8DE.exe
C:\Users\Admin\AppData\Local\Temp\E8DE.exe
1⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Users\Admin\AppData\Local\Temp\E8DE.exe
C:\Users\Admin\AppData\Local\Temp\E8DE.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Users\Admin\AppData\Local\Temp\F3BC.exe
C:\Users\Admin\AppData\Local\Temp\F3BC.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 1152
2⤵
- Program crash
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 1060
2⤵
- Program crash
PID:5020

C:\Users\Admin\AppData\Local\Temp\F747.exe
C:\Users\Admin\AppData\Local\Temp\F747.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Users\Admin\AppData\Local\Temp\FEDA.exe
C:\Users\Admin\AppData\Local\Temp\FEDA.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1216
2⤵
- Program crash
PID:1100

C:\Users\Admin\AppData\Local\Temp\1BC9.exe
C:\Users\Admin\AppData\Local\Temp\1BC9.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Users\Admin\AppData\Local\Temp\2291.exe
C:\Users\Admin\AppData\Local\Temp\2291.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe" /F
3⤵
- DcRat
- Creates scheduled task(s)
PID:4436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c1e3594748" /P "Admin:N"&&CACLS "..\c1e3594748" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3356

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
4⤵
PID:112

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
4⤵
PID:2708

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c1e3594748" /P "Admin:N"
4⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:532

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c1e3594748" /P "Admin:R" /E
4⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exe
"C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
PID:792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exe
C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exe
4⤵
- Executes dropped EXE
PID:4604

C:\Users\Admin\AppData\Local\Temp\2DFB.exe
C:\Users\Admin\AppData\Local\Temp\2DFB.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 580
2⤵
- Program crash
PID:4016

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2808 -ip 2808
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4348 -ip 4348
1⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\552C.exe
C:\Users\Admin\AppData\Local\Temp\552C.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2380

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2676

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5064

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3372

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4324

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 472 -ip 472
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 472 -ip 472
1⤵
PID:1412

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3900

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1840

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1984

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe" /F
2⤵
- DcRat
- Creates scheduled task(s)
PID:3500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c1e3594748" /P "Admin:N"&&CACLS "..\c1e3594748" /P "Admin:R" /E&&Exit
2⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:532

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
3⤵
PID:5092

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
3⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3984

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c1e3594748" /P "Admin:N"
3⤵
PID:112

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c1e3594748" /P "Admin:R" /E
3⤵
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6OQZGLY38OL4JTRNPTSG\IN_Windows 10 Pro (64 Bit)_R3E4EJ5Y2YRY99YWLQR9\InstalledApp.txt
Filesize
2KB

MD5
6663276c1da7e9c18116cf5ade6dfdce

SHA1
3f6b4e377dc16b1a957bc3afffc5eee4e6ab6f19

SHA256
2bbb710d13901ef441fce2a62b0d14a92f3ff03a8f8965a4d31271e327f687a6

SHA512
64859282ad16eebaa1f8f37c72a50710e1f9e5464a58f782b879a86cacd44d866457177283bd6236b83f4e27a60f780249928a14eb6974f617ef8d495e31c7a2

Download Submit
C:\Users\Admin\AppData\Local\6OQZGLY38OL4JTRNPTSG\IN_Windows 10 Pro (64 Bit)_R3E4EJ5Y2YRY99YWLQR9\ProcessList.txt
Filesize
4KB

MD5
c987555474a2af1219fc5db3b5cd5267

SHA1
60b65da368d122010a47916b5864d885f6088dbc

SHA256
029fb43ce597e4bc964aebaf700442ab958cb5753525a3c53009735f1ed8ad9b

SHA512
c5e823449c348e381f0165fc5dcd96aa2d6cdd847c7ebc27ea4c679f459ab896f95956f491f81f4d4f5c65ae299607f3e7d7c332e93203d917c200316b8ed427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\E8DE.exe.log
Filesize
1KB

MD5
cbe207895aa962105ca913568f7d2135

SHA1
c62bcc9aac6f6ad0b14457d3d51c0a474528b106

SHA256
bd468d112dd92eab9177b172cb46016d96c6d85fe567734852f8c07733c14a24

SHA512
3a93a75b1c3a93d8466a7b2f5b0433805d7055e829834203b3b6ae48ecb899f3aaf68610057a0ce0f9a29647cd7c6577dcb4c89124dc368e91f5866a5dbf1e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fc28168b916bf9744961653d503e1164

SHA1
71deadab13b81a414582f931e9af010152463644

SHA256
a2a78e9fb30fe365d454ca6bbbf950355049c978262fdf0e80cd683622cf00e9

SHA512
08d828e18ccb2892f12dcbbaf5a5ffcafb4e2e768536fc46b3d2fce788c52b2f61058e1ef0a47e648e2308f4f1aeb8799bef9472726d2800fa9b775f401e08c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exe
Filesize
680KB

MD5
285154a54ffba21bfb4a2d8f54aa3e3c

SHA1
3337353913ec67941060ace6b34f4bc6de938b7e

SHA256
25ac8cb6569569c648742ee845b72dd147e035e2a491145bc770c95422d3b756

SHA512
7f983375c309e52d79cc56c44e05cd7324150ebd9adea1604da3cc994b3345324e1c8160c78940ac7798b5c92d2941b863d7d0f09cc42dc171ebeca56a89b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exe
Filesize
680KB

MD5
285154a54ffba21bfb4a2d8f54aa3e3c

SHA1
3337353913ec67941060ace6b34f4bc6de938b7e

SHA256
25ac8cb6569569c648742ee845b72dd147e035e2a491145bc770c95422d3b756

SHA512
7f983375c309e52d79cc56c44e05cd7324150ebd9adea1604da3cc994b3345324e1c8160c78940ac7798b5c92d2941b863d7d0f09cc42dc171ebeca56a89b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exe
Filesize
680KB

MD5
285154a54ffba21bfb4a2d8f54aa3e3c

SHA1
3337353913ec67941060ace6b34f4bc6de938b7e

SHA256
25ac8cb6569569c648742ee845b72dd147e035e2a491145bc770c95422d3b756

SHA512
7f983375c309e52d79cc56c44e05cd7324150ebd9adea1604da3cc994b3345324e1c8160c78940ac7798b5c92d2941b863d7d0f09cc42dc171ebeca56a89b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071101\newbots.exe
Filesize
680KB

MD5
285154a54ffba21bfb4a2d8f54aa3e3c

SHA1
3337353913ec67941060ace6b34f4bc6de938b7e

SHA256
25ac8cb6569569c648742ee845b72dd147e035e2a491145bc770c95422d3b756

SHA512
7f983375c309e52d79cc56c44e05cd7324150ebd9adea1604da3cc994b3345324e1c8160c78940ac7798b5c92d2941b863d7d0f09cc42dc171ebeca56a89b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BC9.exe
Filesize
3.1MB

MD5
145c17e590635b43bc7af1d43cf8bac8

SHA1
55e17b8d5e99e1c895da6c7c0c60fc5a5143b9e3

SHA256
9c404c78e697cb370c9d84b492feb0dd601e5099afd0f26e09b89c5d855cc5d6

SHA512
9701999d3a2276868351cfcd1ecb2163ababf812ddc43c6f2445aa6ff4e8d16d78d12d8dc19aff32216532e9d083e65bd772fba26c8395c8daa811c18ebfdf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BC9.exe
Filesize
3.1MB

MD5
145c17e590635b43bc7af1d43cf8bac8

SHA1
55e17b8d5e99e1c895da6c7c0c60fc5a5143b9e3

SHA256
9c404c78e697cb370c9d84b492feb0dd601e5099afd0f26e09b89c5d855cc5d6

SHA512
9701999d3a2276868351cfcd1ecb2163ababf812ddc43c6f2445aa6ff4e8d16d78d12d8dc19aff32216532e9d083e65bd772fba26c8395c8daa811c18ebfdf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2291.exe
Filesize
427KB

MD5
75869356855ebaf69df70c48c2d4c455

SHA1
a39a1e3077a7f6a0679c6b2963625a555f0fb435

SHA256
e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848

SHA512
e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2291.exe
Filesize
427KB

MD5
75869356855ebaf69df70c48c2d4c455

SHA1
a39a1e3077a7f6a0679c6b2963625a555f0fb435

SHA256
e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848

SHA512
e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\240584937.dll
Filesize
334KB

MD5
4cb75f40755bf606f8a5f1b0bc1db511

SHA1
0e4fd3965245063a55ab411016a98c52e3498bca

SHA256
4c3b45b602867d875c6377fca5823a5134f991858d69efce61cccf63b3eadc3f

SHA512
2e54c0c7dba5cd54362a0d9a9407431faed52aba86acefe3843e509c316e9f51f12f6f17d2762f42d3c5e1f588bb774d0c9683c7f9527cf33a8a0c12634cef48

Download Submit
C:\Users\Admin\AppData\Local\Temp\275444769369
Filesize
79KB

MD5
da9cab753d6143a6fb6090d7a5795292

SHA1
221f5707beb8701ca1d3c20ede2a6013f8d55655

SHA256
4279b13385bcf915974a7d175be9ec5cf9efae1694bd92621153f9454467026e

SHA512
0367cb28bbfaf1f90850a2a4de87000994c0f6df5c50c9ca4ba5301140fe02300620a4140610c17ba16f357c9b2e472df9ab3d2627c6055e654f7a96cda3c04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DFB.exe
Filesize
4.2MB

MD5
ae75a902d204f6b27ef4c142d690277c

SHA1
7b4ed1d2672d547bdc6c522381c83027d4f59106

SHA256
b86c151f8c83b6e4d167a03e008d80c1cd741c8618e1a8434054cd0721c804c2

SHA512
10d9fb69bc999210562892affa04639c0cc499397a302c9d1c1689657a0ad6b4471115ef4cb47a5ea17b52bc8b1033068de1838c703be84d41986301ab24cc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DFB.exe
Filesize
4.2MB

MD5
ae75a902d204f6b27ef4c142d690277c

SHA1
7b4ed1d2672d547bdc6c522381c83027d4f59106

SHA256
b86c151f8c83b6e4d167a03e008d80c1cd741c8618e1a8434054cd0721c804c2

SHA512
10d9fb69bc999210562892affa04639c0cc499397a302c9d1c1689657a0ad6b4471115ef4cb47a5ea17b52bc8b1033068de1838c703be84d41986301ab24cc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\552C.exe
Filesize
2.9MB

MD5
063b8d5cfe89fb322507db7ec1dc1a22

SHA1
bcfe687a85512a319bcd1d803e6c0301c89f58d9

SHA256
d5bead63cdd30bfbbef15b67a279f604b8ac6a8a5402ef0223d2cd80482b46d2

SHA512
68808df550e0fc1090bb1cb7f1c73812b863fb61d9b50dd4456d9755ecd4a7cb1b9cf0a9e2e4e2a97a5e54bd32c53630d267f5b2a3f4e1869a6eca4a68c9f8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\552C.exe
Filesize
2.9MB

MD5
063b8d5cfe89fb322507db7ec1dc1a22

SHA1
bcfe687a85512a319bcd1d803e6c0301c89f58d9

SHA256
d5bead63cdd30bfbbef15b67a279f604b8ac6a8a5402ef0223d2cd80482b46d2

SHA512
68808df550e0fc1090bb1cb7f1c73812b863fb61d9b50dd4456d9755ecd4a7cb1b9cf0a9e2e4e2a97a5e54bd32c53630d267f5b2a3f4e1869a6eca4a68c9f8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8DE.exe
Filesize
2.5MB

MD5
3e83cfe5cd166c724ff586d9467c13f9

SHA1
159f4f7b658b7967babb83ffba43ce3c00ab76c0

SHA256
287590908ed9a89235fd66d1ee9b8feca0a560880bece04ee8f268103129a57e

SHA512
621c1d7e80a9660ca232c9487bdb343dfa80414bb0ffd05e9843b7fbb49308f150a6cb121b39318ee5b481d664d2f32057c8a890329f0c78dee3566f6dda3f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8DE.exe
Filesize
2.5MB

MD5
3e83cfe5cd166c724ff586d9467c13f9

SHA1
159f4f7b658b7967babb83ffba43ce3c00ab76c0

SHA256
287590908ed9a89235fd66d1ee9b8feca0a560880bece04ee8f268103129a57e

SHA512
621c1d7e80a9660ca232c9487bdb343dfa80414bb0ffd05e9843b7fbb49308f150a6cb121b39318ee5b481d664d2f32057c8a890329f0c78dee3566f6dda3f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8DE.exe
Filesize
2.5MB

MD5
3e83cfe5cd166c724ff586d9467c13f9

SHA1
159f4f7b658b7967babb83ffba43ce3c00ab76c0

SHA256
287590908ed9a89235fd66d1ee9b8feca0a560880bece04ee8f268103129a57e

SHA512
621c1d7e80a9660ca232c9487bdb343dfa80414bb0ffd05e9843b7fbb49308f150a6cb121b39318ee5b481d664d2f32057c8a890329f0c78dee3566f6dda3f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3BC.exe
Filesize
1.4MB

MD5
90b876266f4ba0fb897bb98e089a94b9

SHA1
5a460ffde15b92317df351a7ef2bad25648f7e93

SHA256
c742a3f9b5b3683da2e462eb4f778defce3d52f44a28e3b1a37ca368fea9811e

SHA512
89f419a4d8abb37bf19b9916a84f709d7d64e5178533e63c0ef42885783c1c89b7ffe6dc62a09064cc36869abd68b60fa7d4e3e2431b522f9dea7bd3fde120ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3BC.exe
Filesize
1.4MB

MD5
90b876266f4ba0fb897bb98e089a94b9

SHA1
5a460ffde15b92317df351a7ef2bad25648f7e93

SHA256
c742a3f9b5b3683da2e462eb4f778defce3d52f44a28e3b1a37ca368fea9811e

SHA512
89f419a4d8abb37bf19b9916a84f709d7d64e5178533e63c0ef42885783c1c89b7ffe6dc62a09064cc36869abd68b60fa7d4e3e2431b522f9dea7bd3fde120ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\F747.exe
Filesize
102KB

MD5
19468026f92b3efcfc92b1a0c9f48913

SHA1
8ade3bc4c79febe87f74674a4d90499d55ba21a8

SHA256
d0f797a4e2020680e6462f761249f067e7a57007bb821aaf2fda9eba47cffd16

SHA512
4b033ab117d15f09b64aace17b2405c9373c70bd817019419332184529ccdbf80779d4d19704337965eac63400047b5c70ff9924bb440aa01ac8de467d1f53a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\F747.exe
Filesize
102KB

MD5
19468026f92b3efcfc92b1a0c9f48913

SHA1
8ade3bc4c79febe87f74674a4d90499d55ba21a8

SHA256
d0f797a4e2020680e6462f761249f067e7a57007bb821aaf2fda9eba47cffd16

SHA512
4b033ab117d15f09b64aace17b2405c9373c70bd817019419332184529ccdbf80779d4d19704337965eac63400047b5c70ff9924bb440aa01ac8de467d1f53a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEDA.exe
Filesize
289KB

MD5
addadd44a657d8f48cdfcb5c26e4219b

SHA1
3d97e85c6a087a9d78477434a67a8f7da7c7bc32

SHA256
a4655626303cc7aad16cf9c32ba02b74a5950c73a89d41757817bcb38da141eb

SHA512
936c5dd3698f646344a2bbe9a7ff6722c5a30056d387a8db01cdca090da4bf1ce0c5127a809f2ad5f7f24249b8ded32f5497974e65d7f0fa64f178270f9a77c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEDA.exe
Filesize
289KB

MD5
addadd44a657d8f48cdfcb5c26e4219b

SHA1
3d97e85c6a087a9d78477434a67a8f7da7c7bc32

SHA256
a4655626303cc7aad16cf9c32ba02b74a5950c73a89d41757817bcb38da141eb

SHA512
936c5dd3698f646344a2bbe9a7ff6722c5a30056d387a8db01cdca090da4bf1ce0c5127a809f2ad5f7f24249b8ded32f5497974e65d7f0fa64f178270f9a77c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_smuna4ta.0jb.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
Filesize
427KB

MD5
75869356855ebaf69df70c48c2d4c455

SHA1
a39a1e3077a7f6a0679c6b2963625a555f0fb435

SHA256
e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848

SHA512
e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
Filesize
427KB

MD5
75869356855ebaf69df70c48c2d4c455

SHA1
a39a1e3077a7f6a0679c6b2963625a555f0fb435

SHA256
e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848

SHA512
e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
Filesize
427KB

MD5
75869356855ebaf69df70c48c2d4c455

SHA1
a39a1e3077a7f6a0679c6b2963625a555f0fb435

SHA256
e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848

SHA512
e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1e3594748\nbveek.exe
Filesize
427KB

MD5
75869356855ebaf69df70c48c2d4c455

SHA1
a39a1e3077a7f6a0679c6b2963625a555f0fb435

SHA256
e66fa43e03d6f2691d3d1bb9101ece58a412dda09710716ea2a479bbcffc0848

SHA512
e20c0f06e7b7e41f2e2c3afefc4a2c1fb4d83eeb874bfef9e94953cc58485d6422b0182b67619dfb5b7e6acdac5da1e9cbe9d9fb8a5d6999044424f63691a4d4

Download Submit
memory/372-1618-0x0000000000A40000-0x0000000000A84000-memory.dmp

Filesize
272KB

Download
memory/372-1154-0x0000000000A40000-0x0000000000A84000-memory.dmp

Filesize
272KB

Download
memory/472-172-0x000000000DD90000-0x000000000DEDA000-memory.dmp

Filesize
1.3MB

Download
memory/1796-240-0x0000000005400000-0x0000000005A18000-memory.dmp

Filesize
6.1MB

Download
memory/1796-274-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1796-245-0x0000000004F70000-0x000000000507A000-memory.dmp

Filesize
1.0MB

Download
memory/1796-1258-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1796-248-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

Filesize
72KB

Download
memory/1796-215-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1796-221-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1796-252-0x0000000004F00000-0x0000000004F3C000-memory.dmp

Filesize
240KB

Download
memory/1880-1094-0x000001A9EBBB0000-0x000001A9EBBC0000-memory.dmp

Filesize
64KB

Download
memory/1880-1089-0x000001A9EBBB0000-0x000001A9EBBC0000-memory.dmp

Filesize
64KB

Download
memory/1880-1092-0x000001A9EBBB0000-0x000001A9EBBC0000-memory.dmp

Filesize
64KB

Download
memory/1880-161-0x000001A9EBBB0000-0x000001A9EBBC0000-memory.dmp

Filesize
64KB

Download
memory/1880-162-0x000001A9EBBB0000-0x000001A9EBBC0000-memory.dmp

Filesize
64KB

Download
memory/2380-1730-0x0000000000940000-0x000000000094B000-memory.dmp

Filesize
44KB

Download
memory/2380-1728-0x0000000000950000-0x0000000000957000-memory.dmp

Filesize
28KB

Download
memory/2420-1294-0x0000000140000000-0x0000000140092000-memory.dmp

Filesize
584KB

Download
memory/2420-1343-0x000001C7282C0000-0x000001C7282D0000-memory.dmp

Filesize
64KB

Download
memory/2420-2077-0x000001C7282C0000-0x000001C7282D0000-memory.dmp

Filesize
64KB

Download
memory/2676-1848-0x00000000005B0000-0x00000000005BF000-memory.dmp

Filesize
60KB

Download
memory/2676-1846-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/2808-1218-0x0000000000FD0000-0x000000000143A000-memory.dmp

Filesize
4.4MB

Download
memory/2808-1325-0x0000000000FD0000-0x000000000143A000-memory.dmp

Filesize
4.4MB

Download
memory/3080-135-0x0000000002D00000-0x0000000002D16000-memory.dmp

Filesize
88KB

Download
memory/3132-1271-0x000001AC99F30000-0x000001AC99FDE000-memory.dmp

Filesize
696KB

Download
memory/3332-608-0x000001CDF92C0000-0x000001CDF92D0000-memory.dmp

Filesize
64KB

Download
memory/3332-149-0x000001CDF54B0000-0x000001CDF5740000-memory.dmp

Filesize
2.6MB

Download
memory/3332-150-0x000001CDF74C0000-0x000001CDF74E2000-memory.dmp

Filesize
136KB

Download
memory/3332-151-0x000001CDF92C0000-0x000001CDF92D0000-memory.dmp

Filesize
64KB

Download
memory/3372-1980-0x0000000000A10000-0x0000000000A16000-memory.dmp

Filesize
24KB

Download
memory/3372-1982-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/4232-1517-0x0000026DF31B0000-0x0000026DF31C0000-memory.dmp

Filesize
64KB

Download
memory/4232-1584-0x0000026DF31B0000-0x0000026DF31C0000-memory.dmp

Filesize
64KB

Download
memory/4324-1985-0x00000000009D0000-0x00000000009F7000-memory.dmp

Filesize
156KB

Download
memory/4348-190-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-1363-0x00000000076D0000-0x0000000007BFC000-memory.dmp

Filesize
5.2MB

Download
memory/4348-214-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-210-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-233-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-208-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-206-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-204-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-244-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-231-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-202-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-200-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-198-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-247-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-1180-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/4348-1183-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/4348-1207-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/4348-229-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-196-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-194-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-192-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-241-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-188-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-227-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-186-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-184-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-183-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-225-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-220-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-1112-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/4348-1356-0x0000000007500000-0x00000000076C2000-memory.dmp

Filesize
1.8MB

Download
memory/4348-223-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-178-0x0000000004D60000-0x0000000005304000-memory.dmp

Filesize
5.6MB

Download
memory/4348-182-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/4348-179-0x0000000000810000-0x000000000085B000-memory.dmp

Filesize
300KB

Download
memory/4348-217-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-180-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/4348-212-0x00000000026C0000-0x00000000026FE000-memory.dmp

Filesize
248KB

Download
memory/4348-181-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/4476-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4476-134-0x0000000002150000-0x0000000002159000-memory.dmp

Filesize
36KB

Download
memory/4680-1595-0x0000000000E00000-0x00000000010E2000-memory.dmp

Filesize
2.9MB

Download
memory/4804-1487-0x0000000006580000-0x000000000658A000-memory.dmp

Filesize
40KB

Download
memory/4804-1167-0x00000000064C0000-0x0000000006552000-memory.dmp

Filesize
584KB

Download
memory/4804-1446-0x0000000000040000-0x0000000000828000-memory.dmp

Filesize
7.9MB

Download
memory/4804-1118-0x0000000005160000-0x00000000051C6000-memory.dmp

Filesize
408KB

Download
memory/4804-1115-0x0000000000040000-0x0000000000828000-memory.dmp

Filesize
7.9MB

Download
memory/4804-1490-0x0000000006760000-0x0000000006772000-memory.dmp

Filesize
72KB

Download
memory/4804-1519-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/4804-1531-0x0000000000040000-0x0000000000828000-memory.dmp

Filesize
7.9MB

Download
memory/4804-1123-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/4804-1116-0x0000000000040000-0x0000000000828000-memory.dmp

Filesize
7.9MB

Download
memory/4804-1117-0x0000000000040000-0x0000000000828000-memory.dmp

Filesize
7.9MB

Download
memory/4804-1139-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/4848-1839-0x0000000000E90000-0x0000000000E92000-memory.dmp

Filesize
8KB

Download
memory/4848-2079-0x00000000010E0000-0x00000000010FC000-memory.dmp

Filesize
112KB

Download
memory/4848-1844-0x00000000028F0000-0x00000000038F0000-memory.dmp

Filesize
16.0MB

Download
memory/4848-1837-0x00000000010E0000-0x00000000010FC000-memory.dmp

Filesize
112KB

Download
memory/4848-239-0x0000000000C20000-0x0000000000C53000-memory.dmp

Filesize
204KB

Download
memory/4904-1134-0x00000000010D0000-0x0000000001114000-memory.dmp

Filesize
272KB

Download
memory/5064-1918-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/5064-1916-0x0000000000350000-0x0000000000355000-memory.dmp

Filesize
20KB

Download