gozi_rm3 | 26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14

Analysis

max time kernel
109s
max time network
145s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-06-2022 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
Size

238KB
MD5

c2cd821ccd6eec05ec67be3a99ba0f71
SHA1

916e018fe28774ef227e839b98dc0a85c13d64a3
SHA256

26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14
SHA512

8fbe6edcd6c58ec34815e5ba422cf335445a50a958de5758bcefa29fc9179a7fe9c31fb7f5d5c5f310304709496e7e64f539a25d907a349c1e15bf8861f3d548

Score

10^/10

gozi_rm3 banker discovery ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\!HELP_SOS.hta

Ransom Note

English Deutsch Italiano Português Español Français 한국어 Nederlands العربية فارسی 中文 The file is encrypted but can be restored Die Datei ist verschlüsselt, aber kann wiederhergestellt werden Il file è crittografato, ma può essere ripristinato O arquivo está criptografado, mas poderá ser descriptografado El archivo está encriptado pero puede ser restaurado Le fichier est crypté mais peut être restauré 파일은 암호화되었지만 복원 할 수 있습니다 Het bestand is versleuteld maar kan worden hersteld الملف مشفر لكن من الممكن إسترجاعه این فایل رمزگذاری شده است اما می تواند بازیابی شود 文件已被加密，但是可以解密 The file you tried to open and other important files on your computer were encrypted by "SAGE 2.0 Ransomware". Action required to restore your files. File recovery instructions You probably noticed that you can not open your files and that some software stopped working correctly. This is expected. Your files content is still there, but it was encrypted by "SAGE 2.0 Ransomware" . Your files are not lost, it is possible to revert them back to normal state by decrypting. The only way you can do that is by getting "SAGE Decrypter" software and your personal decryption key. Using any other software which claims to be able to restore your files will result in files being damaged or destroyed. You can purchase "SAGE Decrypter" software and your decryption key at your personal page you can access by following links: http://7gie6ffnkrjykggd.op7su2.com/ http://7gie6ffnkrjykggd.pe6zawc.com/ If you are asked for your personal key, copy it to the form on the site. This is your personal key: AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA You will also be able to decrypt one file for free to make sure "SAGE Decrypter" software is able to recover your files If none of those links work for you for a prolonged period of time or you need your files recovered as fast as possible, you can also access your personal page using "Tor Browser". In order to do that you need to: open Internet Explorer or any other internet browser; copy the address https://www.torproject.org/download/download-easy.html.en into address bar and press "Enter"; once the page opens, you will be offered to download Tor Browser, download it and run the installator, follow installation instructions; once installation is finished, open the newly installed Tor Browser and press the "Connect" button (button can be named differently if you installed non-English version); Tor Browser will establish connection and open a normal browser window; copy the address http://7gie6ffnkrjykggd.onion/login/AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA into this browser address bar and press "Enter"; your personal page should be opened now; if it didn't then wait for a bit and try again. If you can not perform this steps then check your internet connection and try again. If it still doesn't work, try asking some computer guy for help in performing this steps for you or look for some video guides on YouTube. You can find a copy of this instruction in files named "!HELP_SOS" stored next to your encrypted files. Anleitung zur Dateiwiederherstellung Sie haben sicherlich gemerkt, dass Sie Ihre Daten nicht öffnen können und dass Programme nicht mehr ordnungsgemäß funktionieren. Dies ist zu erwarten. Die Dateiinhalte existieren noch, aber wurden mit {us_enc}} verschlüsselt. Ihre Daten sind nicht verloren. Es ist möglich, sie mit Hilfe von Entschlüsselung in ihren Originalzustand zurückzuversetzen. Die einzige Möglichkeit das zu tun, ist die Verwendung von "SAGE Decrypter" Software und Ihr persönlicher Entschlüsselungskey. Das Verwenden von anderer Software, die angeblich ihre Daten wiederherstellen kann, wird dazu führen, dass Ihre Daten beschädigt oder zerstört werden. Sie können die "SAGE Decrypter" Software und Ihren Entschlüsselungskey auf Ihrer persönlichen Seite erwerben, indem Sie diesen Links folgen: http://7gie6ffnkrjykggd.op7su2.com/ http://7gie6ffnkrjykggd.pe6zawc.com/ Falls Sie nach ihrem persönlichen Key gefragt werden, kopieren Sie ihn in das Formular auf dieser Seite. Dies ist Ihr persönlicher Key: AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA Sie können eine Datei gratis entschlüssen, um sicher zu sein, dass die "SAGE Decrypter" Software ihre Daten wiederherstellen kann Falls keine dieser Links über einen längeren Zeitraum funktionieren sollten oder Sie Ihre Daten so schnell wie möglich wiederherstellen müssen, können Sie Ihre persönliche Seite mit Hilfe des "Tor Browser" aufrufen. Dazu benötigen Sie: Öffnen Sie den Internet Explorer oder einen anderen Internetbrowser; Kopieren Sie diese Adresse https://www.torproject.org/download/download-easy.html.en in die Adressleiste und drücken Sie "Enter"; So bald sich die Seite öffnet, wird Ihnen der Download des Tor Browser angeboten. Laden Sie ihn herunter und führen Sie die Installation aus, indem Sie den Installationsanweisungen folgen; Wenn die Installation abgeschlossen ist, öffnen Sie den soeben installierten Tor Browser und drücken Sie den "Connect" Knopf (Der Namen kann abweichen, falls Sie eine nicht-englische Version installiert haben); Tor Browser wird eine Verbindung herstellen und ein normales Browserfenster öffnen; Kopieren Sie die Adresse http://7gie6ffnkrjykggd.onion/login/AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA in die Browseradressleiste und drücken Sie "Enter"; Ihre persönliche Seite sollte sich nun geöffnet haben; falls nicht: Warten Sie eine Weile und versuchen Sie es erneut. Falls Sie nicht in der Lage sind, diese Schritte durchzuführen, überprüfen Sie Ihre Internetverbindung. Wenn es noch immer nicht funktioniert, fragen Sie jemanden, der sich mit Computern auskennt, um diese Schritte durchzuführen oder schauen Sie sich einige Videoanleitungen auf {a_youtube}} an. Sie finden eine Kopie dieser Anleitung in einer Datei namens "!HELP_SOS" neben Ihren verschlüsselten Daten. Istruzioni per il recupero dei file Probabilmente hai notato che non puoi più aprire i tuoi file e alcuni software hanno smesso di funzionare correttamente. Questo era previsto. I tuoi file si trovano ancora al loro posto, ma sono stati crittografati da "SAGE 2.0 Ransomware" . I tuoi file non sono persi, è possibile farli tornare al loro stato normale eseguendo una decrittazione. L'unico modo in cui è possibile farlo è scaricare il software "SAGE Decrypter" e la tua chiave personale di decrittazione. Utilizzando un qualsiasi altro software che sostiene di essere in grado di ripristinare i tuoi file, li danneggerà o distruggerà per sempre. È possibile acquistare il software "SAGE Decrypter" e la tua chiave di decrittazione nella tua pagina personale a cui puoi accedere dai seguenti collegamenti: http://7gie6ffnkrjykggd.op7su2.com/ http://7gie6ffnkrjykggd.pe6zawc.com/ Se viene richiesta la chiave personale, è possibile copiarla dal modulo del sito. Questa è la chiave personale: AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA Sarà anche possibile decriptare un file gratuitamente per assicurarsi che il software "SAGE Decrypter" sia in grado di recuperare i file Se nessuno dei collegamenti funziona per un periodo di tempo prolungato o è necessario ripristinare il prima possibile, è possibile accedere alla propria pagina personale anche utilizzando "Tor Browser". Per poterlo fare è necessario: aprire Internet Explorer o qualsiasi altro browser internet; copiare l'indirizzo https://www.torproject.org/download/download-easy.html.en nella barra degli indirizzi e premere "Enter"; una volta aperta la pagina, verrà offerta la possibilità di scaricare Tor Browser, scarica ed esegui il file seguendo le istruzioni di installazione; una volta completata l'installazione, aprire il nuovo Tor Browser e premere il pulsante "Connect" (il pulsante potrebbe avere un nome diverso se non si è installata la versione inglese); Tor Browser stabilirà una connessione e aprirà una normale finestra di navigazione; copiare l'indirizzo http://7gie6ffnkrjykggd.onion/login/AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA nella barra degli indirizzi del browser e premere "Enter"; ora dovrebbe essere possibile aprire la pagina personale; se così non fosse, attendere qualche istante e riprovare. Se non è possibile eseguire questo passaggio, controllare la connessione internet e riprovare. Se ancora non funziona, prova a chiedere se qualche esperto di computer può farlo al posto tuo oppure dai un'occhiata a qualche video guida su YouTube. Puoi trovare una copia di queste istruzioni nel file di nome "!HELP_SOS" conservato con i tuoi file criptati. Instruções sobre como recuperar os arquivos criptografado: Você já deve ter percebido que todos os seus arquivos não estão mais acessível e alguns dos seus programas não estão funcionando corretamente. Já era de se esperar! Os seus arquivos ainda estão salvos em seu computador, porém não estão acessível porque foram criptografados por "SAGE 2.0 Ransomware" . Os seus arquivos não foram deletados, é possível descriptografá-los. A única maneira de descriptografá-los é usando o programa, "SAGE Decrypter" e a sua chave de descriptografia pessoal. Ao tentar utilizar decodificadores de terceiros para tentar restaurar os seus arquivos, irar corromper todos os seus arquivos, podendo gerar danos irreversíveis. Você pode comprar o "SAGE Decrypter" e sua chave pessoal para decodificação nos seguintes links: http://7gie6ffnkrjykggd.op7su2.com/ http://7gie6ffnkrjykggd.pe6zawc.com/ Caso seja solicitado uma chave pessoal, copie e cole no formulário no site. Essa é a sua chave pessoal: AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA Você pode descriptografar um arquivo gratuitamente para ter certeza de que o "SAGE Decrypter", seja capaz de descriptografar todos os seus arquivos no seu computador. Se nenhum dos links estiver disponível no momento ou se você precisar com urgência dos seus arquivos, você também pode acessar a sua página pessoal usando o "Tor Browser". Instruções sobre como utilizá-lo: abra o Internet Explorer ou qualquer outro navegador; copie o endereço do https://www.torproject.org/download/download-easy.html.en e cole na barra de endereço em seu navegador e pressione "Enter"; quando a página for aberta em seguida, você verá as informações sobre o Navegador Tor e o link para download, abra o arquivo e siga as instruções de instalação; Quando a instalação estiver concluída, abra o Navegador Tor e pressione o botão "Connect"(o botão pode ter outro nome, se você instalou uma versão do programa que não seja em inglês); O Navegador Tor irá estabelecer uma conexão e, em seguida, abrirá uma janela no navegador; copie o endereço do http://7gie6ffnkrjykggd.onion/login/AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA e cole na barra de endereço do Navegador Tor, em seguida, pressione "Enter"; a sua página pessoal irá abrir em alguns instantes; caso a página não abra, aguarde um pouco e tente novamente. Se você não conseguir executar todas as etapas, certifique-se de que você está conectado à internet e tente novamente. Se você ainda tiver dificuldade para conectar, peça ajuda a um técnico de informática para auxiliá-lo no processo ou procure vídeos que possam ajudá-lo no YouTube. Você pode encontrar uma cópia do arquivo de instrução chamado "!HELP_SOS" salvo junto ao seus arquivos criptografados. Instrucciones para la recuperación de archivos Probablemente hayas notado que no puedes abrir tus archivos y que algunas aplicaciones dejaron de funcionar correctamente. Era de esperarse. El contenido de tus archivos aún está allí, pero fué encriptado por "SAGE 2.0 Ransomware" . Tus archivos no están perdidos, es posible regresarlos a su estado normal decodificándolos. La única forma de hacerlo es con el software "SAGE Decrypter" y su clave personal de descifrado. Usar cualquier otro software que asegure ser capaz de restaurar tus archivos resultará en un daño o destrucción de los archivos. Puedes comprar el software "SAGE Decrypter" y tu clave de descifrado en tu página personal que puedes accesar a través de los siguientes links: http://7gie6ffnkrjykggd.op7su2.com/ http://7gie6ffnkrjykggd.pe6zawc.com/ Si te es solicitada la clave personal, cópiala en el formulario del sitio. Esta es tu clave personal: AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA También podrás descifrar un archivo gratis para asegurarte que el software "SAGE Decrypter" es capaz de recuperar tus archivos Si ninguno de esos links te funciona por un tiempo prolongado o si necesitas recuperar tus archivos lo más rápido posible, también puedes accesar a tu página personal usando el "Tor Browser". Con la finalidad de hacerlo necesitas: abrir Internet Explorer o cualquier otro navegador de internet; copia la dirección https://www.torproject.org/download/download-easy.html.en en la barra de direcciones y presiona "Enter"; una vez que abra la página, le será ofrecida la descarga de Tor Browser, descárgalo y ejecuta el instalador, siguiendo las instrucciones de instalación; una vez culminada la instalación, abre el recien instalado Tor Browser y presione el botón "Connect" (el botón puede tener un nombre diferente dependiendo de la versión instalada); copia la dirección http://7gie6ffnkrjykggd.onion/login/AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA en la barra de direcciones del navegador y presiona "Enter"; tu página personal debería abrir ahora; si no lo hace, espera un momento e intenta de nuevo. Si no puedes hacer el procedimiento, chequea tu conexión a internet e inténtalo de nuevo. Si aún no funciona, intenta pidiéndole ayuda a un técnico de computación para seguir las instrucciones o mira algunos videos de ayuda en YouTube. Puedes encontrar una copia de estas instrucciones en los archivos llamados "!HELP_SOS" almacenados junto a tus archivos encriptados. Les instructions pour restaurer le fichier Vous avez sûrement remarqué que vous ne pouvez pas ouvrir vos fichiers et qu’un logiciel a arrêté de fonctionner correctement. C’est attendu. Le contenu de vos fichiers est encore disponible, mais il a été crypté par "SAGE 2.0 Ransomware" . Vos fichiers ne sont pas perdus, c’est possible de les récupérer et les avoir à l’état normal en les décryptant. La seule façon de le faire et en ayant le logiciel "SAGE Decrypter" et votre clé de décryptage. En utilisant un autre logiciel qui prétend pouvoir restaurer vos fichiers va endommager et détruir vos fichiers. Vous pouvez acheter le logiciel "SAGE Decrypter" et votre clé de décryptage sur votre profile auquel vous pouvez accéder en cliquant sur ce lien: http://7gie6ffnkrjykggd.op7su2.com/ http://7gie6ffnkrjykggd.pe6zawc.com/ Si vous êtes demandé de fournir votre clé, copiez la dans le formulaire du site. Voici votre clé personnelle: AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA Vous serez en mesure de décrypter un fichier gratuitement pour être sûre que le logiciel "SAGE Decrypter" est capable de restaurer vos fichiers Si aucun des liens ne marche pour vous pour une période prolongée ou si vous avez besoin de restaurer vos fichiers rapidement, vous pouvez accéder à votre profile en utilisant "Navigateut Tor". Pour le faire vous devez: Ouvrez Explorer ou n’importe quel autre navigateut; Copiez cette addresse https://www.torproject.org/download/download-easy.html.en dans la barre d’adresse et cliquez sur "Enterer"; Une fois que la page est ouverte, on va vous proposer de télécharger le navigateur Tor, Téléchargez-le et lancez l’installation, suivez les instructions d’installation ; Une fois l’installation faite, ouvrez votre nouveau navigateur Tor et appuyez sur le bouton "Connect" (Le bouton peut être nommé différemment si vous n’avez pas installé la version en anglais); Le navigateur Tor va établir une connection et ouvrir une fenêtre ordinaire de navigateur ; copiez l’adresse http://7gie6ffnkrjykggd.onion/login/AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA dans la barre d’adresse et cliquez sur "Entrer"; Votr

URLs

http://7gie6ffnkrjykggd.op7su2.com/

http://7gie6ffnkrjykggd.pe6zawc.com/

http://7gie6ffnkrjykggd.onion/login/AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA

http://7gie6ffnkrjykggd.onion/login/AWLuRCaH58mvGcf2v-zYdBx0xFCE8hpTIDqATpaXPhyTxLV3yKvujibA到浏览器的地址栏，然后按下"回车"键；

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Contacts a large (7701) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 6 IoCs

pid	Process
1972	Fm6kaSot.exe
520	Fm6kaSot.exe
860	Fm6kaSot.exe
1996	Fm6kaSot.exe
2328	Fm6kaSot.exe
2660	Fm6kaSot.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\BlockConnect.tiff... => C:\Users\Admin\Pictures\BlockConnect.tiff.sage	Fm6kaSot.exe
File created	C:\Users\Admin\Pictures\ConvertRestore.raw...	Fm6kaSot.exe
File opened for modification	C:\Users\Admin\Pictures\BlockConnect.tiff	Fm6kaSot.exe
File created	C:\Users\Admin\Pictures\BlockConnect.tiff...	Fm6kaSot.exe
File renamed	C:\Users\Admin\Pictures\ConvertRestore.raw... => C:\Users\Admin\Pictures\ConvertRestore.raw.sage	Fm6kaSot.exe

Deletes itself 1 IoCs

pid	Process
1704	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
1972	Fm6kaSot.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JGa.bmp"	Fm6kaSot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\Wallpaper	Fm6kaSot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1344	schtasks.exe
1600	schtasks.exe
1080	schtasks.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2800	vssadmin.exe
2420	vssadmin.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop	Fm6kaSot.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "362131773"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3A111191-ED4B-11EC-B8F5-F6DB027C05B2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT	Fm6kaSot.exe
Key created	\REGISTRY\USER\S-1-5-19	Fm6kaSot.exe
Key created	\REGISTRY\USER\S-1-5-20	Fm6kaSot.exe
Key created	\REGISTRY\USER\S-1-5-18	Fm6kaSot.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\sage.notice\DefaultIcon	Fm6kaSot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\sage.notice\FriendlyTypeName\ = "encrypted by SAGE"	Fm6kaSot.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\htafile\DefaultIcon	Fm6kaSot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\.sage\ = "sage.notice"	Fm6kaSot.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\sage.notice\shell	Fm6kaSot.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\htafile	Fm6kaSot.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\.sage	Fm6kaSot.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\sage.notice	Fm6kaSot.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\sage.notice\shell\open\command	Fm6kaSot.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\sage.notice\shell\open	Fm6kaSot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\sage.notice\DefaultIcon\ = "%WinDir%\\SysWow64\\shell32.dll,47"	Fm6kaSot.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\sage.notice\FriendlyTypeName	Fm6kaSot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\sage.notice\shell\open\command\ = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\f1.hta\" \"%1\""	Fm6kaSot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\htafile\DefaultIcon\ = "%WinDir%\\SysWow64\\shell32.dll,44"	Fm6kaSot.exe

Runs ping.exe 1 TTPs 35 IoCs

Remote System Discovery

T1018

pid	Process
864	PING.EXE
2572	PING.EXE
3056	PING.EXE
2180	PING.EXE
928	PING.EXE
1176	PING.EXE
1468	PING.EXE
2200	PING.EXE
1464	PING.EXE
1564	PING.EXE
2508	PING.EXE
2768	PING.EXE
268	PING.EXE
1664	PING.EXE
832	PING.EXE
2480	PING.EXE
2692	PING.EXE
2072	PING.EXE
864	PING.EXE
1472	PING.EXE
2104	PING.EXE
2948	PING.EXE
2000	PING.EXE
960	PING.EXE
2148	PING.EXE
2620	PING.EXE
2764	PING.EXE
2912	PING.EXE
1588	PING.EXE
2172	PING.EXE
2416	PING.EXE
2596	PING.EXE
2720	PING.EXE
2992	PING.EXE
3024	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1972	Fm6kaSot.exe
1972	Fm6kaSot.exe
1972	Fm6kaSot.exe
1972	Fm6kaSot.exe
1972	Fm6kaSot.exe
1972	Fm6kaSot.exe
1972	Fm6kaSot.exe
1972	Fm6kaSot.exe
1972	Fm6kaSot.exe
1972	Fm6kaSot.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
Token: SeBackupPrivilege	2852	vssvc.exe
Token: SeRestorePrivilege	2852	vssvc.exe
Token: SeAuditPrivilege	2852	vssvc.exe
Token: 33	1824	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1824	AUDIODG.EXE
Token: 33	1824	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1824	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
1104	iexplore.exe
1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
1104	iexplore.exe
1400	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
1104	iexplore.exe
1972	Fm6kaSot.exe
1104	iexplore.exe
1708	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
1104	iexplore.exe
520	Fm6kaSot.exe
1104	iexplore.exe
860	Fm6kaSot.exe
1104	iexplore.exe
268	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
1104	iexplore.exe
1996	Fm6kaSot.exe
1104	iexplore.exe
1104	iexplore.exe
2328	Fm6kaSot.exe
2240	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
1104	iexplore.exe
2660	Fm6kaSot.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
1104	iexplore.exe
1104	iexplore.exe
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
1104	iexplore.exe
1104	iexplore.exe
1296	IEXPLORE.EXE
1296	IEXPLORE.EXE
1104	iexplore.exe
1104	iexplore.exe
604	IEXPLORE.EXE
604	IEXPLORE.EXE
1104	iexplore.exe
1104	iexplore.exe
1456	IEXPLORE.EXE
1456	IEXPLORE.EXE
1104	iexplore.exe
1104	iexplore.exe
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
1104	iexplore.exe
1104	iexplore.exe
240	IEXPLORE.EXE
240	IEXPLORE.EXE
1104	iexplore.exe
1104	iexplore.exe
1296	IEXPLORE.EXE
1296	IEXPLORE.EXE
1104	iexplore.exe
1104	iexplore.exe
2260	IEXPLORE.EXE
2260	IEXPLORE.EXE
1104	iexplore.exe
1104	iexplore.exe
1104	iexplore.exe
1104	iexplore.exe
604	IEXPLORE.EXE
604	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
1104	iexplore.exe
1104	iexplore.exe
1456	IEXPLORE.EXE
1456	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1992	1104	iexplore.exe	29
PID 1104 wrote to memory of 1992	1104	iexplore.exe	29
PID 1104 wrote to memory of 1992	1104	iexplore.exe	29
PID 1104 wrote to memory of 1992	1104	iexplore.exe	29
PID 1784 wrote to memory of 1400	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	30
PID 1784 wrote to memory of 1400	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	30
PID 1784 wrote to memory of 1400	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	30
PID 1784 wrote to memory of 1400	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	30
PID 1784 wrote to memory of 1344	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	31
PID 1784 wrote to memory of 1344	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	31
PID 1784 wrote to memory of 1344	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	31
PID 1784 wrote to memory of 1344	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	31
PID 1104 wrote to memory of 1296	1104	iexplore.exe	33
PID 1104 wrote to memory of 1296	1104	iexplore.exe	33
PID 1104 wrote to memory of 1296	1104	iexplore.exe	33
PID 1104 wrote to memory of 1296	1104	iexplore.exe	33
PID 1784 wrote to memory of 1972	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	34
PID 1784 wrote to memory of 1972	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	34
PID 1784 wrote to memory of 1972	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	34
PID 1784 wrote to memory of 1972	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	34
PID 1784 wrote to memory of 1944	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	35
PID 1784 wrote to memory of 1944	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	35
PID 1784 wrote to memory of 1944	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	35
PID 1784 wrote to memory of 1944	1784	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	35
PID 1944 wrote to memory of 268	1944	cmd.exe	37
PID 1944 wrote to memory of 268	1944	cmd.exe	37
PID 1944 wrote to memory of 268	1944	cmd.exe	37
PID 1944 wrote to memory of 268	1944	cmd.exe	37
PID 1104 wrote to memory of 604	1104	iexplore.exe	38
PID 1104 wrote to memory of 604	1104	iexplore.exe	38
PID 1104 wrote to memory of 604	1104	iexplore.exe	38
PID 1104 wrote to memory of 604	1104	iexplore.exe	38
PID 1944 wrote to memory of 1664	1944	cmd.exe	39
PID 1944 wrote to memory of 1664	1944	cmd.exe	39
PID 1944 wrote to memory of 1664	1944	cmd.exe	39
PID 1944 wrote to memory of 1664	1944	cmd.exe	39
PID 1944 wrote to memory of 928	1944	cmd.exe	40
PID 1944 wrote to memory of 928	1944	cmd.exe	40
PID 1944 wrote to memory of 928	1944	cmd.exe	40
PID 1944 wrote to memory of 928	1944	cmd.exe	40
PID 1400 wrote to memory of 1600	1400	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	50
PID 1400 wrote to memory of 1600	1400	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	50
PID 1400 wrote to memory of 1600	1400	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	50
PID 1400 wrote to memory of 1600	1400	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	50
PID 1400 wrote to memory of 1708	1400	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	41
PID 1400 wrote to memory of 1708	1400	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	41
PID 1400 wrote to memory of 1708	1400	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	41
PID 1400 wrote to memory of 1708	1400	26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe	41
PID 1104 wrote to memory of 1456	1104	iexplore.exe	44
PID 1104 wrote to memory of 1456	1104	iexplore.exe	44
PID 1104 wrote to memory of 1456	1104	iexplore.exe	44
PID 1104 wrote to memory of 1456	1104	iexplore.exe	44
PID 1972 wrote to memory of 520	1972	Fm6kaSot.exe	45
PID 1972 wrote to memory of 520	1972	Fm6kaSot.exe	45
PID 1972 wrote to memory of 520	1972	Fm6kaSot.exe	45
PID 1972 wrote to memory of 520	1972	Fm6kaSot.exe	45
PID 1944 wrote to memory of 1464	1944	cmd.exe	46
PID 1944 wrote to memory of 1464	1944	cmd.exe	46
PID 1944 wrote to memory of 1464	1944	cmd.exe	46
PID 1944 wrote to memory of 1464	1944	cmd.exe	46
PID 1944 wrote to memory of 864	1944	cmd.exe	58
PID 1944 wrote to memory of 864	1944	cmd.exe	58
PID 1944 wrote to memory of 864	1944	cmd.exe	58
PID 1944 wrote to memory of 864	1944	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
"C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
  "C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe" g
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
    "C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe" g
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:1708
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /CREATE /TN "SukyDDmO" /TR "C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe" /SC ONLOGON /RL HIGHEST /F
      4⤵
      Creates scheduled task(s)
      PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
      "C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe" g
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:268
    - - C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe
        
        "C:\Users\Admin\AppData\Local\Temp\26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14.exe" g
        5⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2240
  - - C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe
      "C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      PID:1996
    - - C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe
        
        "C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe" g
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\__config252888.bat"
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:2104
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:2200
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:2508
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:2620
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:2764
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:2992
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:2072
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:2180
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "SukyDDmO" /TR "C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe" /SC ONLOGON /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:1600
- - C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe
    "C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:860
  - - C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe
      "C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe" g
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\__config252888.bat"
    3⤵
    - Deletes itself
    PID:1704
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:832
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:960
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:1472
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:1468
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2172
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2480
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2596
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2720
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2948
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:3056
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:1588
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /CREATE /TN "SukyDDmO" /TR "C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe" /SC ONLOGON /RL HIGHEST /F
  2⤵
  - Creates scheduled task(s)
  PID:1344
- C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe
  "C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Loads dropped DLL
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe
    "C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe" g
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:520
- - C:\Windows\SysWOW64\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2800
- - C:\Windows\SysWOW64\vssadmin.exe
    "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2420
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"
    3⤵
    - Modifies Internet Explorer settings
    PID:2676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /DELETE /TN /F "SukyDDmO"
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\__config16184093.bat"
    3⤵
    PID:2776
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\__config252888.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:268
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:1664
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:928
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:1464
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:864
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:1176
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:864
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:1564
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2148
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2416
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2572
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2692
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2912
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:3024
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:2000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1992
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:275461 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1296
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:406535 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:604
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:668680 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1456
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:865291 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:240
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:472105 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2260
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:1127443 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2067855430-1549759958872018622-7151042121154561831168042451916639795511941049114"
1⤵
PID:1600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1740

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Network Service Scanning

T1046

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Filesize
1KB

MD5
9b7dcaf38192eb3b5e7144b6a3dbf4d2

SHA1
58fb9c8fd367e61ed8167d04a1d4df668a59dbee

SHA256
a99531e8f38b203751e7510c3bdc0eaa9ca21f8730d722fe92682d4c651e1016

SHA512
809ca2efa89ce0c2f1dd7b14f11a258ae229b22c344d3d07a64cd0e52617065f976958cef9070b44f90d364a423815715803c51d6e68c7990be249926bc5bcb3

Download Submit
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Filesize
1KB

MD5
ff53757979f4d8001238f8f6e3be1987

SHA1
3ff1700050cb703fcad77ce31f616f1273e555f8

SHA256
41d64174b95816bdf8ab00836286fdcf1d6bd3783227bc24b4f86249e063f5d7

SHA512
9a996ea7dabae8cff66535f844364e67f9efcc9c38e8fd6e8287d271ba9a8578258597b6828f22367b16687ecd05ba3955020bcccafba4d326d8eb27ea056d7c

Download Submit
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Filesize
1KB

MD5
9c7ce01d7cfa9c0856a568aa2f7a573e

SHA1
c10655e9b440630a63981821406f7f4ac7cf56e5

SHA256
fe1ce382a27f4ce3c5aebf3ae4b1ef48fe4b32a4cf06996935d2b996862965a6

SHA512
d518e03d274e80a16b79a3c4e78b7379570139c85d7555bd8c9ec340e1096458ca1207c093786f7fc57443f1096876093a2f9bebbb6b3e3ed55ad3c1448d6334

Download Submit
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Filesize
1KB

MD5
cd10e7420f48d30b87d3ac75ff514f7b

SHA1
91fdf0e45a59ed366742598c72e9d7f22518af38

SHA256
c8a3dbc3c0ae5e96cde1c8e35af55d0d37d67b9173da00fd6f7ffc65fefc66b9

SHA512
574e0968b55dcdfc4df074fb7a3feab41cd92623da0e69480c480389756209f8b00c05d805776e28b5f1c662fee794179c48ef05756067ba77ef80f356881e41

Download Submit
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Filesize
1KB

MD5
cd10e7420f48d30b87d3ac75ff514f7b

SHA1
91fdf0e45a59ed366742598c72e9d7f22518af38

SHA256
c8a3dbc3c0ae5e96cde1c8e35af55d0d37d67b9173da00fd6f7ffc65fefc66b9

SHA512
574e0968b55dcdfc4df074fb7a3feab41cd92623da0e69480c480389756209f8b00c05d805776e28b5f1c662fee794179c48ef05756067ba77ef80f356881e41

Download Submit
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Filesize
1KB

MD5
cb04cbc7b09f9db2fc7aa0fe84ff4263

SHA1
2fdb0dc4e214af4452641f8944f47a2cb87311e6

SHA256
a1937303913955d55a4fa0203af3253d4f102d08f0ee558403c687197d35c077

SHA512
edfae903754f521979b171156c612b550616cac3fafc73190ed4244a25fafda21f39c4917151138edc09eeecf00b0c3579806777b70d502b47807e9e65a7fb82

Download Submit
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Filesize
1KB

MD5
9d3838df380a4dd58af0a0b05399e16d

SHA1
c397be4fdafd2cb888215fc7a4b44d866755b16b

SHA256
43f4a98030e8c5161d14157cd257e687bcc80f39f0a131fe2eb771584269b7d8

SHA512
950ccf02adfa3fc3b9b5142f914db82c968664a9abf89b474632f0f0601b4b31af7f22c7df87f8233efd5e928ab3df2dd45b69c36a048110549e324f1f99bfba

Download Submit
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Filesize
1KB

MD5
8c2c0d5c6279d16ffa424e122f04bdcf

SHA1
61ee1f9ef3c0fa52168f65bdee3c076eb63deb9c

SHA256
a11f3fa543682031c88e0fc2fee169e58fd272a62831a22732d080734132ef17

SHA512
d69ceacb694f74998113c53a32bd62b899169b860c4d38787dbb0468a16fa19ae8fff548ed4b8733b33c5a7a3d948e11afb08d2e0afae025a03d5482b032b650

Download Submit
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Filesize
1KB

MD5
4df1d33ca3cff73a99c07db90be64aa5

SHA1
f84e6525a268550b2a81148b524381f222a8594b

SHA256
df4a2f7c2bc91e886c9dc94d9014c7e0672d2984a0640948576d8a4cafa40868

SHA512
80cb5b25b8bc87b934b3636de4049366a4a716ecedd15facb0e236ca9a12669a7ba95083805d0a8d2d8b0322215547aca4b6bf0230fd148b84cbc2eec96866e5

Download Submit
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

Filesize
1KB

MD5
e414be65bcf0fcdf0677f77d4bb504a3

SHA1
a9b9d87e6902c04797c5cd74e61c4853bc758622

SHA256
713f05c9db1684bed6efeeead8b7a602e4dc0bc265bb4ee5116d3e4e816756f6

SHA512
85d15d62733b333079e91e04aeec85d2a1a84593bb49f93014507912bd1d79eb7f0425e1a4291550ff1b3eb010829ef8036ad73d80bc1ae51465a8588c925a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__config16184093.bat

Filesize
218B

MD5
af7bc87459bbfcfbc37a5e1f3b595a5d

SHA1
12ace2b5a0e112bf2d97b584933446c78ca0090e

SHA256
016961a808ab6829d06b1fbab44b93fe0ab718059299123fcfa07c5041dd6234

SHA512
9e74ac29e5542f061daa524a35f9cab1d52f528adf7d4ff5f56c4ecf640df5cc4ab7a04d998ef74b3e1438cf3bd59f0cc1793071294de24fc4b429ca1ffa02aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__config252888.bat

Filesize
227B

MD5
1e8c5838db63b92198de92957ef20172

SHA1
31609e51b5ddbddedfcc78a9ab8201749b17d18b

SHA256
accba60a1555d17f7d990e8e40280c2f344120de968280b212b714edc690561d

SHA512
58c3027427749dfb78387f90b88e76c8d8eb3242f43c62cb9aede72f288caafc78126e140a1874a20649fa75523809526d7f2936e4dce53aaf9b9f4527b82bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__config252888.bat

Filesize
227B

MD5
1e8c5838db63b92198de92957ef20172

SHA1
31609e51b5ddbddedfcc78a9ab8201749b17d18b

SHA256
accba60a1555d17f7d990e8e40280c2f344120de968280b212b714edc690561d

SHA512
58c3027427749dfb78387f90b88e76c8d8eb3242f43c62cb9aede72f288caafc78126e140a1874a20649fa75523809526d7f2936e4dce53aaf9b9f4527b82bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__config252888.bat

Filesize
227B

MD5
1e8c5838db63b92198de92957ef20172

SHA1
31609e51b5ddbddedfcc78a9ab8201749b17d18b

SHA256
accba60a1555d17f7d990e8e40280c2f344120de968280b212b714edc690561d

SHA512
58c3027427749dfb78387f90b88e76c8d8eb3242f43c62cb9aede72f288caafc78126e140a1874a20649fa75523809526d7f2936e4dce53aaf9b9f4527b82bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1.vbs

Filesize
3KB

MD5
4c999bbfddd5513d08d2d414c92ac2f4

SHA1
23e40ea4b75dc037a5cdfce521826737090dce09

SHA256
9a55ac3ff3c115b686c19da0a88a9e7525aa62d49c69b107addf8efd33a16215

SHA512
7b48cbff08a98f273afb78262167030395fab421718df559625867b91f98fbb0eb0152e8002568428086d1bd3f03f9c9ab26fdabdf9e33ffcea8f5c56529b944

Download Submit
C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe

Filesize
238KB

MD5
c2cd821ccd6eec05ec67be3a99ba0f71

SHA1
916e018fe28774ef227e839b98dc0a85c13d64a3

SHA256
26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14

SHA512
8fbe6edcd6c58ec34815e5ba422cf335445a50a958de5758bcefa29fc9179a7fe9c31fb7f5d5c5f310304709496e7e64f539a25d907a349c1e15bf8861f3d548

Download Submit
C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe

Filesize
238KB

MD5
c2cd821ccd6eec05ec67be3a99ba0f71

SHA1
916e018fe28774ef227e839b98dc0a85c13d64a3

SHA256
26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14

SHA512
8fbe6edcd6c58ec34815e5ba422cf335445a50a958de5758bcefa29fc9179a7fe9c31fb7f5d5c5f310304709496e7e64f539a25d907a349c1e15bf8861f3d548

Download Submit
C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe

Filesize
238KB

MD5
c2cd821ccd6eec05ec67be3a99ba0f71

SHA1
916e018fe28774ef227e839b98dc0a85c13d64a3

SHA256
26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14

SHA512
8fbe6edcd6c58ec34815e5ba422cf335445a50a958de5758bcefa29fc9179a7fe9c31fb7f5d5c5f310304709496e7e64f539a25d907a349c1e15bf8861f3d548

Download Submit
C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe

Filesize
238KB

MD5
c2cd821ccd6eec05ec67be3a99ba0f71

SHA1
916e018fe28774ef227e839b98dc0a85c13d64a3

SHA256
26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14

SHA512
8fbe6edcd6c58ec34815e5ba422cf335445a50a958de5758bcefa29fc9179a7fe9c31fb7f5d5c5f310304709496e7e64f539a25d907a349c1e15bf8861f3d548

Download Submit
C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe

Filesize
238KB

MD5
c2cd821ccd6eec05ec67be3a99ba0f71

SHA1
916e018fe28774ef227e839b98dc0a85c13d64a3

SHA256
26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14

SHA512
8fbe6edcd6c58ec34815e5ba422cf335445a50a958de5758bcefa29fc9179a7fe9c31fb7f5d5c5f310304709496e7e64f539a25d907a349c1e15bf8861f3d548

Download Submit
C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe

Filesize
238KB

MD5
c2cd821ccd6eec05ec67be3a99ba0f71

SHA1
916e018fe28774ef227e839b98dc0a85c13d64a3

SHA256
26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14

SHA512
8fbe6edcd6c58ec34815e5ba422cf335445a50a958de5758bcefa29fc9179a7fe9c31fb7f5d5c5f310304709496e7e64f539a25d907a349c1e15bf8861f3d548

Download Submit
C:\Users\Admin\AppData\Roaming\Fm6kaSot.exe

Filesize
238KB

MD5
c2cd821ccd6eec05ec67be3a99ba0f71

SHA1
916e018fe28774ef227e839b98dc0a85c13d64a3

SHA256
26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14

SHA512
8fbe6edcd6c58ec34815e5ba422cf335445a50a958de5758bcefa29fc9179a7fe9c31fb7f5d5c5f310304709496e7e64f539a25d907a349c1e15bf8861f3d548

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V6NRIMA0.txt

Filesize
601B

MD5
2b9c118a3a96bbc88ac10a48a80bfcb6

SHA1
8c59af5158fe72add2be15e2c4923745eef68b46

SHA256
e9c628962c2be070266abb226d80f0c3230a9674f05dd17e1e22c9de62f588bd

SHA512
091c7174d6135a8b953676bf171dc0d75a0785f7023aa20e727e7c7437f3909b659dbf7c3f51f99d9dd5350b790591942efbe1b89d93940e4489d6e7dad667bf

Download Submit
C:\Users\Admin\AppData\Roaming\bflXdysX.tmp

Filesize
65B

MD5
b5fc575bfa62a8f865222c36b615e634

SHA1
0a374e12de396f3dc0c1e655fd6710053c2b69fc

SHA256
392ee501fc0a66e7ac47debf5ad6a690fd3d57c80c0bdc7ad531e3a2edfc29c6

SHA512
c3b5396efbca6b4f9003f49d1a7691d53f47708d012b699042c5441f0ab4e513578702e52285de0d7a8a7bc5ed90fcc5e5dff89f2c5fce3949e64a06f845f983

Download Submit
C:\Users\Admin\Desktop\!HELP_SOS.hta

Filesize
52KB

MD5
c75c3142425c5f4810bf768adb03bb44

SHA1
8c0924969e3e74f5454c7e1c0793e077ee4c0987

SHA256
f547037d57d325c72ac1f941b74bcd9464551e76220aa19ca0b162ba3b9b0801

SHA512
0298a65b6b0220eca76621d0f0d19fc4e57fecb04056ae667114bfa8ebfd3e2a5bfc8fcd0c2a54332f506fb1b36dc7b58315a2f65d7f7bd45246c6355bb4c138

Download Submit
\Users\Admin\AppData\Roaming\Fm6kaSot.exe

Filesize
238KB

MD5
c2cd821ccd6eec05ec67be3a99ba0f71

SHA1
916e018fe28774ef227e839b98dc0a85c13d64a3

SHA256
26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14

SHA512
8fbe6edcd6c58ec34815e5ba422cf335445a50a958de5758bcefa29fc9179a7fe9c31fb7f5d5c5f310304709496e7e64f539a25d907a349c1e15bf8861f3d548

Download Submit
\Users\Admin\AppData\Roaming\Fm6kaSot.exe

Filesize
238KB

MD5
c2cd821ccd6eec05ec67be3a99ba0f71

SHA1
916e018fe28774ef227e839b98dc0a85c13d64a3

SHA256
26f5a4b79ee5a6cc0acacd5d285a10907ff9eb2d32af5bddef3ad81f663a5b14

SHA512
8fbe6edcd6c58ec34815e5ba422cf335445a50a958de5758bcefa29fc9179a7fe9c31fb7f5d5c5f310304709496e7e64f539a25d907a349c1e15bf8861f3d548

Download Submit
memory/268-160-0x00000000038F0000-0x000000000391F000-memory.dmp

Filesize
188KB

Download
memory/268-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/268-111-0x00000000038F0000-0x000000000391F000-memory.dmp

Filesize
188KB

Download
memory/520-138-0x0000000003700000-0x000000000372F000-memory.dmp

Filesize
188KB

Download
memory/520-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/520-89-0x0000000003700000-0x000000000372F000-memory.dmp

Filesize
188KB

Download
memory/860-110-0x0000000003840000-0x000000000386F000-memory.dmp

Filesize
188KB

Download
memory/860-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/860-159-0x0000000003840000-0x000000000386F000-memory.dmp

Filesize
188KB

Download
memory/1400-75-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1400-66-0x0000000003720000-0x000000000374F000-memory.dmp

Filesize
188KB

Download
memory/1400-97-0x0000000003720000-0x000000000374F000-memory.dmp

Filesize
188KB

Download
memory/1708-88-0x0000000003870000-0x000000000389F000-memory.dmp

Filesize
188KB

Download
memory/1708-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1784-70-0x00000000038A0000-0x00000000038CF000-memory.dmp

Filesize
188KB

Download
memory/1784-54-0x0000000074C81000-0x0000000074C83000-memory.dmp

Filesize
8KB

Download
memory/1784-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1784-55-0x00000000038A0000-0x00000000038CF000-memory.dmp

Filesize
188KB

Download
memory/1972-118-0x0000000003980000-0x00000000039AF000-memory.dmp

Filesize
188KB

Download
memory/1972-72-0x0000000003980000-0x00000000039AF000-memory.dmp

Filesize
188KB

Download
memory/1972-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-139-0x00000000039E0000-0x0000000003A0F000-memory.dmp

Filesize
188KB

Download
memory/1996-145-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2240-154-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2240-169-0x0000000003A00000-0x0000000003A2F000-memory.dmp

Filesize
188KB

Download
memory/2240-141-0x0000000003A00000-0x0000000003A2F000-memory.dmp

Filesize
188KB

Download
memory/2328-140-0x00000000039B0000-0x00000000039DF000-memory.dmp

Filesize
188KB

Download
memory/2328-170-0x00000000039B0000-0x00000000039DF000-memory.dmp

Filesize
188KB

Download
memory/2328-155-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-161-0x00000000039B0000-0x00000000039DF000-memory.dmp

Filesize
188KB

Download
memory/2660-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2660-172-0x00000000039B0000-0x00000000039DF000-memory.dmp

Filesize
188KB

Download