ammyyadmin | 2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4

Analysis

max time kernel
151s
max time network
177s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
Size

769KB
MD5

cf8d441c3959c5a09b18b21e231d89bd
SHA1

927584c9b3cad98065c1f1a975e68f2fbd19161c
SHA256

2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4
SHA512

f0c53b7f6504bebed71bb4eb6f82049fcbe292c4e8bfc329091ff459fdaf2092e0f7ae8851e474d2076b8881c971180109ab482ee0d0b4f9bafe572886bdd888
SSDEEP

12288:RC76zMontVWUL0YCb6HIKDW4eV9uOxZbYESS/gudZQFR2EH9kC0T2e9NkrsUEE0X:REWWpeB2V9u0iK//0DQrkeEmh9z

Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 16 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012310-79.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-80.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-83.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-81.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-86.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-88.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-95.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-97.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-101.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-99.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-109.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-107.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-113.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-115.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-129.dat	family_ammyyadmin
behavioral1/files/0x0008000000012310-132.dat	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 9 IoCs

pid	Process
1688	tmp2.exe
1352	wmihost.exe
1300	wmihost.exe
1812	wmihost.exe
396	wmihost.exe
1868	wmihost.exe
292	wmihost.exe
1604	wmihost.exe
588	wmihost.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	wmihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	wmihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	wmihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	wmihost.exe

Loads dropped DLL 64 IoCs

pid	Process
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
920	sc.exe
1504	sc.exe
596	sc.exe
1912	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 4 IoCs

evasion

pid	Process
2028	taskkill.exe
584	taskkill.exe
1536	taskkill.exe
2036	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wmihost.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
280	reg.exe
1936	reg.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	584	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2028	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	28
PID 1108 wrote to memory of 2028	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	28
PID 1108 wrote to memory of 2028	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	28
PID 1108 wrote to memory of 2028	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	28
PID 1108 wrote to memory of 560	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	31
PID 1108 wrote to memory of 560	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	31
PID 1108 wrote to memory of 560	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	31
PID 1108 wrote to memory of 560	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	31
PID 560 wrote to memory of 1912	560	net.exe	33
PID 560 wrote to memory of 1912	560	net.exe	33
PID 560 wrote to memory of 1912	560	net.exe	33
PID 560 wrote to memory of 1912	560	net.exe	33
PID 1108 wrote to memory of 920	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	34
PID 1108 wrote to memory of 920	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	34
PID 1108 wrote to memory of 920	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	34
PID 1108 wrote to memory of 920	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	34
PID 1108 wrote to memory of 1736	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	36
PID 1108 wrote to memory of 1736	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	36
PID 1108 wrote to memory of 1736	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	36
PID 1108 wrote to memory of 1736	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	36
PID 1736 wrote to memory of 1344	1736	net.exe	38
PID 1736 wrote to memory of 1344	1736	net.exe	38
PID 1736 wrote to memory of 1344	1736	net.exe	38
PID 1736 wrote to memory of 1344	1736	net.exe	38
PID 1108 wrote to memory of 1504	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	39
PID 1108 wrote to memory of 1504	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	39
PID 1108 wrote to memory of 1504	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	39
PID 1108 wrote to memory of 1504	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	39
PID 1108 wrote to memory of 280	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	41
PID 1108 wrote to memory of 280	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	41
PID 1108 wrote to memory of 280	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	41
PID 1108 wrote to memory of 280	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	41
PID 1108 wrote to memory of 1936	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	43
PID 1108 wrote to memory of 1936	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	43
PID 1108 wrote to memory of 1936	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	43
PID 1108 wrote to memory of 1936	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	43
PID 1108 wrote to memory of 1688	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	45
PID 1108 wrote to memory of 1688	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	45
PID 1108 wrote to memory of 1688	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	45
PID 1108 wrote to memory of 1688	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	45
PID 1108 wrote to memory of 1352	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	47
PID 1108 wrote to memory of 1352	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	47
PID 1108 wrote to memory of 1352	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	47
PID 1108 wrote to memory of 1352	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	47
PID 1108 wrote to memory of 1300	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	49
PID 1108 wrote to memory of 1300	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	49
PID 1108 wrote to memory of 1300	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	49
PID 1108 wrote to memory of 1300	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	49
PID 1108 wrote to memory of 584	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	50
PID 1108 wrote to memory of 584	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	50
PID 1108 wrote to memory of 584	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	50
PID 1108 wrote to memory of 584	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	50
PID 1108 wrote to memory of 1812	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	52
PID 1108 wrote to memory of 1812	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	52
PID 1108 wrote to memory of 1812	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	52
PID 1108 wrote to memory of 1812	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	52
PID 1108 wrote to memory of 396	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	53
PID 1108 wrote to memory of 396	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	53
PID 1108 wrote to memory of 396	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	53
PID 1108 wrote to memory of 396	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	53
PID 1108 wrote to memory of 1536	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	54
PID 1108 wrote to memory of 1536	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	54
PID 1108 wrote to memory of 1536	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	54
PID 1108 wrote to memory of 1536	1108	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	54

C:\Users\Admin\AppData\Local\Temp\2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
"C:\Users\Admin\AppData\Local\Temp\2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im wmihost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ammyy /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ammyy /y
    3⤵
    PID:1912
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete ammyy /y
  2⤵
  - Launches sc.exe
  PID:920
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ammyyadmin /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ammyyadmin /y
    3⤵
    PID:1344
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete ammyyadmin /y
  2⤵
  - Launches sc.exe
  PID:1504
- C:\Windows\SysWOW64\reg.exe
  "reg.exe" delete HKLM\Software\Ammyy /f
  2⤵
  - Modifies registry key
  PID:280
- C:\Windows\SysWOW64\reg.exe
  "reg.exe" delete HKCU\Software\Ammyy /f
  2⤵
  - Modifies registry key
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\tmp2.exe
  C:\Users\Admin\AppData\Local\Temp\tmp2.exe x C:\Users\Admin\AppData\Local\Temp\tmp1 -p1234554321 -o"C:\ProgramData\AMMYY" -aoa
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\ProgramData\AMMYY\wmihost.exe
  "C:\ProgramData\AMMYY\wmihost.exe" -getid -nogui
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:1352
- C:\ProgramData\AMMYY\wmihost.exe
  "C:\ProgramData\AMMYY\wmihost.exe" -outid
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im wmihost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\ProgramData\AMMYY\wmihost.exe
  "C:\ProgramData\AMMYY\wmihost.exe" -getid -nogui
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:1812
- C:\ProgramData\AMMYY\wmihost.exe
  "C:\ProgramData\AMMYY\wmihost.exe" -outid
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im wmihost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\ProgramData\AMMYY\wmihost.exe
  "C:\ProgramData\AMMYY\wmihost.exe" -getid -nogui
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:1868
- C:\ProgramData\AMMYY\wmihost.exe
  "C:\ProgramData\AMMYY\wmihost.exe" -outid
  2⤵
  - Executes dropped EXE
  PID:292
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im wmihost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" create ammyy binpath= "C:\ProgramData\AMMYY\wmihost.exe -service" start= auto displayname= "Configure System"
  2⤵
  - Launches sc.exe
  PID:596
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" description ammyy "Configure Reload System"
  2⤵
  - Launches sc.exe
  PID:1912
- C:\Windows\SysWOW64\net.exe
  "net.exe" start ammyy /y
  2⤵
  PID:584
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start ammyy /y
    3⤵
    PID:1528

C:\ProgramData\AMMYY\wmihost.exe
C:\ProgramData\AMMYY\wmihost.exe -service
1⤵
- Executes dropped EXE
PID:1604
- C:\ProgramData\AMMYY\wmihost.exe
  "C:\ProgramData\AMMYY\wmihost.exe" -nogui
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\ammyy_id.log

Filesize
85B

MD5
364096e1b1ae8b695301859f5c50a93f

SHA1
16baa06085d397fb03ee9dbe9b4a4bad38b5daa3

SHA256
e04c30decd0be203bdf07f80931bacd481479284a76909376862a5df719b833b

SHA512
25c46f41f01aa0fa7bc251c1b9e48ae669b6ae0615944aa1609eb7f310ff223328be87b8c86bea58b247ce9a50a4eb80949970b99119920e9d7c6474804cacd4

Download Submit
C:\ProgramData\AMMYY\ammyy_id.log

Filesize
93B

MD5
8777a0f5f856b7242f4929aa009d82cd

SHA1
8156b72092e67a3d111ab5e5f113c49e7e218c61

SHA256
1c85ae452408c57244a67c9dde96b4bf9f6861194e99038a6e58413ee0a05b27

SHA512
63e6f0995fc6fd481ada49f96e85edf37e916b8ba448bf961548b6fb7dc0eeea62ee2019dd6ddde0ede63b209c010fb3823dc0a93091253cc6f4647f69deff8d

Download Submit
C:\ProgramData\AMMYY\ammyy_id.log

Filesize
85B

MD5
364096e1b1ae8b695301859f5c50a93f

SHA1
16baa06085d397fb03ee9dbe9b4a4bad38b5daa3

SHA256
e04c30decd0be203bdf07f80931bacd481479284a76909376862a5df719b833b

SHA512
25c46f41f01aa0fa7bc251c1b9e48ae669b6ae0615944aa1609eb7f310ff223328be87b8c86bea58b247ce9a50a4eb80949970b99119920e9d7c6474804cacd4

Download Submit
C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
9ac8ce991cc0d48e7a3cee432b4d19f0

SHA1
56bf8c364d1b4a9d900740d624a2dfd6dee42d1e

SHA256
8b078b2fbfe086bead2c557393e4718876a87919daaf2c085411f5c1d159c031

SHA512
24b48ff5e9f83ca15b58153c4abcf0567fe1847e5675afdddee51e07289ca8a8b9eb0d7c44faf6db30fba88116a5c87cc9fbbb751e1e0c60d786fef6d79b3095

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
f8fd534e91e8db90cf621de2aa17a2f5

SHA1
e500a5bbb378f6374295663deee4909d04efa64d

SHA256
9f131b7a9473a572c2609d10e91e2da0070a30056441a4090e96b386b3ab8a04

SHA512
8e6e2fec47f378d22c4df24eed523f058140c9c9e1307f899408d6a1400afbd6bfb824b86e84a07afb5159637dc1ba40956ff92f3a2d39110d07e6c035a91f7f

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
305B

MD5
05a760dd8fba4acb5177f943f295e2ba

SHA1
372bcfe7c47ad8fb3c52650918fc198c4b6223d5

SHA256
d68e2233679b1c30e3df57e172ec053be2f67a3ccab823af487e1ec3036da877

SHA512
7e62948306d2f0beed8682cb1de7289807a0db21c837e3a9ea7ec2e1e79a4ed2a240f95ec5557686ebd8b5c06eb8bc312375e893ffad6df70a51c53b07e02f9a

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
305B

MD5
a37c7fdfa119c78fc731b56de2db25cc

SHA1
42e682ce7320bee16672cd38d5abb6542be6ffd5

SHA256
8279c2a03469c4f33aa9db27f70f71b4c992263197ff47d70f570eae55394c73

SHA512
62efb79200d8bc7afb7682451afeba83107b3cf1fdbd4c0f65894a4318059c194e826f399e7a7c064fd64ec8597703463bfd04cb0839a6944355cf8e8eabd318

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1

Filesize
297KB

MD5
78edc98ba9b3c91d0d636b016823de20

SHA1
06baca29f62eab9f56e5a61933e7bca580a88352

SHA256
a57e611fcc4942fd0af2b2a902c1a5ac7ef07762fb6b9034a39e68161ce497cb

SHA512
00cc63d3509e43ca7f3067e11fe556c7acb4e2abbe6d0903c7ccd4c5207f3337edd002f3dcc2f1c5dfedebc3afb024b703f842c6d580001852a83150fcf17762

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\UserInfo.dll

Filesize
4KB

MD5
031ec9b12afb1fafc9fc397f3b90f29c

SHA1
de26ddfe3ef452f8205bfbd5520a8eff6328619f

SHA256
2dc320488b636b9dce9581a95e5a833a07500622c1a64fc05023ba6482d2a6e1

SHA512
cbebded4e3a87234899e2b67121f898c9060671d25088b7de29bbcbda90a5410dd3afd110417caa6c46ba656e1a863da39127e15c2122fedaa5054f4d43b90a6

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\UserInfo.dll

Filesize
4KB

MD5
031ec9b12afb1fafc9fc397f3b90f29c

SHA1
de26ddfe3ef452f8205bfbd5520a8eff6328619f

SHA256
2dc320488b636b9dce9581a95e5a833a07500622c1a64fc05023ba6482d2a6e1

SHA512
cbebded4e3a87234899e2b67121f898c9060671d25088b7de29bbcbda90a5410dd3afd110417caa6c46ba656e1a863da39127e15c2122fedaa5054f4d43b90a6

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\UserInfo.dll

Filesize
4KB

MD5
031ec9b12afb1fafc9fc397f3b90f29c

SHA1
de26ddfe3ef452f8205bfbd5520a8eff6328619f

SHA256
2dc320488b636b9dce9581a95e5a833a07500622c1a64fc05023ba6482d2a6e1

SHA512
cbebded4e3a87234899e2b67121f898c9060671d25088b7de29bbcbda90a5410dd3afd110417caa6c46ba656e1a863da39127e15c2122fedaa5054f4d43b90a6

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\nsx76E7.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
memory/1108-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download