a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992

Resubmissions

28/02/2023, 20:04

230228-ytdzksch89 10

04/02/2023, 22:36

04/02/2023, 22:32

04/02/2023, 22:30

04/02/2023, 22:15

28/12/2022, 14:55

Analysis

max time kernel
137s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2023, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Size

333KB
MD5

3191feae778309eb99df4e4e25c62f1a
SHA1

d639821e3fbbb15e14b46aed5b98568e3ce045c3
SHA256

a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992
SHA512

c8d8734bb1d6e413d8b14e73952a4eb42fd5641ca49822db66f87ea7f0c1fb4c2a38232a652a11ca1c3c5564a517a2aaef8fb59fadff36a11afcce60e5d89798
SSDEEP

6144:P1S1JwNbEKcwwZTz2fYNR5OyxyM6qy9iJ4zv5fmRw9aC1oPtYdeAS9aqbGqeBD:9So4KcZbRwyxmf9iWhuw9aCqPtYMH9zs

Score

10^/10

evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Favorites\Links\How To Restore Your Files.txt

Ransom Note

_ _ _____ ___ ___ ___ _ _____ | | ( )| _ || _ \ ( _ \ ( _ \ (_)(_ _) | |_| || (_) || (_) )| | ) || (_) )| | | | | _ || _ || / | | | || _ ( | | | | | | | || | | || |\ \ | |_) || (_) )| | | | (_) |_||_| |_||_| (_)(____/ (____/ |_| |_| ¦¦¦¦¦HARDBIT RANSOMWARE¦¦¦¦¦ ---- what happened? All your files have been stolen and then encrypted. But don't worry, everything is safe and will be returned to you. ---- How can I get my files back? You have to pay us to get the files back. We don't have bank or paypal accounts, you only have to pay us via Bitcoin. ---- How can I buy bitcoins? You can buy bitcoins from all reputable sites in the world and send them to us. Just search how to buy bitcoins on the internet. Our suggestion is these sites. >>https://www.binance.com/en<< >>https://www.coinbase.com/<< >>https://localbitcoins.com/<< >>https://www.bybit.com/en-US/<< ---- What is your guarantee to restore files? Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. ---- How to contact with you? Or contact us by email:>>[email protected]<< or >>[email protected]<< ---- How will the payment process be after payment? After payment, we will send you the decryption tool along with the guide and we will be with you until the last file is decrypted. ---- What happens if I don't pay you? If you don't pay us, you will never have access to your files because the private key is only in our hands. This transaction is not important to us, but it is important to you, because not only do you not have access to your files, but you also lose time. And the more time passes, the more you will lose and If you do not pay the ransom, we will attack your company again in the future. ---- What are your recommendations? - Never change the name of the files, if you want to manipulate the files, make sure you make a backup of them. If there is a problem with the files, we are not responsible for it. - Never work with intermediary companies, because they charge more money from you. For example, if we ask you for 50,000 dollars, they will tell you 55,000 dollars. Don't be afraid of us, just call us. ---- Very important! For those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations. The insurance company will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount. For example your company is insured for 10 million dollars, while negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for example 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million dollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars. He will do anything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If you told us anonymously that your company was insured for $10 million and other important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent. That way you would have avoided a leak and decrypted your information. But since the sneaky insurance agent purposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company. Poor multimillionaire insurers will not starve and will not become poorer from the payment of the maximum amount specified in the contract, because everyone knows that the contract is more expensive than money, so let them fulfill the conditions prescribed in your insurance contract, thanks to our interaction. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Your ID :078BFBFF000306D2, 078BFBFF000306D2 Your Key :i69qOHrdCleeEDTFDc2zT7J5PG87cjUkpnPXJwlMNfIGaU8jDHm4sLWPF/GhkOfvaK6NvudzKCufSUgy9kXkl7NGqh3RRMvRcIAah759T0S4zWih5yZT21Qr6LeCMPMn96xN2yR7cWD7yXI/w0Q3FTgKqamzDKMhV+uoMcybioQ=

Emails

email:>>[email protected]<<

>>[email protected]<<

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.hta

Ransom Note

All your files have been encrypted due to a security problem with your PC. If you want to restore them, please send your ID for us Our contact information is written in file (HOW TO RESTORE YOUR FILES). Please read this file carefully so as not to make a mistake. You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay Double . We need your ID and your ID is written below the help file Please do not touch the Key written under the help file in any way, otherwise the consequences will be with you Introducing TOX messengers You can download and install TOX message from this link https://tox.chat/ Our ID in TOX: 77A904360EA7D74268E7A4F316865F1703D2D7A6AF28C9ECFACED69CD09C8610FF2C728E6A33. We are ready to answer your questions! If you have information about the company and its servers, share with us in TOX and receive a share from us when they pay. Don't worry, your identity will remain hidden. Is there a guarantee for decryption after payment? Before paying you can send us up to for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) Attention! DO NOT trust anyone except the email and the TOX ID that is in the help file, otherwise we will not be responsible for the consequences. DO NOT rename encrypted files. DO NOT try to decrypt or manipulate the files yourself. Do Not contact intermediary companies. They don't do anything special, they just message us and give us money and get the key, but if our price was $50,000, they will charge $70,000 from you. Do not pay any money for the test file. Before manipulating the files, be sure to make a backup of them, otherwise it is your responsibility.

URLs

https://tox.chat/

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\StepNew.tiff	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
File opened for modification	C:\Users\Admin\Pictures\TestUnprotect.tiff	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
File opened for modification	C:\Users\Admin\Pictures\MergeRestart.tiff	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	lsm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe

Executes dropped EXE 1 IoCs

pid	Process
6744	lsm.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\hrdb.ico"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HARDBIT.jpg"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1356	sc.exe
9196	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.hardbit2\	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.hardbit2\DefaultIcon	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.hardbit2\DefaultIcon\ = "C:\\Users\\Admin\\Documents\\hrdb.ico"	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.hardbit2	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe

Runs net.exe

Runs regedit.exe 1 IoCs

pid	Process
8788	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4300	powershell.exe
4300	powershell.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
8788	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4376	WMIC.exe
Token: SeSecurityPrivilege	4376	WMIC.exe
Token: SeTakeOwnershipPrivilege	4376	WMIC.exe
Token: SeLoadDriverPrivilege	4376	WMIC.exe
Token: SeSystemProfilePrivilege	4376	WMIC.exe
Token: SeSystemtimePrivilege	4376	WMIC.exe
Token: SeProfSingleProcessPrivilege	4376	WMIC.exe
Token: SeIncBasePriorityPrivilege	4376	WMIC.exe
Token: SeCreatePagefilePrivilege	4376	WMIC.exe
Token: SeBackupPrivilege	4376	WMIC.exe
Token: SeRestorePrivilege	4376	WMIC.exe
Token: SeShutdownPrivilege	4376	WMIC.exe
Token: SeDebugPrivilege	4376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4376	WMIC.exe
Token: SeRemoteShutdownPrivilege	4376	WMIC.exe
Token: SeUndockPrivilege	4376	WMIC.exe
Token: SeManageVolumePrivilege	4376	WMIC.exe
Token: 33	4376	WMIC.exe
Token: 34	4376	WMIC.exe
Token: 35	4376	WMIC.exe
Token: 36	4376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4376	WMIC.exe
Token: SeSecurityPrivilege	4376	WMIC.exe
Token: SeTakeOwnershipPrivilege	4376	WMIC.exe
Token: SeLoadDriverPrivilege	4376	WMIC.exe
Token: SeSystemProfilePrivilege	4376	WMIC.exe
Token: SeSystemtimePrivilege	4376	WMIC.exe
Token: SeProfSingleProcessPrivilege	4376	WMIC.exe
Token: SeIncBasePriorityPrivilege	4376	WMIC.exe
Token: SeCreatePagefilePrivilege	4376	WMIC.exe
Token: SeBackupPrivilege	4376	WMIC.exe
Token: SeRestorePrivilege	4376	WMIC.exe
Token: SeShutdownPrivilege	4376	WMIC.exe
Token: SeDebugPrivilege	4376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4376	WMIC.exe
Token: SeRemoteShutdownPrivilege	4376	WMIC.exe
Token: SeUndockPrivilege	4376	WMIC.exe
Token: SeManageVolumePrivilege	4376	WMIC.exe
Token: 33	4376	WMIC.exe
Token: 34	4376	WMIC.exe
Token: 35	4376	WMIC.exe
Token: 36	4376	WMIC.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
Token: SeIncreaseQuotaPrivilege	6668	WMIC.exe
Token: SeSecurityPrivilege	6668	WMIC.exe
Token: SeTakeOwnershipPrivilege	6668	WMIC.exe
Token: SeLoadDriverPrivilege	6668	WMIC.exe
Token: SeSystemProfilePrivilege	6668	WMIC.exe
Token: SeSystemtimePrivilege	6668	WMIC.exe
Token: SeProfSingleProcessPrivilege	6668	WMIC.exe
Token: SeIncBasePriorityPrivilege	6668	WMIC.exe
Token: SeCreatePagefilePrivilege	6668	WMIC.exe
Token: SeBackupPrivilege	6668	WMIC.exe
Token: SeRestorePrivilege	6668	WMIC.exe
Token: SeShutdownPrivilege	6668	WMIC.exe
Token: SeDebugPrivilege	6668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6668	WMIC.exe
Token: SeRemoteShutdownPrivilege	6668	WMIC.exe
Token: SeUndockPrivilege	6668	WMIC.exe
Token: SeManageVolumePrivilege	6668	WMIC.exe
Token: 33	6668	WMIC.exe
Token: 34	6668	WMIC.exe
Token: 35	6668	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 892	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	90
PID 2052 wrote to memory of 892	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	90
PID 2052 wrote to memory of 892	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	90
PID 892 wrote to memory of 1356	892	cmd.exe	92
PID 892 wrote to memory of 1356	892	cmd.exe	92
PID 892 wrote to memory of 1356	892	cmd.exe	92
PID 2052 wrote to memory of 1340	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	93
PID 2052 wrote to memory of 1340	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	93
PID 2052 wrote to memory of 1340	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	93
PID 2052 wrote to memory of 1692	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	95
PID 2052 wrote to memory of 1692	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	95
PID 2052 wrote to memory of 1692	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	95
PID 1692 wrote to memory of 4376	1692	cmd.exe	97
PID 1692 wrote to memory of 4376	1692	cmd.exe	97
PID 1692 wrote to memory of 4376	1692	cmd.exe	97
PID 2052 wrote to memory of 4668	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	99
PID 2052 wrote to memory of 4668	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	99
PID 2052 wrote to memory of 4668	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	99
PID 2052 wrote to memory of 4300	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	101
PID 2052 wrote to memory of 4300	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	101
PID 2052 wrote to memory of 4300	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	101
PID 2052 wrote to memory of 4156	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	103
PID 2052 wrote to memory of 4156	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	103
PID 2052 wrote to memory of 4156	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	103
PID 2052 wrote to memory of 3744	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	104
PID 2052 wrote to memory of 3744	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	104
PID 2052 wrote to memory of 3744	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	104
PID 2052 wrote to memory of 5096	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	107
PID 2052 wrote to memory of 5096	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	107
PID 2052 wrote to memory of 5096	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	107
PID 2052 wrote to memory of 1304	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	115
PID 2052 wrote to memory of 1304	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	115
PID 2052 wrote to memory of 1304	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	115
PID 2052 wrote to memory of 3984	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	109
PID 2052 wrote to memory of 3984	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	109
PID 2052 wrote to memory of 3984	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	109
PID 2052 wrote to memory of 1176	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	110
PID 2052 wrote to memory of 1176	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	110
PID 2052 wrote to memory of 1176	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	110
PID 2052 wrote to memory of 2596	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	114
PID 2052 wrote to memory of 2596	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	114
PID 2052 wrote to memory of 2596	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	114
PID 2052 wrote to memory of 3664	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	119
PID 2052 wrote to memory of 3664	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	119
PID 2052 wrote to memory of 3664	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	119
PID 2052 wrote to memory of 3868	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	117
PID 2052 wrote to memory of 3868	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	117
PID 2052 wrote to memory of 3868	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	117
PID 3744 wrote to memory of 3292	3744	net.exe	116
PID 3744 wrote to memory of 3292	3744	net.exe	116
PID 3744 wrote to memory of 3292	3744	net.exe	116
PID 2052 wrote to memory of 4628	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	133
PID 2052 wrote to memory of 4628	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	133
PID 2052 wrote to memory of 4628	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	133
PID 2052 wrote to memory of 1600	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	121
PID 2052 wrote to memory of 1600	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	121
PID 2052 wrote to memory of 1600	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	121
PID 4156 wrote to memory of 1392	4156	net.exe	416
PID 4156 wrote to memory of 1392	4156	net.exe	416
PID 4156 wrote to memory of 1392	4156	net.exe	416
PID 2052 wrote to memory of 2588	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	130
PID 2052 wrote to memory of 2588	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	130
PID 2052 wrote to memory of 2588	2052	a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe	130
PID 1304 wrote to memory of 224	1304	net.exe	459

C:\Users\Admin\AppData\Local\Temp\a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe
"C:\Users\Admin\AppData\Local\Temp\a0138b24593483f50ae7656985b6d6cfe77f7676ba374026199ad49ad26f2992.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Windows security modification
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C sc delete VSS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\sc.exe
    sc delete VSS
    3⤵
    - Launches sc.exe
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:1340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  2⤵
  PID:4668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:1392
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vmware /y
      4⤵
      PID:8016
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:3292
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:5096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:3764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop -n apache24
      4⤵
      PID:4800
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:3984
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:2132
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:1924
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:3252
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:224
- C:\Windows\SysWOW64\net.exe
  "net.exe" top SavRoam /y
  2⤵
  PID:3868
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 top SavRoam /y
    3⤵
    PID:4188
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:3664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:1708
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:1600
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:4352
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:1280
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:4484
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:4776
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:1384
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:3508
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:4320
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:4400
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sqladhlp /y
      4⤵
      PID:7784
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:312
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:4672
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:4136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:1276
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:4500
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:224
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:112
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:4504
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:1320
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:4084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:1468
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:2424
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:5436
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:6916
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mysql57
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mysql57
    3⤵
    PID:6500
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:7752
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop FCS /y
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop FCS /y
    3⤵
    PID:8056
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchange$ /y
  2⤵
  PID:6276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchange$ /y
    3⤵
    PID:8440
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSExchange /y
  2⤵
  PID:6264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSExchange /y
    3⤵
    PID:8424
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop WSBExchange /y
  2⤵
  PID:6256
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WSBExchange /y
    3⤵
    PID:8416
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:6248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:8408
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:6240
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:8400
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:6228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:8392
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ARSM /y
  2⤵
  PID:6220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ARSM /y
    3⤵
    PID:8376
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:6212
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:8384
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:6200
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:8368
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:6192
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:8336
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:6184
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:8360
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:6172
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:8352
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:6164
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:8344
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MVarmor64 /y
  2⤵
  PID:6152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MVarmor64 /y
    3⤵
    PID:8324
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MVArmor /y
  2⤵
  PID:5588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MVArmor /y
    3⤵
    PID:8316
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:8308
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:3128
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:8300
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:5484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:8284
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:8276
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:5764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:8292
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:5716
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:8456
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:5704
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:8448
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:8432
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop bedbg /y
  2⤵
  PID:5608
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop bedbg /y
    3⤵
    PID:8268
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop backup /y
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop backup /y
    3⤵
    PID:8252
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:5572
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:8260
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:5544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:8244
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mepocs /y
  2⤵
  PID:1092
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mepocs /y
    3⤵
    PID:8236
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop memtas /y
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop memtas /y
    3⤵
    PID:8228
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$ /y
  2⤵
  PID:5468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL$ /y
    3⤵
    PID:8220
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL /y
  2⤵
  PID:5800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MSSQL /y
    3⤵
    PID:8204
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C sc delete VSS
  2⤵
  PID:6584
- - C:\Windows\SysWOW64\sc.exe
    sc delete VSS
    3⤵
    - Launches sc.exe
    PID:9196
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
  2⤵
  PID:3252
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:4424
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop svc$ /y
  2⤵
  PID:5408
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sql /y
  2⤵
  PID:5392
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop vss /y
  2⤵
  PID:5376
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5368
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5360
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBVSS /y
  2⤵
  PID:5344
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:5328
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:5320
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SHAREPOINT /y
  2⤵
  PID:5312
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$SBSMONITORING /y
  2⤵
  PID:5296
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
  2⤵
  PID:5284
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SHAREPOINT /y
  2⤵
  PID:5276
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$SBSMONITORING /y
  2⤵
  PID:5268
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$MICROSOFT##SSEE /y
  2⤵
  PID:5256
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Exchange /y
  2⤵
  PID:5240
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop msftesql /y
  2⤵
  PID:5232
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$KAV_CS_ADMIN_KIT /y
  2⤵
  PID:5172
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQLServerADHelper100 /y
  2⤵
  PID:5164
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$KAV_CS_ADMIN_KIT /y
  2⤵
  PID:5148
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MySQL57 /y
  2⤵
  PID:5140
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$MICROSOFT /y
  2⤵
  PID:5132
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop FishbowlMySQL /y
  2⤵
  PID:5124
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLWriter /y
  2⤵
  PID:3504
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLBrowser /y
  2⤵
  PID:4588
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SQLAgent$VEEAMSQL2012 /y
  2⤵
  PID:2040
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$VEEAMSQL2012 /y
  2⤵
  PID:4620
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ##WID /y
  2⤵
  PID:4140
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop MSSQL$MICROSOFT /y
  2⤵
  PID:2608
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop dbeng8 /y
  2⤵
  PID:1404
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop dbsrv12 /y
  2⤵
  PID:3900
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop vmware-converter /y
  2⤵
  PID:3288
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop vmware /y
  2⤵
  PID:1392
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:5100
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop tomcat6 /y
  2⤵
  PID:3884
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop msmdsrv /y
  2⤵
  PID:4228
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:4264
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QuickBooks /y
  2⤵
  PID:4576
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Intuit /y
  2⤵
  PID:2764
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:4568
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QLADHLP /y
  2⤵
  PID:4656
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sqlbrowser /y
  2⤵
  PID:1004
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:4316
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Culserver /y
  2⤵
  PID:3472
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sqladhlp /y
  2⤵
  PID:4400
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sqlagent /y
  2⤵
  PID:4540
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Sqlservr /y
  2⤵
  PID:3904
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:524
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:396
- C:\Windows\SysWOW64\net.exe
  "net.exe" DefWatch
  2⤵
  PID:4816
- C:\Windows\SysWOW64\net.exe
  "net.exe" wrapper
  2⤵
  PID:4304
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop -n apache24
  2⤵
  PID:3764
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:2492
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:1780
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:2240
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:2000
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:2940
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:3436
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:3380
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:1856
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:2056
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:4176
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  2⤵
  PID:9140
- C:\Users\Admin\AppData\Local\Temp\lsm.exe
  "C:\Users\Admin\AppData\Local\Temp\lsm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
    3⤵
    PID:6828
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\readme-warning.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:8476
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\readme-warning.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:4768
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\readme-warning.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:6408
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\readme-warning.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:60
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\readme-warning.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:8444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:4560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
1⤵
PID:4796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:1324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:6784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:6612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 wrapper
1⤵
PID:7352

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100 /y
1⤵
PID:7776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 DefWatch
1⤵
PID:7768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
1⤵
PID:7760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Sqlservr /y
1⤵
PID:7744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
1⤵
PID:7332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:6536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:8188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:5112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sqlbrowser /y
1⤵
PID:8196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop svc$ /y
1⤵
PID:2232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sql /y
1⤵
PID:4276

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop dbsrv12 /y
1⤵
PID:5048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vss /y
1⤵
PID:3804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop FishbowlMySQL /y
1⤵
PID:4528

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooIT /y
1⤵
PID:5060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBVSS /y
1⤵
PID:4272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
1⤵
PID:1152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SHAREPOINT /y
1⤵
PID:4740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sqlagent /y
1⤵
PID:8176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SBSMONITORING /y
1⤵
PID:8168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLFDLauncher$SBSMONITORING /y
1⤵
PID:8160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SHAREPOINT /y
1⤵
PID:8152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SBSMONITORING /y
1⤵
PID:8144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msftesql /y
1⤵
PID:8136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$MICROSOFT##SSEE /y
1⤵
PID:8128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Exchange /y
1⤵
PID:8120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$KAV_CS_ADMIN_KIT /y
1⤵
PID:8112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Culserver /y
1⤵
PID:8104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QLADHLP /y
1⤵
PID:8096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:8088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Intuit /y
1⤵
PID:8080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:8072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooks /y
1⤵
PID:8064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop tomcat6 /y
1⤵
PID:8048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:8040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop msmdsrv /y
1⤵
PID:8032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:8024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vmware-converter /y
1⤵
PID:8008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop dbeng8 /y
1⤵
PID:8000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$MICROSOFT /y
1⤵
PID:7992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ##WID /y
1⤵
PID:7984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$VEEAMSQL2012 /y
1⤵
PID:7976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$VEEAMSQL2012 /y
1⤵
PID:7968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser /y
1⤵
PID:7960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter /y
1⤵
PID:7952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$MICROSOFT /y
1⤵
PID:7944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$KAV_CS_ADMIN_KIT /y
1⤵
PID:7936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MySQL57 /y
1⤵
PID:7928

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:6664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:2384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:6644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:456

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:8788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

File Deletion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsm.exe

Filesize
75KB

MD5
7065c6c8efb58c65cbf97d1139fb3998

SHA1
419e901005e12fbb7f6bbbf59e1802df4db56eb2

SHA256
73b4ab2ae70beb4637920f181ba3f175374209178c86465ca92d333f034ae960

SHA512
1f6883dae0d8f5d6877be5dc30f842bc8d7e1e69cbd45d723c0de3841b30ae042b4962c2b15b1b4c7f0eaf834374a6458d14f385a7934621a104157e91bea1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsm.exe

Filesize
75KB

MD5
7065c6c8efb58c65cbf97d1139fb3998

SHA1
419e901005e12fbb7f6bbbf59e1802df4db56eb2

SHA256
73b4ab2ae70beb4637920f181ba3f175374209178c86465ca92d333f034ae960

SHA512
1f6883dae0d8f5d6877be5dc30f842bc8d7e1e69cbd45d723c0de3841b30ae042b4962c2b15b1b4c7f0eaf834374a6458d14f385a7934621a104157e91bea1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\readme-warning.hta

Filesize
89KB

MD5
37d55dba7a6114449a2453a5e5357c04

SHA1
34ea79d82409c679e8a5c32f5c469844dd2488d7

SHA256
52003dbfea65f568115dfad09aa0402df57d488ca7f9eb23c7334a51c11deb9f

SHA512
d493512c768e9412047e2ece774a670f636d9b380b63b617f8516eac6ed0de219e0daebc196549fafcd756cab1d44b87dd8cd6ddae712f529295ce9794c0a75e

Download Submit
memory/2052-133-0x0000000009150000-0x00000000091EC000-memory.dmp

Filesize
624KB

Download
memory/2052-135-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/2052-132-0x0000000000290000-0x00000000002EA000-memory.dmp

Filesize
360KB

Download
memory/2052-134-0x0000000004E40000-0x0000000004EA6000-memory.dmp

Filesize
408KB

Download
memory/4300-152-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/4300-150-0x0000000006830000-0x000000000684E000-memory.dmp

Filesize
120KB

Download
memory/4300-157-0x00000000078A0000-0x00000000078A8000-memory.dmp

Filesize
32KB

Download
memory/4300-156-0x00000000078C0000-0x00000000078DA000-memory.dmp

Filesize
104KB

Download
memory/4300-143-0x0000000002950000-0x0000000002986000-memory.dmp

Filesize
216KB

Download
memory/4300-144-0x0000000005370000-0x0000000005998000-memory.dmp

Filesize
6.2MB

Download
memory/4300-155-0x00000000077B0000-0x00000000077BE000-memory.dmp

Filesize
56KB

Download
memory/4300-154-0x0000000007800000-0x0000000007896000-memory.dmp

Filesize
600KB

Download
memory/4300-153-0x00000000075F0000-0x00000000075FA000-memory.dmp

Filesize
40KB

Download
memory/4300-145-0x0000000005AD0000-0x0000000005AF2000-memory.dmp

Filesize
136KB

Download
memory/4300-146-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/4300-147-0x0000000006280000-0x000000000629E000-memory.dmp

Filesize
120KB

Download
memory/4300-151-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/4300-148-0x0000000006850000-0x0000000006882000-memory.dmp

Filesize
200KB

Download
memory/4300-149-0x0000000070CD0000-0x0000000070D1C000-memory.dmp

Filesize
304KB

Download