42cdd97b333d36f2b18ec2bd5633012aa386dbc6a1d0b1f8b814ad1068e5f55a

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe
Size

5.5MB
MD5

222f7516c7424f05fd0cbbcbdf25cd0b
SHA1

1c0de6486a859d7fc373e294bc893187bf6226d3
SHA256

42cdd97b333d36f2b18ec2bd5633012aa386dbc6a1d0b1f8b814ad1068e5f55a
SHA512

5934f6552b2dc6b1658e0f46b586e25ec744e0a29d63ad124fe1b558f21821270489d97225ec22a0b21c795f291f870e26da68b792c4eee90076b7f9a34c7143
SSDEEP

98304:IGoqTB3ovZVtMnYhWYJgJheWRsFn0iydrEXvZG:Iqg/MYkYOJhjRsF0i+oxG

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2880	hehwbylbhl.exe
2744	gnfvevcsup.exe
3064	SearchUserHost.exe
1152	Explorer.EXE
2864	bindsvc.exe

Loads dropped DLL 12 IoCs

pid	Process
2316	2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe
2316	2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe
2316	2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe
2316	2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe
2288	SearchIndexer.exe
2288	SearchIndexer.exe
2288	SearchIndexer.exe
3064	SearchUserHost.exe
1416	SearchProtocolHost.exe
2744	gnfvevcsup.exe
2744	gnfvevcsup.exe
2056	SearchFilterHost.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2544	ARP.EXE
2488	cmd.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wideshut.exe	gnfvevcsup.exe
File created	C:\Windows\system32\msfte.dll	gnfvevcsup.exe
File created	C:\Windows\system32\SearchUserHost.exe	SearchIndexer.exe
File created	C:\Windows\System32\bindsvc.exe	gnfvevcsup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File created	C:\Windows\SysWOW64\wimsvc.exe	gnfvevcsup.exe
File created	C:\Windows\SysWOW64\racfg.exe	gnfvevcsup.exe
File created	C:\Windows\SysWOW64\bindsvc.exe	gnfvevcsup.exe
File opened for modification	C:\Windows\system32\SearchUserHost.exe	SearchIndexer.exe
File created	C:\Windows\system32\oci.dll	gnfvevcsup.exe
File created	C:\Windows\SysWOW64\wideshut.exe	gnfvevcsup.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2172	tasklist.exe
1200	tasklist.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016df5-10.dat	upx
behavioral1/memory/2316-16-0x00000000035E0000-0x000000000375A000-memory.dmp	upx
behavioral1/memory/2744-24-0x0000000000AC0000-0x0000000000C3A000-memory.dmp	upx
behavioral1/memory/2744-278-0x0000000000AC0000-0x0000000000C3A000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1540	sc.exe
2012	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gnfvevcsup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2512	cmd.exe
1716	PING.EXE

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1012	NETSTAT.EXE
1208	cmd.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1012	NETSTAT.EXE
2116	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2396	systeminfo.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090053d398ea1db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10303 = "Enjoy the classic strategy game of Chess. Play against the computer, or compete against a friend. The winner is the first to capture the opponent’s king."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10209 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\NetProjW.dll,-511 = "Display your desktop on a network projector."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\mycomput.dll,-112 = "Manages disks and provides access to other tools to manage local and remote computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msra.exe,-100 = "Windows Remote Assistance"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Wdc.dll,-10025 = "Diagnose performance issues and collect performance data."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\migwiz\wet.dll,-590 = "Transfers files and settings from one computer to another"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rstrui.exe,-102 = "Restore system to a chosen restore point."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\AuthFWGP.dll,-20 = "Windows Firewall with Advanced Security"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-113 = "Windows PowerShell Integrated Scripting Environment. Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\odbcint.dll,-1312 = "Maintains ODBC data sources and drivers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 = "Windows Speech Recognition"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\DVD Maker\DVDMaker.exe,-61403 = "Windows DVD Maker"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Sidebar\sidebar.exe,-1005 = "Desktop Gadget Gallery"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-102 = "View monitoring and troubleshooting messages from windows and other programs."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\iscsicpl.dll,-5002 = "Connect to remote iSCSI targets and configure connection settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10056 = "Hearts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1716	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2288	SearchIndexer.exe
2288	SearchIndexer.exe
3064	SearchUserHost.exe
2744	gnfvevcsup.exe
2172	tasklist.exe
2172	tasklist.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1152	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2288	SearchIndexer.exe
Token: 33	2288	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2288	SearchIndexer.exe
Token: SeDebugPrivilege	2172	tasklist.exe
Token: SeDebugPrivilege	1012	NETSTAT.EXE
Token: SeDebugPrivilege	1200	tasklist.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe
Token: SeDebugPrivilege	3064	SearchUserHost.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
1416	SearchProtocolHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe
3064	SearchUserHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2880	2316	2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe	30
PID 2316 wrote to memory of 2880	2316	2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe	30
PID 2316 wrote to memory of 2880	2316	2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe	30
PID 2316 wrote to memory of 2880	2316	2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe	30
PID 2316 wrote to memory of 2744	2316	2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe	31
PID 2316 wrote to memory of 2744	2316	2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe	31
PID 2316 wrote to memory of 2744	2316	2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe	31
PID 2316 wrote to memory of 2744	2316	2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe	31
PID 2288 wrote to memory of 3064	2288	SearchIndexer.exe	33
PID 2288 wrote to memory of 3064	2288	SearchIndexer.exe	33
PID 2288 wrote to memory of 3064	2288	SearchIndexer.exe	33
PID 3064 wrote to memory of 1152	3064	SearchUserHost.exe	20
PID 1152 wrote to memory of 1412	1152	Explorer.EXE	34
PID 1152 wrote to memory of 1412	1152	Explorer.EXE	34
PID 1152 wrote to memory of 1412	1152	Explorer.EXE	34
PID 2288 wrote to memory of 1416	2288	SearchIndexer.exe	35
PID 2288 wrote to memory of 1416	2288	SearchIndexer.exe	35
PID 2288 wrote to memory of 1416	2288	SearchIndexer.exe	35
PID 3064 wrote to memory of 1596	3064	SearchUserHost.exe	36
PID 3064 wrote to memory of 1596	3064	SearchUserHost.exe	36
PID 3064 wrote to memory of 1596	3064	SearchUserHost.exe	36
PID 1596 wrote to memory of 2396	1596	cmd.exe	38
PID 1596 wrote to memory of 2396	1596	cmd.exe	38
PID 1596 wrote to memory of 2396	1596	cmd.exe	38
PID 2288 wrote to memory of 2056	2288	SearchIndexer.exe	39
PID 2288 wrote to memory of 2056	2288	SearchIndexer.exe	39
PID 2288 wrote to memory of 2056	2288	SearchIndexer.exe	39
PID 1152 wrote to memory of 1504	1152	Explorer.EXE	41
PID 1152 wrote to memory of 1504	1152	Explorer.EXE	41
PID 1152 wrote to memory of 1504	1152	Explorer.EXE	41
PID 2744 wrote to memory of 888	2744	gnfvevcsup.exe	42
PID 2744 wrote to memory of 888	2744	gnfvevcsup.exe	42
PID 2744 wrote to memory of 888	2744	gnfvevcsup.exe	42
PID 2744 wrote to memory of 888	2744	gnfvevcsup.exe	42
PID 888 wrote to memory of 1540	888	cmd.exe	44
PID 888 wrote to memory of 1540	888	cmd.exe	44
PID 888 wrote to memory of 1540	888	cmd.exe	44
PID 2744 wrote to memory of 2876	2744	gnfvevcsup.exe	45
PID 2744 wrote to memory of 2876	2744	gnfvevcsup.exe	45
PID 2744 wrote to memory of 2876	2744	gnfvevcsup.exe	45
PID 2744 wrote to memory of 2876	2744	gnfvevcsup.exe	45
PID 2744 wrote to memory of 2864	2744	gnfvevcsup.exe	47
PID 2744 wrote to memory of 2864	2744	gnfvevcsup.exe	47
PID 2744 wrote to memory of 2864	2744	gnfvevcsup.exe	47
PID 2744 wrote to memory of 2864	2744	gnfvevcsup.exe	47
PID 3064 wrote to memory of 2576	3064	SearchUserHost.exe	49
PID 3064 wrote to memory of 2576	3064	SearchUserHost.exe	49
PID 3064 wrote to memory of 2576	3064	SearchUserHost.exe	49
PID 2576 wrote to memory of 2172	2576	cmd.exe	51
PID 2576 wrote to memory of 2172	2576	cmd.exe	51
PID 2576 wrote to memory of 2172	2576	cmd.exe	51
PID 3064 wrote to memory of 1208	3064	SearchUserHost.exe	52
PID 3064 wrote to memory of 1208	3064	SearchUserHost.exe	52
PID 3064 wrote to memory of 1208	3064	SearchUserHost.exe	52
PID 1208 wrote to memory of 1012	1208	cmd.exe	54
PID 1208 wrote to memory of 1012	1208	cmd.exe	54
PID 1208 wrote to memory of 1012	1208	cmd.exe	54
PID 3064 wrote to memory of 992	3064	SearchUserHost.exe	55
PID 3064 wrote to memory of 992	3064	SearchUserHost.exe	55
PID 3064 wrote to memory of 992	3064	SearchUserHost.exe	55
PID 992 wrote to memory of 2116	992	cmd.exe	57
PID 992 wrote to memory of 2116	992	cmd.exe	57
PID 992 wrote to memory of 2116	992	cmd.exe	57
PID 3064 wrote to memory of 2484	3064	SearchUserHost.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\hehwbylbhl.exe
    "C:\Users\Admin\AppData\Local\Temp\hehwbylbhl.exe" "C:\Users\Admin\AppData\Local\Temp\dqdivwwgfy.exe" "C:\Users\Admin\AppData\Local\Temp\2025-03-30_222f7516c7424f05fd0cbbcbdf25cd0b_amadey_rhadamanthys_smoke-loader.exe"
    3⤵
    - Executes dropped EXE
    PID:2880
- - C:\Users\Admin\AppData\Local\Temp\gnfvevcsup.exe
    C:\Users\Admin\AppData\Local\Temp\gnfvevcsup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\System32\cmd.exe
      /c sc config msdtc obj= LocalSystem
      4⤵
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Windows\system32\sc.exe
        
        sc config msdtc obj= LocalSystem
        5⤵
        Launches sc.exe
        
        PID:1540
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1srJ3s8e.bat"
      4⤵
      PID:2876
  - - C:\Windows\System32\bindsvc.exe
      "C:\Windows\System32\bindsvc.exe"
      4⤵
      Executes dropped EXE
      PID:2864
- C:\Windows\System32\wscript.exe
  C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs C:\Users\Admin\AppData\Roaming\Microsoft\Word
  2⤵
  PID:1412
- C:\Windows\System32\wscript.exe
  C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs C:\Users\Admin\AppData\Roaming\Microsoft\Word
  2⤵
  PID:1504

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\system32\SearchUserHost.exe
  C:\Windows\system32\SearchUserHost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\cmd.exe
    /c systeminfo
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2396
- - C:\Windows\system32\cmd.exe
    /c "tasklist /v"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\system32\tasklist.exe
      tasklist /v
      4⤵
      Enumerates processes with tasklist
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2172
- - C:\Windows\system32\cmd.exe
    /c "netstat -ano"
    3⤵
    - System Network Connections Discovery
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1012
- - C:\Windows\system32\cmd.exe
    /c "ipconfig /all"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2116
- - C:\Windows\system32\cmd.exe
    /c "route print"
    3⤵
    PID:2484
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:2452
- - C:\Windows\system32\cmd.exe
    /c "arp -a"
    3⤵
    - Network Service Discovery
    PID:2488
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:2544
- - C:\Windows\system32\cmd.exe
    /c "tasklist /m msfte.dll"
    3⤵
    PID:860
  - - C:\Windows\system32\tasklist.exe
      tasklist /m msfte.dll
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1200
- - C:\Windows\system32\cmd.exe
    /c "net share"
    3⤵
    PID:1672
  - - C:\Windows\system32\net.exe
      net share
      4⤵
      PID:2676
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 share
        5⤵
        
        PID:1676
- - C:\Windows\system32\cmd.exe
    /c "ping server"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2512
  - - C:\Windows\system32\PING.EXE
      ping server
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1716
- - C:\Windows\system32\cmd.exe
    /c "sc query hfile.sys"
    3⤵
    PID:2188
  - - C:\Windows\system32\sc.exe
      sc query hfile.sys
      4⤵
      Launches sc.exe
      PID:2012
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1416
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 548 552 560 65536 556
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
79749c7fe72befefcfd9750d739ef1c4

SHA1
5f37d85b1b55876c3261c888c01f845461abee12

SHA256
920f4c5f40f9ccbddfbaac83cce0056a7b3f165cee9d08f2680cb3f1406db806

SHA512
fc84a9724b2b4075a50a987dc1c504b56af7a99450709c3e95b82511339292b17897b436d4b5960aacb9bfe93fdac83a43b63fb0b107cbfaede698a5216ae89a

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
882379cee1da98a3a501b93c6d3d634f

SHA1
74b6e239d37534304d857375a70a4027541c9fc6

SHA256
2f9b27fd73065e413914ded5a05c922bfb8b8bf486b6b4dc3324b56468bc6549

SHA512
4da49d39b835ad49d1ed181c87943daddf4f053a747431ea312a0054d7f869dd33a0b42c1271506db2524f16d482107d815b03e0d7de1b1290ccc4a21f0baf16

Download Submit
C:\Users\Admin\AppData\Local\Temp\1srJ3s8e.bat

Filesize
196B

MD5
adbd4137cf10df7c5da989efb43c028b

SHA1
6e0521977a9412404a550ef5ecc692e9eb6ced7a

SHA256
256b9cf95ca2e3d2f0cd7c8ee7676609e563e26858e50feb1a4017359f1a0059

SHA512
c7d3bffa1ad458ffd915e5dcb3117151b1861d5cb1cb38ec60e667ea8cd0d9b8a9ab98f877997055c439c16b2c2a159c00ddbbe500e9c55fb3a87ae8ccfdc08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNLOCK~1.ZIP

Filesize
14KB

MD5
0b5757c71fc596a8094d17698c78aca6

SHA1
016486c7f39530850d67a7c9368258672113fe95

SHA256
b34eba18ab56cd4269f48d80ce0d086a2433b1465a21c35672423349bf37d714

SHA512
ea42132640276238c2b23365cd6ebc8adf458c16e7fd010fb1dfe152b2a5a457809c2548881803a544b07cc818057f99763315b64568083b4ba4697eb2c2b693

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\MediaCache\ramdisk.sdb

Filesize
874B

MD5
559c817e6101929bb05d491cfa0e16c9

SHA1
eb4675a5609b04c38cf3f4b98da21ff31e8abd91

SHA256
d733fd353548346ea54d955fff1b68eccc28175792d458f58a8837543188dd1f

SHA512
b83f07e2a9e88e08391c05888338c1ceed7ff0b23f773bcce6a8f4369799c66cb4bac8d3b8d65813e43405db6bbf9876bb2f72e2a0d2fd08be5d29c457d2bf0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\MediaCache\ramdisk.sdb

Filesize
2KB

MD5
2db4cd25983dfecb924c9a0676dc7855

SHA1
033aefd89629a3230e5d3345075c2775f55c7d1c

SHA256
c4e20d534a4fbc7dc0590e95eb53a9757d6f78fe22c04c2a20976ca5f5e08212

SHA512
bd3b915f14d40fc21e5dc1306c7ab67bc4317896538ff91ad8c9cdc2f86afe12a7c79a10ec7a74fdedfb6581d04ad1ac8d92c0584ebab327a8023266e4c6635b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\trnmg.sdb

Filesize
1KB

MD5
42e8e61405e70e779ad7c7ec596505aa

SHA1
28facb5d2ee0f5cabdc7843a7c988dd7ebba3458

SHA256
1b93e00ae33c6298a9b74d31aa5f1ef6215c5f716bd2649ceb908ceacc0f2097

SHA512
11e08b28474a7b8865bb006a2dde000d8a84d6b0f16e394812154d08dd07b9a68bd5b79f07624b3d0f17192deb6b8150dc6ab649e81aceb56fe398a92880855e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\SearchJoin.docx

Filesize
15KB

MD5
d30ef127892a41540125e4db7c137510

SHA1
a45447c4cb6b2307a775bfba6432bd24a1a2bf44

SHA256
b73c91669449edd0ec20a7e0cf56cac43df02bb34c9a418522d9721812dc2fd6

SHA512
7b51058206f976f517b39604fb9474d5780a355d3512e053156599785a32eb19b5ddce774f524b940151e2e21cc0698a0f7be4bf23980e94027bba9de74d63c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\SearchJoin.txt

Filesize
4KB

MD5
4fed2feee23ba81e77e0c494cbc79701

SHA1
99b046d55357644a8040e7f5c0a3e6afdac46e15

SHA256
6b45ebdf1066b8ae05bed488d65ac4c0caa2d29ae70751e78e77fe6a2ab38b52

SHA512
9f6f84fb55c74fc2d4d8afcd13b918b0fd793db9acfaa81398a65baa9fb9391d33588d8258b235cb006bbb3d1f0f15f721b509b3ce66676868c51db1aa263e2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\UnlockBlock.txt

Filesize
2KB

MD5
ad417e7075ab64293e1bf15149a4f805

SHA1
b2977a18575d6b0ef87f4a77cc373f807bcdfee8

SHA256
77ff6c367416ebcb31f68263b5b2556e8d8639da1769d1c9428f3443bd9c250e

SHA512
fc904beaacee00b153c75fdbce85762cbb2491b8e8fb70526f3c6c4a58b4f13b416a990a907586a67fa46f5eaf73ac21c074326aff04dd5706423b67f2327e62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs

Filesize
1KB

MD5
3439318cedcf37c1bf5fe6d49ddbb2cb

SHA1
e075965bb3b38abdd80668fb6101a0d10b30f080

SHA256
6484a02c2db6c9afb5659ede4047cad10b7102c2bbc4c94bf8482f88d8fd83a8

SHA512
3dffcf24b052a7fffd50ab6c76d081b1c47ba64c20f21650e4bdcf19106518e8b342691711230ba9eea5489994b8ccec8ad11f54b1509b1cd518616254176b61

Download Submit
C:\Windows\System32\SearchUserHost.exe

Filesize
244KB

MD5
42ec9065d9bf266ade924b066c783a56

SHA1
a8dcf7d63a8bb5abef8787775957a5bb6c0f3f77

SHA256
4ac002e90a52cb0998da78f2995294ee77b89fb2be709b0e3c8e1627212bccdc

SHA512
e49af43aef3f02397098821b81e034ee1f07f8c2f49a9a1768d1522bbc009103a2c88f436f488333f57c7d56b34acbee84588040f56382cc75eaddbb9db19980

Download Submit
C:\Windows\system32\msfte.dll

Filesize
217KB

MD5
d7ddfd90c55ad42200b2a7e51110ad87

SHA1
0c9429f0b51a73423de4cb0ecf10fd3b3bacd84d

SHA256
4fdc7aacb3981434e797106944f27a507201d11cdf194b3fab79747ce98f2446

SHA512
8ba6cd56ce6aeae9481154e93b75d8712e854a19c60f6279abf721c2550a09d9f22cb410a5cc3062d59f17cde35e728d250129abe60f29321a16df7d2fb9c179

Download Submit
\Users\Admin\AppData\Local\Temp\gnfvevcsup.exe

Filesize
580KB

MD5
2c2029588ad8b86759c17b7ae885ee03

SHA1
91653b5344d4c210201218e2f215dd5228d76799

SHA256
3ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290

SHA512
88531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f

Download Submit
\Users\Admin\AppData\Local\Temp\hehwbylbhl.exe

Filesize
51KB

MD5
e48b89715bf5e4c55eb5a1fed67865d9

SHA1
89a287da39e14b02cdc284eb287549462346d724

SHA256
c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e

SHA512
4bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c

Download Submit
\Windows\System32\bindsvc.exe

Filesize
291KB

MD5
7c5b397fb54d5aa06bd2a6fb99c62fee

SHA1
a9e0bf7bbabf6ab9e294156985537ae972ebd743

SHA256
d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee

SHA512
daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c

Download Submit
memory/1152-35-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2288-346-0x0000000003E20000-0x0000000003E28000-memory.dmp

Filesize
32KB

Download
memory/2288-43-0x0000000001B80000-0x0000000001B90000-memory.dmp

Filesize
64KB

Download
memory/2288-103-0x0000000003020000-0x0000000003028000-memory.dmp

Filesize
32KB

Download
memory/2288-94-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/2288-92-0x0000000002FD0000-0x0000000002FD8000-memory.dmp

Filesize
32KB

Download
memory/2288-86-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

Filesize
4KB

Download
memory/2288-396-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/2288-85-0x0000000003010000-0x0000000003018000-memory.dmp

Filesize
32KB

Download
memory/2288-300-0x0000000003330000-0x0000000003338000-memory.dmp

Filesize
32KB

Download
memory/2288-366-0x0000000004D20000-0x0000000004D28000-memory.dmp

Filesize
32KB

Download
memory/2288-328-0x0000000003910000-0x0000000003918000-memory.dmp

Filesize
32KB

Download
memory/2288-356-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

Filesize
4KB

Download
memory/2288-347-0x0000000003B80000-0x0000000003B81000-memory.dmp

Filesize
4KB

Download
memory/2288-59-0x0000000001C80000-0x0000000001C90000-memory.dmp

Filesize
64KB

Download
memory/2288-354-0x0000000003B80000-0x0000000003B88000-memory.dmp

Filesize
32KB

Download
memory/2288-355-0x0000000003FB0000-0x0000000003FB8000-memory.dmp

Filesize
32KB

Download
memory/2316-16-0x00000000035E0000-0x000000000375A000-memory.dmp

Filesize
1.5MB

Download
memory/2316-304-0x00000000035E0000-0x000000000375A000-memory.dmp

Filesize
1.5MB

Download
memory/2744-24-0x0000000000AC0000-0x0000000000C3A000-memory.dmp

Filesize
1.5MB

Download
memory/2744-278-0x0000000000AC0000-0x0000000000C3A000-memory.dmp

Filesize
1.5MB

Download