5bb314b25061f56152e69b96ce60ff0cdde1e9fa92accfa56aa64e15fee506d8

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe
Size

8.0MB
MD5

721a90101f7ce597a9fa16501def6950
SHA1

f14e6a307a929e8e6a17d9e4ec0a3d388dae01b8
SHA256

5bb314b25061f56152e69b96ce60ff0cdde1e9fa92accfa56aa64e15fee506d8
SHA512

70960ab66b7084dce11632f4f0230d98798f372d046fbcc39c78690d85f101cc0ceff91f5dd997aa314ed38cca36d74606305719c4e32b4699c99f03825aa3dc
SSDEEP

98304:nCHNToqTB3xuPzVXAhN0EczQqzaAzganpL8UHdCHNcFLOAkGkzdnEVomFHKnP0:nC9sPJ3zQqLCOFLOyomFHKnP0

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2948	ysybneppiq.exe
2736	bneuknmxqm.exe
1992	SearchUserHost.exe
1236	Explorer.EXE
2616	bindsvc.exe

Loads dropped DLL 12 IoCs

pid	Process
2676	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe
2676	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe
2676	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe
2676	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe
2824	SearchIndexer.exe
2824	SearchIndexer.exe
2824	SearchIndexer.exe
1992	SearchUserHost.exe
1076	SearchProtocolHost.exe
2736	bneuknmxqm.exe
2736	bneuknmxqm.exe
2980	SearchFilterHost.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2280	cmd.exe
1872	ARP.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchUserHost.exe	SearchIndexer.exe
File created	C:\Windows\system32\oci.dll	bneuknmxqm.exe
File created	C:\Windows\System32\bindsvc.exe	bneuknmxqm.exe
File created	C:\Windows\SysWOW64\racfg.exe	bneuknmxqm.exe
File created	C:\Windows\SysWOW64\bindsvc.exe	bneuknmxqm.exe
File created	C:\Windows\system32\msfte.dll	bneuknmxqm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe
File created	C:\Windows\SysWOW64\wideshut.exe	bneuknmxqm.exe
File opened for modification	C:\Windows\SysWOW64\wideshut.exe	bneuknmxqm.exe
File created	C:\Windows\SysWOW64\wimsvc.exe	bneuknmxqm.exe
File created	C:\Windows\system32\SearchUserHost.exe	SearchIndexer.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2676	tasklist.exe
2148	tasklist.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000019397-17.dat	upx
behavioral1/memory/2676-16-0x0000000002B00000-0x0000000002C7A000-memory.dmp	upx
behavioral1/memory/2736-291-0x0000000001210000-0x000000000138A000-memory.dmp	upx
behavioral1/memory/2736-307-0x0000000001210000-0x000000000138A000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2352	sc.exe
2484	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bneuknmxqm.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2100	cmd.exe
2204	PING.EXE

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2932	cmd.exe
2740	NETSTAT.EXE

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2740	NETSTAT.EXE
1360	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2928	systeminfo.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\miguiresource.dll,-202 = "Schedule computer tasks to run automatically."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-105 = "Koala"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 = "Math Input Panel"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\sud.dll,-10 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Burn pictures and video to DVD."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\FXSRESM.dll,-114 = "Windows Fax and Scan"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10057 = "Minesweeper"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32820 = "Indexed Locations"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\odbcint.dll,-1310 = "Data Sources (ODBC)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Learn about Windows features and start using them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Sidebar\sidebar.exe,-1012 = "Add Desktop Gadgets that display personalized slideshows, news feeds, and other customized information."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-588 = "Windows Easy Transfer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10021 = "Performance Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10306 = "Overturn blank squares and avoid those that conceal hidden mines in this simple game of memory and reasoning. Once you click on a mine, the game is over."	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 010000000000000080c069d98ea1db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msinfo32.exe,-100 = "System Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\dfrgui.exe,-103 = "Disk Defragmenter"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000 = "Sync Center"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\NetProjW.dll,-501 = "Connect to a Network Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10302 = "Compete with - and against - online opponents at the classic trick-taking, partnership card game of Spades. Score the most points to win."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-4 = "Windows Media Player"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\msconfig.exe,-1601 = "Perform advanced troubleshooting and system configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\mip.exe,-292 = "Math Input Panel"	SearchProtocolHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2204	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2824	SearchIndexer.exe
2824	SearchIndexer.exe
1992	SearchUserHost.exe
2676	tasklist.exe
2676	tasklist.exe
2736	bneuknmxqm.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1236	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2824	SearchIndexer.exe
Token: 33	2824	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2824	SearchIndexer.exe
Token: SeDebugPrivilege	2676	tasklist.exe
Token: SeDebugPrivilege	2740	NETSTAT.EXE
Token: SeDebugPrivilege	2148	tasklist.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe
Token: SeDebugPrivilege	1992	SearchUserHost.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1076	SearchProtocolHost.exe
1076	SearchProtocolHost.exe
1076	SearchProtocolHost.exe
1076	SearchProtocolHost.exe
1076	SearchProtocolHost.exe
1076	SearchProtocolHost.exe
1076	SearchProtocolHost.exe
1076	SearchProtocolHost.exe
1076	SearchProtocolHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe
1992	SearchUserHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2948	2676	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	30
PID 2676 wrote to memory of 2948	2676	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	30
PID 2676 wrote to memory of 2948	2676	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	30
PID 2676 wrote to memory of 2948	2676	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	30
PID 2676 wrote to memory of 2736	2676	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	31
PID 2676 wrote to memory of 2736	2676	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	31
PID 2676 wrote to memory of 2736	2676	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	31
PID 2676 wrote to memory of 2736	2676	2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe	31
PID 2824 wrote to memory of 1992	2824	SearchIndexer.exe	33
PID 2824 wrote to memory of 1992	2824	SearchIndexer.exe	33
PID 2824 wrote to memory of 1992	2824	SearchIndexer.exe	33
PID 1992 wrote to memory of 1236	1992	SearchUserHost.exe	21
PID 1236 wrote to memory of 2000	1236	Explorer.EXE	34
PID 1236 wrote to memory of 2000	1236	Explorer.EXE	34
PID 1236 wrote to memory of 2000	1236	Explorer.EXE	34
PID 2824 wrote to memory of 1076	2824	SearchIndexer.exe	35
PID 2824 wrote to memory of 1076	2824	SearchIndexer.exe	35
PID 2824 wrote to memory of 1076	2824	SearchIndexer.exe	35
PID 1992 wrote to memory of 1568	1992	SearchUserHost.exe	36
PID 1992 wrote to memory of 1568	1992	SearchUserHost.exe	36
PID 1992 wrote to memory of 1568	1992	SearchUserHost.exe	36
PID 2824 wrote to memory of 2980	2824	SearchIndexer.exe	38
PID 2824 wrote to memory of 2980	2824	SearchIndexer.exe	38
PID 2824 wrote to memory of 2980	2824	SearchIndexer.exe	38
PID 1568 wrote to memory of 2928	1568	cmd.exe	39
PID 1568 wrote to memory of 2928	1568	cmd.exe	39
PID 1568 wrote to memory of 2928	1568	cmd.exe	39
PID 1236 wrote to memory of 824	1236	Explorer.EXE	41
PID 1236 wrote to memory of 824	1236	Explorer.EXE	41
PID 1236 wrote to memory of 824	1236	Explorer.EXE	41
PID 1992 wrote to memory of 2780	1992	SearchUserHost.exe	43
PID 1992 wrote to memory of 2780	1992	SearchUserHost.exe	43
PID 1992 wrote to memory of 2780	1992	SearchUserHost.exe	43
PID 2780 wrote to memory of 2676	2780	cmd.exe	45
PID 2780 wrote to memory of 2676	2780	cmd.exe	45
PID 2780 wrote to memory of 2676	2780	cmd.exe	45
PID 1992 wrote to memory of 2932	1992	SearchUserHost.exe	46
PID 1992 wrote to memory of 2932	1992	SearchUserHost.exe	46
PID 1992 wrote to memory of 2932	1992	SearchUserHost.exe	46
PID 2932 wrote to memory of 2740	2932	cmd.exe	48
PID 2932 wrote to memory of 2740	2932	cmd.exe	48
PID 2932 wrote to memory of 2740	2932	cmd.exe	48
PID 1992 wrote to memory of 2564	1992	SearchUserHost.exe	49
PID 1992 wrote to memory of 2564	1992	SearchUserHost.exe	49
PID 1992 wrote to memory of 2564	1992	SearchUserHost.exe	49
PID 2564 wrote to memory of 1360	2564	cmd.exe	51
PID 2564 wrote to memory of 1360	2564	cmd.exe	51
PID 2564 wrote to memory of 1360	2564	cmd.exe	51
PID 1992 wrote to memory of 2012	1992	SearchUserHost.exe	52
PID 1992 wrote to memory of 2012	1992	SearchUserHost.exe	52
PID 1992 wrote to memory of 2012	1992	SearchUserHost.exe	52
PID 2012 wrote to memory of 656	2012	cmd.exe	54
PID 2012 wrote to memory of 656	2012	cmd.exe	54
PID 2012 wrote to memory of 656	2012	cmd.exe	54
PID 1992 wrote to memory of 2280	1992	SearchUserHost.exe	55
PID 1992 wrote to memory of 2280	1992	SearchUserHost.exe	55
PID 1992 wrote to memory of 2280	1992	SearchUserHost.exe	55
PID 2280 wrote to memory of 1872	2280	cmd.exe	57
PID 2280 wrote to memory of 1872	2280	cmd.exe	57
PID 2280 wrote to memory of 1872	2280	cmd.exe	57
PID 1992 wrote to memory of 2392	1992	SearchUserHost.exe	58
PID 1992 wrote to memory of 2392	1992	SearchUserHost.exe	58
PID 1992 wrote to memory of 2392	1992	SearchUserHost.exe	58
PID 2392 wrote to memory of 2148	2392	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\ysybneppiq.exe
    "C:\Users\Admin\AppData\Local\Temp\ysybneppiq.exe" "C:\Users\Admin\AppData\Local\Temp\astylhblud.exe" "C:\Users\Admin\AppData\Local\Temp\2025-03-30_721a90101f7ce597a9fa16501def6950_amadey_black-basta_luca-stealer_rhadamanthys_smoke-loader.exe"
    3⤵
    - Executes dropped EXE
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\bneuknmxqm.exe
    C:\Users\Admin\AppData\Local\Temp\bneuknmxqm.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2736
  - - C:\Windows\System32\cmd.exe
      /c sc config msdtc obj= LocalSystem
      4⤵
      PID:1988
    - - C:\Windows\system32\sc.exe
        
        sc config msdtc obj= LocalSystem
        5⤵
        Launches sc.exe
        
        PID:2352
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\BECIaRca.bat"
      4⤵
      PID:2844
  - - C:\Windows\System32\bindsvc.exe
      "C:\Windows\System32\bindsvc.exe"
      4⤵
      Executes dropped EXE
      PID:2616
- C:\Windows\System32\wscript.exe
  C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs C:\Users\Admin\AppData\Roaming\Microsoft\Word
  2⤵
  PID:2000
- C:\Windows\System32\wscript.exe
  C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs C:\Users\Admin\AppData\Roaming\Microsoft\Word
  2⤵
  PID:824

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\system32\SearchUserHost.exe
  C:\Windows\system32\SearchUserHost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\system32\cmd.exe
    /c systeminfo
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2928
- - C:\Windows\system32\cmd.exe
    /c "tasklist /v"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\system32\tasklist.exe
      tasklist /v
      4⤵
      Enumerates processes with tasklist
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2676
- - C:\Windows\system32\cmd.exe
    /c "netstat -ano"
    3⤵
    - System Network Connections Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2740
- - C:\Windows\system32\cmd.exe
    /c "ipconfig /all"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1360
- - C:\Windows\system32\cmd.exe
    /c "route print"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:656
- - C:\Windows\system32\cmd.exe
    /c "arp -a"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:1872
- - C:\Windows\system32\cmd.exe
    /c "tasklist /m msfte.dll"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\system32\tasklist.exe
      tasklist /m msfte.dll
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2148
- - C:\Windows\system32\cmd.exe
    /c "net share"
    3⤵
    PID:2440
  - - C:\Windows\system32\net.exe
      net share
      4⤵
      PID:2448
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 share
        5⤵
        
        PID:2400
- - C:\Windows\system32\cmd.exe
    /c "ping server"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2100
  - - C:\Windows\system32\PING.EXE
      ping server
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2204
- - C:\Windows\system32\cmd.exe
    /c "sc query hfile.sys"
    3⤵
    PID:1812
  - - C:\Windows\system32\sc.exe
      sc query hfile.sys
      4⤵
      Launches sc.exe
      PID:2484
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1076
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 548 552 560 65536 556
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
e0707a7fc169d2dafee527a575942dd4

SHA1
9934b6f171208092a010f8b5437a9023a50a489e

SHA256
1dad898b201bbca3ba2484872447d1e184522c88178e4da6d9a374920980fb20

SHA512
7c863def97ce71dd123070a2d0b63e9787c0e5671f552eced86fac5fdbb082adbf895d94e88b731e48f9ff2de8d7f03a7ade02113e84577eb50c1a638508b23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BECIaRca.bat

Filesize
196B

MD5
8780de43715ddf5883fa63d8b44f29e1

SHA1
d1e945562d11c38b770b49adf66a89d1b5130664

SHA256
957d55c87b0a1947cceba2b5ef873f046757221d5f5caca8428e6abfe17cfedf

SHA512
e67c03719f5f90a800884c682c72bd4b09c29cc08d6eec7d02b51a510c43be3df9b46fb7b42cfc5a09099cb166e86811b7231b3f1f455b485a867572b17e864a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SHOWRE~1.ZIP

Filesize
19KB

MD5
e838e0ae057957e7335bbdf770a302ac

SHA1
eac8094aea0ad72358bec6289026f19b9d7ac9ce

SHA256
79ccd3c2e3f000b69508c56c6f110009e76693e3f0994eaebebda6f2f9a29e87

SHA512
38eadcfb22c019658e774bc6daab1b762677fadb2e1ea953a039b26c7a39ade9a666c7db834fd75a3a3a081564e78b9951edc95e8ca37b8ac0fc4d62a8c687dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bneuknmxqm.exe

Filesize
580KB

MD5
2c2029588ad8b86759c17b7ae885ee03

SHA1
91653b5344d4c210201218e2f215dd5228d76799

SHA256
3ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290

SHA512
88531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\MediaCache\ramdisk.sdb

Filesize
870B

MD5
fc04ffefa5c4aa784d4a02545cc594ed

SHA1
bab9f8f742753d59e87a079dc84502f20e1b4fc6

SHA256
3ee48a20bdc740cb52f8aa39c78dd400163d04a284405aac54f43a73cdacba55

SHA512
c28dba1fe093d2c8431f08d92aab6497432c3d6f6383d3c291e83914c2996b0a1f495e253a2e9bd2cd4f8faff832b1a1f9142dbe5a73419c2dd103285cfb0ba6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\MediaCache\ramdisk.sdb

Filesize
2KB

MD5
c9a5694fd3464d4fc20c6254a1f65129

SHA1
182f9dcd021d6aff154dab4efd318bdccbe3a677

SHA256
f17b22aab9002328414e98ec0e3f10e8caef65fe395fa27b05e22adec19a9aca

SHA512
19c5fdb9c3f6f4481d501dbe5dd00c1a4b902f1cd8af3221479aa95f32fced584b478b3ea302bd7b6bfe7a6c8b700a1742babfd9999acf9e55c337ade479787c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\trnmg.sdb

Filesize
1KB

MD5
7d34761fcb40f7e7a1c05b117bc31ed2

SHA1
29e76764cfa4b2e3ee2fadda494009eb777ab903

SHA256
43b8712bda95a57cb01a53fa27bcb686d338c5a18151730aa2d1a0b92b4c2fc8

SHA512
61499acfab3344ca912747036a8e5bd4d96bbc425c48fbb3cea0f1a3951020f46c54580c66530e74b6885ad8a11ad27fb494ab3f39fa4cbc472e73566c22ee77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\CompressOut.docx

Filesize
21KB

MD5
dc158ccbfc59fababa5d7c8c62330a5e

SHA1
1978b8f0975e7e4b43b8e5298a511862063b1259

SHA256
65571caeb2036126503aa58f5e4edc17496c478a6a5d57bbbcf22a219fb3b0f4

SHA512
0ed53663adfc81f0c4d220b1f90062ac10707c8c6a578bf5f401ed48101c39eed4b4f498d095fef454883bddc2fee7442c0c1f2b6d35aebb8b3ad94826a695d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\CompressOut.txt

Filesize
12KB

MD5
6073de706a831579585729d655b92a2a

SHA1
28c2f620de1370b71172f44aeb766c96a0077c23

SHA256
0f142d81f197d5ab87f92eb16cd8f1743e794f4949ffa2d4b8587357544b1a8c

SHA512
729b8d52460815e64fb2b4d7c775ab4b0824d0a4b33aee9ee359c8537010318bbc42337cf7c9ed6abdc446a56dffd074da4f19c14b4b718af256c9d6e942acd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\ShowResume.txt

Filesize
9KB

MD5
b0086ba85fad3a39ff739a30bbfb3e2a

SHA1
86bf14124de26b38e5fb54368c506838715399f1

SHA256
1c3aa62fcbce269fdef46fa1162e7dbf9c87a01fa44cf213aa1f77c6887f22e7

SHA512
b79820c8d28da0105724a2a86a76aadcc4c3cbc66d0b859a64e554e7ef668181087160afad61426d84b0ab2a89e27a55542400c1ef63337313641c00235103fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs

Filesize
1KB

MD5
3439318cedcf37c1bf5fe6d49ddbb2cb

SHA1
e075965bb3b38abdd80668fb6101a0d10b30f080

SHA256
6484a02c2db6c9afb5659ede4047cad10b7102c2bbc4c94bf8482f88d8fd83a8

SHA512
3dffcf24b052a7fffd50ab6c76d081b1c47ba64c20f21650e4bdcf19106518e8b342691711230ba9eea5489994b8ccec8ad11f54b1509b1cd518616254176b61

Download Submit
C:\Windows\System32\SearchUserHost.exe

Filesize
244KB

MD5
42ec9065d9bf266ade924b066c783a56

SHA1
a8dcf7d63a8bb5abef8787775957a5bb6c0f3f77

SHA256
4ac002e90a52cb0998da78f2995294ee77b89fb2be709b0e3c8e1627212bccdc

SHA512
e49af43aef3f02397098821b81e034ee1f07f8c2f49a9a1768d1522bbc009103a2c88f436f488333f57c7d56b34acbee84588040f56382cc75eaddbb9db19980

Download Submit
C:\Windows\System32\bindsvc.exe

Filesize
291KB

MD5
7c5b397fb54d5aa06bd2a6fb99c62fee

SHA1
a9e0bf7bbabf6ab9e294156985537ae972ebd743

SHA256
d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee

SHA512
daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c

Download Submit
C:\Windows\system32\msfte.dll

Filesize
217KB

MD5
d7ddfd90c55ad42200b2a7e51110ad87

SHA1
0c9429f0b51a73423de4cb0ecf10fd3b3bacd84d

SHA256
4fdc7aacb3981434e797106944f27a507201d11cdf194b3fab79747ce98f2446

SHA512
8ba6cd56ce6aeae9481154e93b75d8712e854a19c60f6279abf721c2550a09d9f22cb410a5cc3062d59f17cde35e728d250129abe60f29321a16df7d2fb9c179

Download Submit
\Users\Admin\AppData\Local\Temp\ysybneppiq.exe

Filesize
51KB

MD5
e48b89715bf5e4c55eb5a1fed67865d9

SHA1
89a287da39e14b02cdc284eb287549462346d724

SHA256
c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e

SHA512
4bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c

Download Submit
memory/1236-34-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2676-16-0x0000000002B00000-0x0000000002C7A000-memory.dmp

Filesize
1.5MB

Download
memory/2736-291-0x0000000001210000-0x000000000138A000-memory.dmp

Filesize
1.5MB

Download
memory/2736-307-0x0000000001210000-0x000000000138A000-memory.dmp

Filesize
1.5MB

Download
memory/2824-328-0x0000000003A60000-0x0000000003A68000-memory.dmp

Filesize
32KB

Download
memory/2824-347-0x00000000054B0000-0x00000000054B8000-memory.dmp

Filesize
32KB

Download
memory/2824-58-0x0000000001D50000-0x0000000001D60000-memory.dmp

Filesize
64KB

Download
memory/2824-91-0x00000000014D0000-0x00000000014D8000-memory.dmp

Filesize
32KB

Download
memory/2824-93-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/2824-85-0x00000000014D0000-0x00000000014D1000-memory.dmp

Filesize
4KB

Download
memory/2824-273-0x00000000033B0000-0x00000000033B8000-memory.dmp

Filesize
32KB

Download
memory/2824-84-0x0000000001510000-0x0000000001518000-memory.dmp

Filesize
32KB

Download
memory/2824-42-0x0000000001C50000-0x0000000001C60000-memory.dmp

Filesize
64KB

Download
memory/2824-102-0x00000000016A0000-0x00000000016A8000-memory.dmp

Filesize
32KB

Download
memory/2824-348-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/2824-355-0x00000000054A0000-0x00000000054A8000-memory.dmp

Filesize
32KB

Download
memory/2824-357-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/2824-363-0x0000000005010000-0x0000000005018000-memory.dmp

Filesize
32KB

Download
memory/2824-391-0x0000000003AD0000-0x0000000003AD8000-memory.dmp

Filesize
32KB

Download
memory/2824-392-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download