ammyyadmin | 2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
Size

769KB
MD5

cf8d441c3959c5a09b18b21e231d89bd
SHA1

927584c9b3cad98065c1f1a975e68f2fbd19161c
SHA256

2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4
SHA512

f0c53b7f6504bebed71bb4eb6f82049fcbe292c4e8bfc329091ff459fdaf2092e0f7ae8851e474d2076b8881c971180109ab482ee0d0b4f9bafe572886bdd888
SSDEEP

12288:RC76zMontVWUL0YCb6HIKDW4eV9uOxZbYESS/gudZQFR2EH9kC0T2e9NkrsUEE0X:REWWpeB2V9u0iK//0DQrkeEmh9z

Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 7 IoCs

resource	yara_rule
behavioral2/files/0x0001000000022df8-169.dat	family_ammyyadmin
behavioral2/files/0x0001000000022df8-168.dat	family_ammyyadmin
behavioral2/files/0x0001000000022df8-172.dat	family_ammyyadmin
behavioral2/files/0x0001000000022df8-181.dat	family_ammyyadmin
behavioral2/files/0x0001000000022df8-185.dat	family_ammyyadmin
behavioral2/files/0x0001000000022df8-204.dat	family_ammyyadmin
behavioral2/files/0x0001000000022df8-206.dat	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Executes dropped EXE 7 IoCs

pid	Process
4532	tmp2.exe
5068	wmihost.exe
3444	wmihost.exe
4264	wmihost.exe
4884	wmihost.exe
3936	wmihost.exe
4868	wmihost.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wmihost.exe

Loads dropped DLL 64 IoCs

pid	Process
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	wmihost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	wmihost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	wmihost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	wmihost.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3716	sc.exe
3480	sc.exe
680	sc.exe
1040	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
2300	taskkill.exe
4576	taskkill.exe
2188	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	wmihost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	wmihost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	wmihost.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
60	reg.exe
1788	reg.exe

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	4576	taskkill.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 2188	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	83
PID 4960 wrote to memory of 2188	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	83
PID 4960 wrote to memory of 2188	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	83
PID 4960 wrote to memory of 2024	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	84
PID 4960 wrote to memory of 2024	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	84
PID 4960 wrote to memory of 2024	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	84
PID 2024 wrote to memory of 364	2024	net.exe	86
PID 2024 wrote to memory of 364	2024	net.exe	86
PID 2024 wrote to memory of 364	2024	net.exe	86
PID 4960 wrote to memory of 1040	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	87
PID 4960 wrote to memory of 1040	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	87
PID 4960 wrote to memory of 1040	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	87
PID 4960 wrote to memory of 3752	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	89
PID 4960 wrote to memory of 3752	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	89
PID 4960 wrote to memory of 3752	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	89
PID 3752 wrote to memory of 1960	3752	net.exe	91
PID 3752 wrote to memory of 1960	3752	net.exe	91
PID 3752 wrote to memory of 1960	3752	net.exe	91
PID 4960 wrote to memory of 3716	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	92
PID 4960 wrote to memory of 3716	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	92
PID 4960 wrote to memory of 3716	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	92
PID 4960 wrote to memory of 60	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	94
PID 4960 wrote to memory of 60	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	94
PID 4960 wrote to memory of 60	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	94
PID 4960 wrote to memory of 1788	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	96
PID 4960 wrote to memory of 1788	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	96
PID 4960 wrote to memory of 1788	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	96
PID 4960 wrote to memory of 4532	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	98
PID 4960 wrote to memory of 4532	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	98
PID 4960 wrote to memory of 4532	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	98
PID 4960 wrote to memory of 5068	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	103
PID 4960 wrote to memory of 5068	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	103
PID 4960 wrote to memory of 5068	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	103
PID 4960 wrote to memory of 3444	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	105
PID 4960 wrote to memory of 3444	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	105
PID 4960 wrote to memory of 3444	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	105
PID 4960 wrote to memory of 2300	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	108
PID 4960 wrote to memory of 2300	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	108
PID 4960 wrote to memory of 2300	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	108
PID 4960 wrote to memory of 4264	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	110
PID 4960 wrote to memory of 4264	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	110
PID 4960 wrote to memory of 4264	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	110
PID 4960 wrote to memory of 4884	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	111
PID 4960 wrote to memory of 4884	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	111
PID 4960 wrote to memory of 4884	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	111
PID 4960 wrote to memory of 4576	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	112
PID 4960 wrote to memory of 4576	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	112
PID 4960 wrote to memory of 4576	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	112
PID 4960 wrote to memory of 3480	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	115
PID 4960 wrote to memory of 3480	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	115
PID 4960 wrote to memory of 3480	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	115
PID 4960 wrote to memory of 680	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	117
PID 4960 wrote to memory of 680	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	117
PID 4960 wrote to memory of 680	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	117
PID 4960 wrote to memory of 5108	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	119
PID 4960 wrote to memory of 5108	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	119
PID 4960 wrote to memory of 5108	4960	2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe	119
PID 5108 wrote to memory of 4064	5108	net.exe	121
PID 5108 wrote to memory of 4064	5108	net.exe	121
PID 5108 wrote to memory of 4064	5108	net.exe	121
PID 3936 wrote to memory of 4868	3936	wmihost.exe	123
PID 3936 wrote to memory of 4868	3936	wmihost.exe	123
PID 3936 wrote to memory of 4868	3936	wmihost.exe	123

C:\Users\Admin\AppData\Local\Temp\2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe
"C:\Users\Admin\AppData\Local\Temp\2c6daaf2cf193afdc8557069be4b7e344e3fd3b727a66e2dff450f80a2cf09d4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im wmihost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ammyy /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ammyy /y
    3⤵
    PID:364
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete ammyy /y
  2⤵
  - Launches sc.exe
  PID:1040
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ammyyadmin /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ammyyadmin /y
    3⤵
    PID:1960
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" delete ammyyadmin /y
  2⤵
  - Launches sc.exe
  PID:3716
- C:\Windows\SysWOW64\reg.exe
  "reg.exe" delete HKLM\Software\Ammyy /f
  2⤵
  - Modifies registry key
  PID:60
- C:\Windows\SysWOW64\reg.exe
  "reg.exe" delete HKCU\Software\Ammyy /f
  2⤵
  - Modifies registry key
  PID:1788
- C:\Users\Admin\AppData\Local\Temp\tmp2.exe
  C:\Users\Admin\AppData\Local\Temp\tmp2.exe x C:\Users\Admin\AppData\Local\Temp\tmp1 -p1234554321 -o"C:\ProgramData\AMMYY" -aoa
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\ProgramData\AMMYY\wmihost.exe
  "C:\ProgramData\AMMYY\wmihost.exe" -getid -nogui
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:5068
- C:\ProgramData\AMMYY\wmihost.exe
  "C:\ProgramData\AMMYY\wmihost.exe" -outid
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im wmihost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\ProgramData\AMMYY\wmihost.exe
  "C:\ProgramData\AMMYY\wmihost.exe" -getid -nogui
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:4264
- C:\ProgramData\AMMYY\wmihost.exe
  "C:\ProgramData\AMMYY\wmihost.exe" -outid
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /t /im wmihost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" create ammyy binpath= "C:\ProgramData\AMMYY\wmihost.exe -service" start= auto displayname= "Configure System"
  2⤵
  - Launches sc.exe
  PID:3480
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" description ammyy "Configure Reload System"
  2⤵
  - Launches sc.exe
  PID:680
- C:\Windows\SysWOW64\net.exe
  "net.exe" start ammyy /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start ammyy /y
    3⤵
    PID:4064

C:\ProgramData\AMMYY\wmihost.exe
C:\ProgramData\AMMYY\wmihost.exe -service
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936
- C:\ProgramData\AMMYY\wmihost.exe
  "C:\ProgramData\AMMYY\wmihost.exe" -nogui
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\ammyy_id.log

Filesize
85B

MD5
d0af23f3577896a1ab7960cdf10240b5

SHA1
f31fb9dda0af7d9aec1264fed45488977ffd11b7

SHA256
df284f21dd1de8cc4080f97c946853ca98438457596fafccbd26ccf304f25d87

SHA512
ce6157010752c1ee1f4d0f297d0405ad8d9e9072583f9b928e7661a6c702fccad37bbf89aadaccfeeb052b8f591ce126065b15f5d7f7373b287c111752bd6e71

Download Submit
C:\ProgramData\AMMYY\ammyy_id.log

Filesize
93B

MD5
9c1dbc99206520f7f4aece898e014a19

SHA1
207849997b9ed47cbd31d80d9d7ee2c36af4a223

SHA256
e00c9a968b416d4f19705cfc8619815957fa2354ae673eb11cb5e4f48b917897

SHA512
4eac76e803dc0b1f602eaafc5b9984ce12f7ac8a43b8bb23790d4914e0a0e76884d362896b4fc9b53f3519bb0c904370a21ec02653a1881c1e83b7117b26f506

Download Submit
C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
4b3d1e1c6dd31cfa912a8928a3bebde4

SHA1
ce7027717651d55c4ce5b318d8f0729bb7709b85

SHA256
ac522e231cbc085e624c6d3e20cd3746c2ed70bd9ea2742037d897ac5e55a395

SHA512
cfe5aae7a0d388dbb485ad362c1276b19b3548ba3f9937e4e7907e7cc5e2231c5be98fca3d3190337b7189ce8bae99d545b922c51aae4104e2c4b729687b2cb4

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
b36c9526d776b4beef287f2fd9bf500e

SHA1
c9e77babea1a1b3456bc8d43333b0df7b5f02b85

SHA256
434200159c8be16eac42dc8b3d0de27d0fc87531954995bf68bda2b79838e7c5

SHA512
6704fc6382c3f3841d54de9464d2be020e823cc58987592416eca3d4bfc120e847574738d2eaf0c2018574b979c4766c884d5edbaf7a46cbda1bdde88353d9e1

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
305B

MD5
05a760dd8fba4acb5177f943f295e2ba

SHA1
372bcfe7c47ad8fb3c52650918fc198c4b6223d5

SHA256
d68e2233679b1c30e3df57e172ec053be2f67a3ccab823af487e1ec3036da877

SHA512
7e62948306d2f0beed8682cb1de7289807a0db21c837e3a9ea7ec2e1e79a4ed2a240f95ec5557686ebd8b5c06eb8bc312375e893ffad6df70a51c53b07e02f9a

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
305B

MD5
f008052ac57525b8f6dbd5c79720acec

SHA1
a16820d7fc64e37d602568a34c9895d70c4ca2c3

SHA256
74eb5cf999ef8b3d84b79cdab8810acd727a0f06f7e502711645ed960ce2e05a

SHA512
488354219e7b0caf95915ffea39b99a0a2d53e3784bb9ccb2cdff0d11842e2f3c095d854ca78c60e65c02dff39ae15e8756396f69c982d6086b7c6eb6506d1a8

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\ProgramData\AMMYY\wmihost.exe

Filesize
746KB

MD5
2cbf5657ffd8858a9597f296a60270c2

SHA1
b130611c92788337c4f6bb9e9454ff06eb409166

SHA256
9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

SHA512
06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\UserInfo.dll

Filesize
4KB

MD5
031ec9b12afb1fafc9fc397f3b90f29c

SHA1
de26ddfe3ef452f8205bfbd5520a8eff6328619f

SHA256
2dc320488b636b9dce9581a95e5a833a07500622c1a64fc05023ba6482d2a6e1

SHA512
cbebded4e3a87234899e2b67121f898c9060671d25088b7de29bbcbda90a5410dd3afd110417caa6c46ba656e1a863da39127e15c2122fedaa5054f4d43b90a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\UserInfo.dll

Filesize
4KB

MD5
031ec9b12afb1fafc9fc397f3b90f29c

SHA1
de26ddfe3ef452f8205bfbd5520a8eff6328619f

SHA256
2dc320488b636b9dce9581a95e5a833a07500622c1a64fc05023ba6482d2a6e1

SHA512
cbebded4e3a87234899e2b67121f898c9060671d25088b7de29bbcbda90a5410dd3afd110417caa6c46ba656e1a863da39127e15c2122fedaa5054f4d43b90a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\UserInfo.dll

Filesize
4KB

MD5
031ec9b12afb1fafc9fc397f3b90f29c

SHA1
de26ddfe3ef452f8205bfbd5520a8eff6328619f

SHA256
2dc320488b636b9dce9581a95e5a833a07500622c1a64fc05023ba6482d2a6e1

SHA512
cbebded4e3a87234899e2b67121f898c9060671d25088b7de29bbcbda90a5410dd3afd110417caa6c46ba656e1a863da39127e15c2122fedaa5054f4d43b90a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\UserInfo.dll

Filesize
4KB

MD5
031ec9b12afb1fafc9fc397f3b90f29c

SHA1
de26ddfe3ef452f8205bfbd5520a8eff6328619f

SHA256
2dc320488b636b9dce9581a95e5a833a07500622c1a64fc05023ba6482d2a6e1

SHA512
cbebded4e3a87234899e2b67121f898c9060671d25088b7de29bbcbda90a5410dd3afd110417caa6c46ba656e1a863da39127e15c2122fedaa5054f4d43b90a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\UserInfo.dll

Filesize
4KB

MD5
031ec9b12afb1fafc9fc397f3b90f29c

SHA1
de26ddfe3ef452f8205bfbd5520a8eff6328619f

SHA256
2dc320488b636b9dce9581a95e5a833a07500622c1a64fc05023ba6482d2a6e1

SHA512
cbebded4e3a87234899e2b67121f898c9060671d25088b7de29bbcbda90a5410dd3afd110417caa6c46ba656e1a863da39127e15c2122fedaa5054f4d43b90a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\UserInfo.dll

Filesize
4KB

MD5
031ec9b12afb1fafc9fc397f3b90f29c

SHA1
de26ddfe3ef452f8205bfbd5520a8eff6328619f

SHA256
2dc320488b636b9dce9581a95e5a833a07500622c1a64fc05023ba6482d2a6e1

SHA512
cbebded4e3a87234899e2b67121f898c9060671d25088b7de29bbcbda90a5410dd3afd110417caa6c46ba656e1a863da39127e15c2122fedaa5054f4d43b90a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoABF6.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1

Filesize
297KB

MD5
78edc98ba9b3c91d0d636b016823de20

SHA1
06baca29f62eab9f56e5a61933e7bca580a88352

SHA256
a57e611fcc4942fd0af2b2a902c1a5ac7ef07762fb6b9034a39e68161ce497cb

SHA512
00cc63d3509e43ca7f3067e11fe556c7acb4e2abbe6d0903c7ccd4c5207f3337edd002f3dcc2f1c5dfedebc3afb024b703f842c6d580001852a83150fcf17762

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
memory/4960-213-0x0000000002351000-0x0000000002354000-memory.dmp

Filesize
12KB

Download