Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
12-10-2023 21:47
Static task
static1
Behavioral task
behavioral1
Sample
ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe
Resource
win10v2004-20230915-en
General
-
Target
ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe
-
Size
468KB
-
MD5
e6f506f57365deb1b24b84eafbd9271f
-
SHA1
d120720527f6d02f2c6e058bc95cc18d8c23f269
-
SHA256
ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6
-
SHA512
3273f5720d13ae0c77eb9e35ef52368f187b4acfe1e40471629c6e51e0f7c442f420bd0cbbe1f5e21918760fdd260cb86b7086eb93d92e28d00b502cd3e066e9
-
SSDEEP
12288:zPmdD7nWjmGR5iErreKOOkLsxhDzfrroATRwJJ:7mN7u5iEKOKalroATRwX
Malware Config
Extracted
smokeloader
2022
http://servermlogs27.xyz/statweb255/
http://servmblog45.xyz/statweb255/
http://demblog575.xyz/statweb255/
http://admlogs85x.xyz/statweb255/
http://blogmstat389.xyz/statweb255/
http://blogmstat255.xyz/statweb255/
Signatures
-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload 2 IoCs
resource yara_rule behavioral2/files/0x0006000000023223-180.dat family_ammyyadmin behavioral2/files/0x0006000000023223-184.dat family_ammyyadmin -
Detect rhadamanthys stealer shellcode 6 IoCs
resource yara_rule behavioral2/memory/4820-14-0x0000000002CD0000-0x00000000030D0000-memory.dmp family_rhadamanthys behavioral2/memory/4820-15-0x0000000002CD0000-0x00000000030D0000-memory.dmp family_rhadamanthys behavioral2/memory/4820-16-0x0000000002CD0000-0x00000000030D0000-memory.dmp family_rhadamanthys behavioral2/memory/4820-17-0x0000000002CD0000-0x00000000030D0000-memory.dmp family_rhadamanthys behavioral2/memory/4820-27-0x0000000002CD0000-0x00000000030D0000-memory.dmp family_rhadamanthys behavioral2/memory/4820-29-0x0000000002CD0000-0x00000000030D0000-memory.dmp family_rhadamanthys -
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4820 created 3196 4820 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 60 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation svchost.exe -
Deletes itself 1 IoCs
pid Process 3048 certreq.exe -
Executes dropped EXE 14 IoCs
pid Process 4324 K8t)0KVw.exe 2688 K8t)0KVw.exe 1548 K8t)0KVw.exe 4368 K8t)0KVw.exe 180 K8t)0KVw.exe 464 K8t)0KVw.exe 584 K8t)0KVw.exe 4728 K8t)0KVw.exe 3680 K8t)0KVw.exe 4532 K8t)0KVw.exe 2296 K8t)0KVw.exe 1436 q[h1`.exe 4724 q[h1`.exe 2944 svchost.exe -
Loads dropped DLL 1 IoCs
pid Process 4280 rundll32.exe -
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3080 set thread context of 4820 3080 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 84 PID 1436 set thread context of 4724 1436 q[h1`.exe 108 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI q[h1`.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI q[h1`.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI q[h1`.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 certreq.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString certreq.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4820 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 4820 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 4820 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 4820 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 3048 certreq.exe 3048 certreq.exe 3048 certreq.exe 3048 certreq.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4324 K8t)0KVw.exe 4724 q[h1`.exe 4724 q[h1`.exe 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3196 Explorer.EXE -
Suspicious behavior: MapViewOfSection 33 IoCs
pid Process 4724 q[h1`.exe 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 116 explorer.exe 116 explorer.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3080 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe Token: SeDebugPrivilege 4324 K8t)0KVw.exe Token: SeDebugPrivilege 1436 q[h1`.exe Token: SeShutdownPrivilege 3196 Explorer.EXE Token: SeCreatePagefilePrivilege 3196 Explorer.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2944 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3080 wrote to memory of 4820 3080 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 84 PID 3080 wrote to memory of 4820 3080 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 84 PID 3080 wrote to memory of 4820 3080 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 84 PID 3080 wrote to memory of 4820 3080 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 84 PID 3080 wrote to memory of 4820 3080 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 84 PID 3080 wrote to memory of 4820 3080 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 84 PID 3080 wrote to memory of 4820 3080 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 84 PID 3080 wrote to memory of 4820 3080 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 84 PID 4820 wrote to memory of 3048 4820 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 90 PID 4820 wrote to memory of 3048 4820 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 90 PID 4820 wrote to memory of 3048 4820 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 90 PID 4820 wrote to memory of 3048 4820 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe 90 PID 4324 wrote to memory of 2688 4324 K8t)0KVw.exe 97 PID 4324 wrote to memory of 2688 4324 K8t)0KVw.exe 97 PID 4324 wrote to memory of 2688 4324 K8t)0KVw.exe 97 PID 4324 wrote to memory of 1548 4324 K8t)0KVw.exe 98 PID 4324 wrote to memory of 1548 4324 K8t)0KVw.exe 98 PID 4324 wrote to memory of 1548 4324 K8t)0KVw.exe 98 PID 4324 wrote to memory of 4368 4324 K8t)0KVw.exe 99 PID 4324 wrote to memory of 4368 4324 K8t)0KVw.exe 99 PID 4324 wrote to memory of 4368 4324 K8t)0KVw.exe 99 PID 4324 wrote to memory of 180 4324 K8t)0KVw.exe 100 PID 4324 wrote to memory of 180 4324 K8t)0KVw.exe 100 PID 4324 wrote to memory of 180 4324 K8t)0KVw.exe 100 PID 4324 wrote to memory of 464 4324 K8t)0KVw.exe 101 PID 4324 wrote to memory of 464 4324 K8t)0KVw.exe 101 PID 4324 wrote to memory of 464 4324 K8t)0KVw.exe 101 PID 4324 wrote to memory of 584 4324 K8t)0KVw.exe 102 PID 4324 wrote to memory of 584 4324 K8t)0KVw.exe 102 PID 4324 wrote to memory of 584 4324 K8t)0KVw.exe 102 PID 4324 wrote to memory of 4728 4324 K8t)0KVw.exe 103 PID 4324 wrote to memory of 4728 4324 K8t)0KVw.exe 103 PID 4324 wrote to memory of 4728 4324 K8t)0KVw.exe 103 PID 4324 wrote to memory of 3680 4324 K8t)0KVw.exe 104 PID 4324 wrote to memory of 3680 4324 K8t)0KVw.exe 104 PID 4324 wrote to memory of 3680 4324 K8t)0KVw.exe 104 PID 4324 wrote to memory of 4532 4324 K8t)0KVw.exe 105 PID 4324 wrote to memory of 4532 4324 K8t)0KVw.exe 105 PID 4324 wrote to memory of 4532 4324 K8t)0KVw.exe 105 PID 4324 wrote to memory of 2296 4324 K8t)0KVw.exe 106 PID 4324 wrote to memory of 2296 4324 K8t)0KVw.exe 106 PID 4324 wrote to memory of 2296 4324 K8t)0KVw.exe 106 PID 1436 wrote to memory of 4724 1436 q[h1`.exe 108 PID 1436 wrote to memory of 4724 1436 q[h1`.exe 108 PID 1436 wrote to memory of 4724 1436 q[h1`.exe 108 PID 1436 wrote to memory of 4724 1436 q[h1`.exe 108 PID 1436 wrote to memory of 4724 1436 q[h1`.exe 108 PID 1436 wrote to memory of 4724 1436 q[h1`.exe 108 PID 3196 wrote to memory of 2904 3196 Explorer.EXE 109 PID 3196 wrote to memory of 2904 3196 Explorer.EXE 109 PID 3196 wrote to memory of 2904 3196 Explorer.EXE 109 PID 3196 wrote to memory of 2904 3196 Explorer.EXE 109 PID 3196 wrote to memory of 3184 3196 Explorer.EXE 110 PID 3196 wrote to memory of 3184 3196 Explorer.EXE 110 PID 3196 wrote to memory of 3184 3196 Explorer.EXE 110 PID 3196 wrote to memory of 5028 3196 Explorer.EXE 111 PID 3196 wrote to memory of 5028 3196 Explorer.EXE 111 PID 3196 wrote to memory of 5028 3196 Explorer.EXE 111 PID 3196 wrote to memory of 5028 3196 Explorer.EXE 111 PID 3196 wrote to memory of 4668 3196 Explorer.EXE 112 PID 3196 wrote to memory of 4668 3196 Explorer.EXE 112 PID 3196 wrote to memory of 4668 3196 Explorer.EXE 112 PID 3196 wrote to memory of 4668 3196 Explorer.EXE 112 PID 3196 wrote to memory of 4952 3196 Explorer.EXE 113 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe"C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exeC:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6_JC.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4820
-
-
-
C:\Windows\system32\certreq.exe"C:\Windows\system32\certreq.exe"2⤵
- Deletes itself
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3048
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2904
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:3184
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:5028
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:4668
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:4952
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:3020
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:2104
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:216
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:1588
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:4720
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:3944
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:4204
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:5052
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:736
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Suspicious behavior: MapViewOfSection
PID:116 -
C:\Users\Admin\AppData\Local\Temp\E025.tmp\svchost.exeC:\Users\Admin\AppData\Local\Temp\E025.tmp\svchost.exe -debug3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:2944 -
C:\Windows\SYSTEM32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\E025.tmp\aa_nts.dll",run4⤵
- Loads dropped DLL
PID:4280
-
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exe"C:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exeC:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exe2⤵
- Executes dropped EXE
PID:2688
-
-
C:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exeC:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exe2⤵
- Executes dropped EXE
PID:1548
-
-
C:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exeC:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exe2⤵
- Executes dropped EXE
PID:4368
-
-
C:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exeC:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exe2⤵
- Executes dropped EXE
PID:180
-
-
C:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exeC:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exe2⤵
- Executes dropped EXE
PID:464
-
-
C:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exeC:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exe2⤵
- Executes dropped EXE
PID:584
-
-
C:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exeC:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exe2⤵
- Executes dropped EXE
PID:4728
-
-
C:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exeC:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exe2⤵
- Executes dropped EXE
PID:3680
-
-
C:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exeC:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exe2⤵
- Executes dropped EXE
PID:4532
-
-
C:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exeC:\Users\Admin\AppData\Local\Microsoft\K8t)0KVw.exe2⤵
- Executes dropped EXE
PID:2296
-
-
C:\Users\Admin\AppData\Local\Microsoft\q[h1`.exe"C:\Users\Admin\AppData\Local\Microsoft\q[h1`.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Users\Admin\AppData\Local\Microsoft\q[h1`.exeC:\Users\Admin\AppData\Local\Microsoft\q[h1`.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4724
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
227KB
MD52544c951135bba7846e943cf22a7eb59
SHA1099bf354174088d2c0cf68638bb441be60d7775f
SHA25614eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff
-
Filesize
227KB
MD52544c951135bba7846e943cf22a7eb59
SHA1099bf354174088d2c0cf68638bb441be60d7775f
SHA25614eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff
-
Filesize
227KB
MD52544c951135bba7846e943cf22a7eb59
SHA1099bf354174088d2c0cf68638bb441be60d7775f
SHA25614eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff
-
Filesize
227KB
MD52544c951135bba7846e943cf22a7eb59
SHA1099bf354174088d2c0cf68638bb441be60d7775f
SHA25614eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff
-
Filesize
227KB
MD52544c951135bba7846e943cf22a7eb59
SHA1099bf354174088d2c0cf68638bb441be60d7775f
SHA25614eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff
-
Filesize
227KB
MD52544c951135bba7846e943cf22a7eb59
SHA1099bf354174088d2c0cf68638bb441be60d7775f
SHA25614eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff
-
Filesize
227KB
MD52544c951135bba7846e943cf22a7eb59
SHA1099bf354174088d2c0cf68638bb441be60d7775f
SHA25614eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff
-
Filesize
227KB
MD52544c951135bba7846e943cf22a7eb59
SHA1099bf354174088d2c0cf68638bb441be60d7775f
SHA25614eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff
-
Filesize
227KB
MD52544c951135bba7846e943cf22a7eb59
SHA1099bf354174088d2c0cf68638bb441be60d7775f
SHA25614eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff
-
Filesize
227KB
MD52544c951135bba7846e943cf22a7eb59
SHA1099bf354174088d2c0cf68638bb441be60d7775f
SHA25614eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff
-
Filesize
227KB
MD52544c951135bba7846e943cf22a7eb59
SHA1099bf354174088d2c0cf68638bb441be60d7775f
SHA25614eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff
-
Filesize
227KB
MD52544c951135bba7846e943cf22a7eb59
SHA1099bf354174088d2c0cf68638bb441be60d7775f
SHA25614eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff
-
Filesize
389KB
MD54a97cfd7be5c68006c2e09dd71343ecd
SHA1db5d13f2768a73eb8f72fe08575c9911b49abfc5
SHA2565a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e
SHA512a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9
-
Filesize
389KB
MD54a97cfd7be5c68006c2e09dd71343ecd
SHA1db5d13f2768a73eb8f72fe08575c9911b49abfc5
SHA2565a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e
SHA512a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9
-
Filesize
389KB
MD54a97cfd7be5c68006c2e09dd71343ecd
SHA1db5d13f2768a73eb8f72fe08575c9911b49abfc5
SHA2565a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e
SHA512a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9
-
Filesize
902KB
MD5480a66902e6e7cdafaa6711e8697ff8c
SHA16ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA2567eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA5127d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5
-
Filesize
902KB
MD5480a66902e6e7cdafaa6711e8697ff8c
SHA16ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA2567eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA5127d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5
-
Filesize
46B
MD53f05819f995b4dafa1b5d55ce8d1f411
SHA1404449b79a16bfc4f64f2fd55cd73d5d27a85d71
SHA2567e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0
SHA51234abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026
-
Filesize
798KB
MD590aadf2247149996ae443e2c82af3730
SHA1050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize
798KB
MD590aadf2247149996ae443e2c82af3730
SHA1050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be