Analysis Overview
SHA256
a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115
Threat Level: Known bad
The file NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe was found to be: Known bad.
Malicious Activity Summary
Detect rhadamanthys stealer shellcode
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
SmokeLoader
AmmyyAdmin payload
Ammyy Admin
FlawedAmmyy RAT
Downloads MZ/PE file
Deletes itself
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
outlook_win_path
Modifies system certificate store
Delays execution with timeout.exe
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
outlook_office_path
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-26 19:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-26 19:24
Reported
2023-10-26 19:27
Platform
win7-20231023-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
FlawedAmmyy RAT
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2700 created 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe | C:\Windows\Explorer.EXE |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\u7FD~fOmF7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\GX3O6dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\u7FD~fOmF7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\u7FD~fOmF7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1320 set thread context of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe |
| PID 2928 set thread context of 2676 | N/A | C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe | C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Microsoft\u7FD~fOmF7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Microsoft\u7FD~fOmF7.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
C:\Users\Admin\AppData\Local\Microsoft\u7FD~fOmF7.exe
"C:\Users\Admin\AppData\Local\Microsoft\u7FD~fOmF7.exe"
C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe
"C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe"
C:\Users\Admin\AppData\Local\Microsoft\GX3O6dN.exe
"C:\Users\Admin\AppData\Local\Microsoft\GX3O6dN.exe"
C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe
C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\u7FD~fOmF7.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe -debug
C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\aa_nts.dll",run
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | amxt25.xyz | udp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| US | 8.8.8.8:53 | matthewsamuel.top | udp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| US | 8.8.8.8:53 | servermlogs27.xyz | udp |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| US | 8.8.8.8:53 | gitboot234.xyz | udp |
| DE | 91.200.103.49:80 | gitboot234.xyz | tcp |
| US | 8.8.8.8:53 | files.catbox.moe | udp |
| CA | 108.181.20.35:443 | files.catbox.moe | tcp |
| CA | 108.181.20.35:443 | files.catbox.moe | tcp |
| CA | 108.181.20.35:443 | files.catbox.moe | tcp |
| CA | 108.181.20.35:443 | files.catbox.moe | tcp |
| CA | 108.181.20.35:443 | files.catbox.moe | tcp |
| CA | 108.181.20.35:443 | files.catbox.moe | tcp |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | tcp | |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| US | 8.8.8.8:53 | www.ammyy.com | udp |
| DE | 136.243.18.118:80 | www.ammyy.com | tcp |
| DE | 136.243.18.118:443 | www.ammyy.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.169:80 | apps.identrust.com | tcp |
Files
memory/1320-0-0x0000000001180000-0x00000000014E2000-memory.dmp
memory/1320-1-0x0000000073F60000-0x000000007464E000-memory.dmp
memory/1320-2-0x0000000000D80000-0x0000000000DC0000-memory.dmp
memory/1320-3-0x0000000004EA0000-0x000000000508E000-memory.dmp
memory/1320-4-0x0000000000D00000-0x0000000000D80000-memory.dmp
memory/1320-5-0x0000000000A80000-0x0000000000AE8000-memory.dmp
memory/1320-6-0x0000000000DC0000-0x0000000000E28000-memory.dmp
memory/1320-7-0x00000000010F0000-0x000000000113C000-memory.dmp
memory/2700-8-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2700-10-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2700-12-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2700-14-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2700-18-0x0000000000400000-0x0000000000473000-memory.dmp
memory/1320-20-0x0000000073F60000-0x000000007464E000-memory.dmp
memory/2700-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2700-21-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2700-22-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2700-23-0x0000000000090000-0x0000000000097000-memory.dmp
memory/2700-25-0x0000000000C20000-0x0000000001020000-memory.dmp
memory/2700-24-0x0000000000C20000-0x0000000001020000-memory.dmp
memory/2700-26-0x0000000000C20000-0x0000000001020000-memory.dmp
memory/2700-27-0x0000000000C20000-0x0000000001020000-memory.dmp
memory/1048-28-0x0000000000060000-0x0000000000063000-memory.dmp
memory/1048-29-0x0000000000060000-0x0000000000063000-memory.dmp
memory/2700-30-0x00000000002A0000-0x00000000002D6000-memory.dmp
memory/2700-35-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2700-37-0x00000000002A0000-0x00000000002D6000-memory.dmp
memory/2700-38-0x0000000000C20000-0x0000000001020000-memory.dmp
memory/2700-39-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2700-40-0x0000000000C20000-0x0000000001020000-memory.dmp
memory/1048-42-0x00000000001A0000-0x00000000001A7000-memory.dmp
memory/1048-43-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/1048-44-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/1048-46-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/1048-45-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/1048-48-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/1048-50-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/1048-52-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/1048-51-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/1048-47-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/1048-53-0x0000000076E60000-0x0000000077009000-memory.dmp
memory/1048-54-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/1048-55-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/1048-56-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/1048-57-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/1048-58-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\u7FD~fOmF7.exe
| MD5 | b690d4e17429538cddb6ff39d5104aa1 |
| SHA1 | 4bfcfd51931cd1f1c7196315cd3e3ebac6c2e425 |
| SHA256 | 2c6e833ee31a0ec3f6a61ea9aaed03cde52ea6d23b9e059d966412c54de38d34 |
| SHA512 | 21d185bd8338a7a70ef1c2b939402395da9296774d732a16c203a24d7715d740113e8ed8027e968d6b9b213af35aab1b81a5964e3dcd0126898365a11fa6d347 |
C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe
| MD5 | 98b5d4c4e238d202f81cffde25e7c836 |
| SHA1 | b5b0021e9e7c52e04f415513ac5b43f290aea314 |
| SHA256 | d1c3c5ff607fa74bedc942818fe4f7b202d7887073a62577f4f1b31375c23b13 |
| SHA512 | 16b762660ba60a1af48705fc39e07de58f94a64b461c353dc60b19844c69aeb25dcdd29ce1c97295cc82e4fa7bdb1be311faa719462c7a7ef78a7c97341c21b6 |
memory/2928-64-0x0000000001380000-0x000000000149A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe
| MD5 | 98b5d4c4e238d202f81cffde25e7c836 |
| SHA1 | b5b0021e9e7c52e04f415513ac5b43f290aea314 |
| SHA256 | d1c3c5ff607fa74bedc942818fe4f7b202d7887073a62577f4f1b31375c23b13 |
| SHA512 | 16b762660ba60a1af48705fc39e07de58f94a64b461c353dc60b19844c69aeb25dcdd29ce1c97295cc82e4fa7bdb1be311faa719462c7a7ef78a7c97341c21b6 |
memory/2928-65-0x0000000073870000-0x0000000073F5E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\GX3O6dN.exe
| MD5 | 2a40a56b3dbe361864baac57a7815de4 |
| SHA1 | a0b67c7eb5bb378010ada7a3cf6bfe4101df9049 |
| SHA256 | 3d62c31dd2a3749a264d72bd87c287c9367d3198d612c5566ca54809b714af99 |
| SHA512 | 6c426f00cac5bbf67fd6e56c95561b8ad94da32d1199cfbf5d9e3b2627b39cdf8e089856fd346a44097006a0f32a78480b32554f39ba4ceaf72182126f78e4b2 |
memory/1048-68-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2928-69-0x0000000004C50000-0x0000000004C90000-memory.dmp
memory/2928-70-0x0000000000D10000-0x0000000000D5A000-memory.dmp
memory/2928-71-0x0000000000580000-0x00000000005B2000-memory.dmp
memory/2928-72-0x0000000000A70000-0x0000000000AA2000-memory.dmp
memory/2676-73-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2676-74-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2676-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\8uw3fU.exe
| MD5 | 98b5d4c4e238d202f81cffde25e7c836 |
| SHA1 | b5b0021e9e7c52e04f415513ac5b43f290aea314 |
| SHA256 | d1c3c5ff607fa74bedc942818fe4f7b202d7887073a62577f4f1b31375c23b13 |
| SHA512 | 16b762660ba60a1af48705fc39e07de58f94a64b461c353dc60b19844c69aeb25dcdd29ce1c97295cc82e4fa7bdb1be311faa719462c7a7ef78a7c97341c21b6 |
memory/2676-77-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2928-81-0x0000000073870000-0x0000000073F5E000-memory.dmp
memory/2676-80-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1048-79-0x0000000076E60000-0x0000000077009000-memory.dmp
memory/2884-83-0x0000000000840000-0x0000000000940000-memory.dmp
memory/2884-84-0x00000000002B0000-0x00000000002CB000-memory.dmp
memory/2884-85-0x0000000000400000-0x00000000007B5000-memory.dmp
memory/2884-86-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/1048-93-0x00000000001A0000-0x00000000001A2000-memory.dmp
memory/1048-95-0x0000000076E60000-0x0000000077009000-memory.dmp
memory/2676-120-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1208-119-0x0000000002AE0000-0x0000000002AF6000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/2884-151-0x0000000000840000-0x0000000000940000-memory.dmp
memory/2884-152-0x00000000002B0000-0x00000000002CB000-memory.dmp
memory/2884-161-0x0000000000400000-0x00000000007B5000-memory.dmp
memory/2884-172-0x0000000000400000-0x00000000007B5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\u7FD~fOmF7.exe
| MD5 | b690d4e17429538cddb6ff39d5104aa1 |
| SHA1 | 4bfcfd51931cd1f1c7196315cd3e3ebac6c2e425 |
| SHA256 | 2c6e833ee31a0ec3f6a61ea9aaed03cde52ea6d23b9e059d966412c54de38d34 |
| SHA512 | 21d185bd8338a7a70ef1c2b939402395da9296774d732a16c203a24d7715d740113e8ed8027e968d6b9b213af35aab1b81a5964e3dcd0126898365a11fa6d347 |
memory/1732-183-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/1732-181-0x00000000000F0000-0x0000000000165000-memory.dmp
memory/1732-196-0x0000000000080000-0x00000000000EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C3FE.tmp
| MD5 | bcd88b9387ae5e8b043f98f39419492a |
| SHA1 | ff974206dfa84aea28c4ac5feebd113104d702b3 |
| SHA256 | e22a6614d000815d8385859a36678004ffeea90bc34a6a3d80f4703c734e361d |
| SHA512 | 0e9fa8f4e6c2d463ea47c1748995f2318a9054fe5ead3a676b88803a94204f30b4290c4ea3b84c7c7344f89498424a7434436fd9f602524399d67437933e572f |
memory/1516-199-0x0000000000060000-0x000000000006C000-memory.dmp
memory/1516-200-0x0000000000060000-0x000000000006C000-memory.dmp
memory/1516-197-0x0000000000070000-0x0000000000077000-memory.dmp
memory/2876-201-0x00000000000D0000-0x00000000000D4000-memory.dmp
memory/2876-203-0x0000000000080000-0x0000000000089000-memory.dmp
memory/1304-206-0x0000000000080000-0x000000000008B000-memory.dmp
memory/1304-204-0x0000000000090000-0x000000000009A000-memory.dmp
memory/1056-207-0x0000000000090000-0x0000000000097000-memory.dmp
memory/1056-209-0x0000000000080000-0x000000000008B000-memory.dmp
memory/2368-210-0x0000000000070000-0x0000000000079000-memory.dmp
memory/2368-212-0x0000000000060000-0x000000000006F000-memory.dmp
memory/1984-216-0x0000000000080000-0x0000000000089000-memory.dmp
memory/2876-215-0x00000000000D0000-0x00000000000D4000-memory.dmp
memory/1984-213-0x00000000000D0000-0x00000000000D5000-memory.dmp
memory/2460-219-0x0000000000060000-0x000000000006C000-memory.dmp
memory/2460-217-0x00000000000F0000-0x00000000000F6000-memory.dmp
memory/2568-223-0x0000000000080000-0x0000000000089000-memory.dmp
memory/1304-222-0x0000000000080000-0x000000000008B000-memory.dmp
memory/2568-220-0x0000000000090000-0x0000000000094000-memory.dmp
memory/1244-224-0x0000000000070000-0x0000000000075000-memory.dmp
memory/1244-226-0x0000000000060000-0x0000000000069000-memory.dmp
memory/2368-228-0x0000000000060000-0x000000000006F000-memory.dmp
\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
C:\Users\Admin\AppData\Local\Temp\Cab927.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar997.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c9a62b20dc4444b9955c09a2f29a9cb1 |
| SHA1 | b5e458d231c9340edfc565382d517e284e170009 |
| SHA256 | 864b3109416ce523121ccbfd3e367dbfe030511d30f98d9d37779cabb0337f6a |
| SHA512 | 9026dba7767fd6bb4eea56e8091e378eca4d72784d856e4e0d52c52d713d2570b9bf833f4fe20228e6d921f18bda7552831a4acd5f46fa9e366e9b5678816208 |
C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\aa_nts.dll
| MD5 | 480a66902e6e7cdafaa6711e8697ff8c |
| SHA1 | 6ac730962e7c1dba9e2ecc5733a506544f3c8d11 |
| SHA256 | 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5 |
| SHA512 | 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5 |
\Users\Admin\AppData\Local\Temp\FB9E.tmp\aa_nts.dll
| MD5 | 480a66902e6e7cdafaa6711e8697ff8c |
| SHA1 | 6ac730962e7c1dba9e2ecc5733a506544f3c8d11 |
| SHA256 | 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5 |
| SHA512 | 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5 |
\Users\Admin\AppData\Local\Temp\FB9E.tmp\aa_nts.dll
| MD5 | 480a66902e6e7cdafaa6711e8697ff8c |
| SHA1 | 6ac730962e7c1dba9e2ecc5733a506544f3c8d11 |
| SHA256 | 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5 |
| SHA512 | 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5 |
\Users\Admin\AppData\Local\Temp\FB9E.tmp\aa_nts.dll
| MD5 | 480a66902e6e7cdafaa6711e8697ff8c |
| SHA1 | 6ac730962e7c1dba9e2ecc5733a506544f3c8d11 |
| SHA256 | 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5 |
| SHA512 | 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5 |
\Users\Admin\AppData\Local\Temp\FB9E.tmp\aa_nts.dll
| MD5 | 480a66902e6e7cdafaa6711e8697ff8c |
| SHA1 | 6ac730962e7c1dba9e2ecc5733a506544f3c8d11 |
| SHA256 | 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5 |
| SHA512 | 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5 |
C:\Users\Admin\AppData\Local\Temp\FB9E.tmp\aa_nts.msg
| MD5 | 3f05819f995b4dafa1b5d55ce8d1f411 |
| SHA1 | 404449b79a16bfc4f64f2fd55cd73d5d27a85d71 |
| SHA256 | 7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0 |
| SHA512 | 34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-26 19:24
Reported
2023-10-26 19:27
Platform
win10v2004-20231023-en
Max time kernel
151s
Max time network
158s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2736 created 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe | C:\Windows\Explorer.EXE |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Microsoft\TNL0(.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\TNL0(.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\4rN8_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\TNL0(.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\TNL0(.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2036 set thread context of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe | C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe |
| PID 3152 set thread context of 3944 | N/A | C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe | C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Microsoft\TNL0(.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Microsoft\TNL0(.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Microsoft\TNL0(.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe
C:\Users\Admin\AppData\Local\Temp\NEAS.a75e3f3e506051b9e4313a407c2a993f9d662a142f2ec6265edeca16511bc115exe_JC.exe
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
C:\Users\Admin\AppData\Local\Microsoft\TNL0(.exe
"C:\Users\Admin\AppData\Local\Microsoft\TNL0(.exe"
C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe
"C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe"
C:\Users\Admin\AppData\Local\Microsoft\4rN8_.exe
"C:\Users\Admin\AppData\Local\Microsoft\4rN8_.exe"
C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe
C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Microsoft\TNL0(.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1940 -ip 1940
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 2432
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amxt25.xyz | udp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.66.131.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amxt25.xyz | udp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | matthewsamuel.top | udp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| US | 8.8.8.8:53 | 88.129.139.37.in-addr.arpa | udp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| NL | 37.139.129.88:80 | matthewsamuel.top | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | servermlogs27.xyz | udp |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| US | 8.8.8.8:53 | gitboot234.xyz | udp |
| DE | 91.200.103.49:80 | gitboot234.xyz | tcp |
| US | 8.8.8.8:53 | 120.66.131.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | files.catbox.moe | udp |
| CA | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 35.20.181.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
memory/2036-0-0x0000000074660000-0x0000000074E10000-memory.dmp
memory/2036-1-0x0000000000D40000-0x00000000010A2000-memory.dmp
memory/2036-2-0x0000000005AA0000-0x0000000005B32000-memory.dmp
memory/2036-3-0x0000000005BD0000-0x0000000005BE0000-memory.dmp
memory/2036-4-0x0000000005BE0000-0x0000000005DCE000-memory.dmp
memory/2036-5-0x0000000005E10000-0x0000000005E90000-memory.dmp
memory/2036-6-0x00000000062C0000-0x0000000006328000-memory.dmp
memory/2036-7-0x0000000005FD0000-0x0000000006038000-memory.dmp
memory/2036-8-0x0000000006040000-0x000000000608C000-memory.dmp
memory/2036-9-0x0000000074660000-0x0000000074E10000-memory.dmp
memory/2036-10-0x00000000068E0000-0x0000000006E84000-memory.dmp
memory/2736-11-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2736-15-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2036-14-0x0000000074660000-0x0000000074E10000-memory.dmp
memory/2736-16-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2736-17-0x0000000002910000-0x0000000002917000-memory.dmp
memory/2736-18-0x0000000002B30000-0x0000000002F30000-memory.dmp
memory/2736-19-0x0000000002B30000-0x0000000002F30000-memory.dmp
memory/2736-20-0x0000000002B30000-0x0000000002F30000-memory.dmp
memory/2736-21-0x0000000002B30000-0x0000000002F30000-memory.dmp
memory/2908-22-0x000002C156C00000-0x000002C156C03000-memory.dmp
memory/2736-23-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2736-24-0x0000000003970000-0x00000000039A6000-memory.dmp
memory/2736-30-0x0000000003970000-0x00000000039A6000-memory.dmp
memory/2736-31-0x0000000002B30000-0x0000000002F30000-memory.dmp
memory/2736-32-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2736-33-0x0000000002B30000-0x0000000002F30000-memory.dmp
memory/2908-34-0x000002C156C00000-0x000002C156C03000-memory.dmp
memory/2908-35-0x000002C156DA0000-0x000002C156DA7000-memory.dmp
memory/2908-36-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-37-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-38-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-39-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-43-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-41-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-40-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-44-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-45-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-46-0x00007FF81F2F0000-0x00007FF81F4E5000-memory.dmp
memory/2908-47-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-48-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-49-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-50-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-51-0x00007FF4BB970000-0x00007FF4BBA9F000-memory.dmp
memory/2908-52-0x00007FF81F2F0000-0x00007FF81F4E5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\TNL0(.exe
| MD5 | b690d4e17429538cddb6ff39d5104aa1 |
| SHA1 | 4bfcfd51931cd1f1c7196315cd3e3ebac6c2e425 |
| SHA256 | 2c6e833ee31a0ec3f6a61ea9aaed03cde52ea6d23b9e059d966412c54de38d34 |
| SHA512 | 21d185bd8338a7a70ef1c2b939402395da9296774d732a16c203a24d7715d740113e8ed8027e968d6b9b213af35aab1b81a5964e3dcd0126898365a11fa6d347 |
C:\Users\Admin\AppData\Local\Microsoft\TNL0(.exe
| MD5 | b690d4e17429538cddb6ff39d5104aa1 |
| SHA1 | 4bfcfd51931cd1f1c7196315cd3e3ebac6c2e425 |
| SHA256 | 2c6e833ee31a0ec3f6a61ea9aaed03cde52ea6d23b9e059d966412c54de38d34 |
| SHA512 | 21d185bd8338a7a70ef1c2b939402395da9296774d732a16c203a24d7715d740113e8ed8027e968d6b9b213af35aab1b81a5964e3dcd0126898365a11fa6d347 |
C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe
| MD5 | 98b5d4c4e238d202f81cffde25e7c836 |
| SHA1 | b5b0021e9e7c52e04f415513ac5b43f290aea314 |
| SHA256 | d1c3c5ff607fa74bedc942818fe4f7b202d7887073a62577f4f1b31375c23b13 |
| SHA512 | 16b762660ba60a1af48705fc39e07de58f94a64b461c353dc60b19844c69aeb25dcdd29ce1c97295cc82e4fa7bdb1be311faa719462c7a7ef78a7c97341c21b6 |
C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe
| MD5 | 98b5d4c4e238d202f81cffde25e7c836 |
| SHA1 | b5b0021e9e7c52e04f415513ac5b43f290aea314 |
| SHA256 | d1c3c5ff607fa74bedc942818fe4f7b202d7887073a62577f4f1b31375c23b13 |
| SHA512 | 16b762660ba60a1af48705fc39e07de58f94a64b461c353dc60b19844c69aeb25dcdd29ce1c97295cc82e4fa7bdb1be311faa719462c7a7ef78a7c97341c21b6 |
memory/3152-60-0x00000000002D0000-0x00000000003EA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\4rN8_.exe
| MD5 | 2a40a56b3dbe361864baac57a7815de4 |
| SHA1 | a0b67c7eb5bb378010ada7a3cf6bfe4101df9049 |
| SHA256 | 3d62c31dd2a3749a264d72bd87c287c9367d3198d612c5566ca54809b714af99 |
| SHA512 | 6c426f00cac5bbf67fd6e56c95561b8ad94da32d1199cfbf5d9e3b2627b39cdf8e089856fd346a44097006a0f32a78480b32554f39ba4ceaf72182126f78e4b2 |
C:\Users\Admin\AppData\Local\Microsoft\4rN8_.exe
| MD5 | 2a40a56b3dbe361864baac57a7815de4 |
| SHA1 | a0b67c7eb5bb378010ada7a3cf6bfe4101df9049 |
| SHA256 | 3d62c31dd2a3749a264d72bd87c287c9367d3198d612c5566ca54809b714af99 |
| SHA512 | 6c426f00cac5bbf67fd6e56c95561b8ad94da32d1199cfbf5d9e3b2627b39cdf8e089856fd346a44097006a0f32a78480b32554f39ba4ceaf72182126f78e4b2 |
memory/3152-63-0x0000000074590000-0x0000000074D40000-memory.dmp
memory/3152-64-0x00000000027B0000-0x00000000027C0000-memory.dmp
memory/3152-65-0x0000000005BC0000-0x0000000005C0A000-memory.dmp
memory/3152-66-0x0000000005C10000-0x0000000005C42000-memory.dmp
memory/3152-68-0x0000000005C70000-0x0000000005CA2000-memory.dmp
memory/3152-67-0x00000000027B0000-0x00000000027C0000-memory.dmp
memory/3944-69-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\736oNTd`.exe
| MD5 | 98b5d4c4e238d202f81cffde25e7c836 |
| SHA1 | b5b0021e9e7c52e04f415513ac5b43f290aea314 |
| SHA256 | d1c3c5ff607fa74bedc942818fe4f7b202d7887073a62577f4f1b31375c23b13 |
| SHA512 | 16b762660ba60a1af48705fc39e07de58f94a64b461c353dc60b19844c69aeb25dcdd29ce1c97295cc82e4fa7bdb1be311faa719462c7a7ef78a7c97341c21b6 |
memory/3944-72-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3152-73-0x0000000074590000-0x0000000074D40000-memory.dmp
memory/1940-75-0x0000000000900000-0x0000000000A00000-memory.dmp
memory/1940-76-0x00000000008E0000-0x00000000008FB000-memory.dmp
memory/1940-77-0x0000000000400000-0x00000000007B5000-memory.dmp
memory/2908-78-0x000002C156DA0000-0x000002C156DA5000-memory.dmp
memory/2908-79-0x00007FF81F2F0000-0x00007FF81F4E5000-memory.dmp
memory/1940-80-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3944-90-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3232-84-0x0000000002DD0000-0x0000000002DE6000-memory.dmp
memory/1940-131-0x0000000000400000-0x00000000007B5000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/1940-151-0x0000000000900000-0x0000000000A00000-memory.dmp
memory/1940-153-0x00000000008E0000-0x00000000008FB000-memory.dmp
memory/1940-158-0x0000000000400000-0x00000000007B5000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/1940-171-0x0000000000400000-0x00000000007B5000-memory.dmp