phobos | b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642

Analysis

max time kernel
121s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe
Size

451KB
MD5

4d18c07abced7f8fc570c83dd825bb0b
SHA1

4e1d179697ab7536ee475494b158b969963e0bf6
SHA256

b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
SHA512

daf48720ed402be15b532a32d10dd8823b564516d5f6d6628ca646c20347f7180bf911c7b8dfd75c03826badf719534bd45e1c26c5bd4857680ec77e63f4c5a4
SSDEEP

6144:ekN8IaM0bFfBmtjlfXKG/PhjPO6odPgQ4PJsL0cVeMmhi9MdNeerB+0Vsw:V8DM0blqjl/h/97MV0cGLNZxV

Score

10^/10

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>324C6089-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Or write us to the Tox: 78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074 Write this ID in the title of your message 324C6089-3483 You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2708-138-0x0000000004B00000-0x0000000004F00000-memory.dmp	family_rhadamanthys
behavioral1/memory/2708-140-0x0000000004B00000-0x0000000004F00000-memory.dmp	family_rhadamanthys
behavioral1/memory/2708-139-0x0000000004B00000-0x0000000004F00000-memory.dmp	family_rhadamanthys
behavioral1/memory/2708-141-0x0000000004B00000-0x0000000004F00000-memory.dmp	family_rhadamanthys
behavioral1/memory/2708-153-0x0000000004B00000-0x0000000004F00000-memory.dmp	family_rhadamanthys
behavioral1/memory/2708-156-0x0000000004B00000-0x0000000004F00000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe

description pid process target process

PID 2708 created 3140 2708 b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

4308 bcdedit.exe
3424 bcdedit.exe
4072 bcdedit.exe
2424 bcdedit.exe
Renames multiple (460) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

728 wbadmin.exe
3944 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

4964 netsh.exe
836 netsh.exe
Drops startup file 1 IoCs

Processes:

Sdy%]L57db.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\Sdy%]L57db.exe Sdy%]L57db.exe
Executes dropped EXE 6 IoCs

Processes:

LBak(x3).exeSdy%]L57db.exeuT`[email protected]LBak(x3).exeSdy%]L57db.exeD1.exe

pid process

1104 LBak(x3).exe
1524 Sdy%]L57db.exe
2260 uT`[email protected]
1244 LBak(x3).exe
2652 Sdy%]L57db.exe
3448 D1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 2708 created 3140	2708	b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe	Explorer.EXE

pid	process
4308	bcdedit.exe
3424	bcdedit.exe
4072	bcdedit.exe
2424	bcdedit.exe

pid	process
728	wbadmin.exe
3944	wbadmin.exe

pid	process
4964	netsh.exe
836	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\Sdy%]L57db.exe	Sdy%]L57db.exe

pid	process
1104	LBak(x3).exe
1524	Sdy%]L57db.exe
2260	uT`[email protected]
1244	LBak(x3).exe
2652	Sdy%]L57db.exe
3448	D1.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Sdy%]L57db.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdy%]L57db = "C:\\Users\\Admin\\AppData\\Local\\Sdy%]L57db.exe"	Sdy%]L57db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdy%]L57db = "C:\\Users\\Admin\\AppData\\Local\\Sdy%]L57db.exe"	Sdy%]L57db.exe

Drops desktop.ini file(s) 24 IoCs

Processes:

Sdy%]L57db.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Sdy%]L57db.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\Program Files\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini	Sdy%]L57db.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Sdy%]L57db.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Sdy%]L57db.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

LBak(x3).exe

description pid process target process

PID 1104 set thread context of 1244 1104 LBak(x3).exe LBak(x3).exe

description	pid	process	target process
PID 1104 set thread context of 1244	1104	LBak(x3).exe	LBak(x3).exe

Drops file in Program Files directory 64 IoCs

Processes:

Sdy%]L57db.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	Sdy%]L57db.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyoptionaltools.jar	Sdy%]L57db.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2iexp.dll	Sdy%]L57db.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-72_altform-unplated.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-200.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSplash.scale-100.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalMedTile.scale-125_contrast-white.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js	Sdy%]L57db.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Coverage.ps1	Sdy%]L57db.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp	Sdy%]L57db.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugin.js	Sdy%]L57db.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms	Sdy%]L57db.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxK.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\Microsoft.PowerShell.PackageManagement.resources.dll	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-200.png	Sdy%]L57db.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak	Sdy%]L57db.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	Sdy%]L57db.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_replace_signer_18.svg	Sdy%]L57db.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nothumbnail_34.svg.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\kok.pak	Sdy%]L57db.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg	Sdy%]L57db.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg3_thumb.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	Sdy%]L57db.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-40_altform-unplated_contrast-black.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\sms_failure_illustration.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-16.png	Sdy%]L57db.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\spectrum_spinner_process.svg.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-400_contrast-black.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-250.png	Sdy%]L57db.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms	Sdy%]L57db.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\OneNoteAudio_RecordingPlayback.gif	Sdy%]L57db.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogo.png.DATA.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar	Sdy%]L57db.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms	Sdy%]L57db.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationSensorCalibrationFigure.png	Sdy%]L57db.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg.id[324C6089-3483].[[email protected]].8base	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-100.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-100_contrast-black.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-48.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	Sdy%]L57db.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png	Sdy%]L57db.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3200	2708	WerFault.exe	b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe
3952	2652	WerFault.exe	Sdy%]L57db.exe
1104	3448	WerFault.exe	D1.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

LBak(x3).exevds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	LBak(x3).exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	LBak(x3).exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	LBak(x3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

316 vssadmin.exe
4400 vssadmin.exe

pid	process
316	vssadmin.exe
4400	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.execertreq.exeLBak(x3).exeExplorer.EXESdy%]L57db.exe

pid	process
2708	b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe
2708	b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe
2708	b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe
2708	b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe
3056	certreq.exe
3056	certreq.exe
3056	certreq.exe
3056	certreq.exe
1244	LBak(x3).exe
1244	LBak(x3).exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
1524	Sdy%]L57db.exe
1524	Sdy%]L57db.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
1524	Sdy%]L57db.exe
1524	Sdy%]L57db.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
1524	Sdy%]L57db.exe
1524	Sdy%]L57db.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
1524	Sdy%]L57db.exe
1524	Sdy%]L57db.exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3140 Explorer.EXE

pid	process
3140	Explorer.EXE

Suspicious behavior: MapViewOfSection 31 IoCs

Processes:

LBak(x3).exeExplorer.EXE

pid	process
1244	LBak(x3).exe
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE
3140	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

Sdy%]L57db.exevssvc.exeExplorer.EXEWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	1524	Sdy%]L57db.exe
Token: SeBackupPrivilege	4832	vssvc.exe
Token: SeRestorePrivilege	4832	vssvc.exe
Token: SeAuditPrivilege	4832	vssvc.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3080	WMIC.exe
Token: SeSecurityPrivilege	3080	WMIC.exe
Token: SeTakeOwnershipPrivilege	3080	WMIC.exe
Token: SeLoadDriverPrivilege	3080	WMIC.exe
Token: SeSystemProfilePrivilege	3080	WMIC.exe
Token: SeSystemtimePrivilege	3080	WMIC.exe
Token: SeProfSingleProcessPrivilege	3080	WMIC.exe
Token: SeIncBasePriorityPrivilege	3080	WMIC.exe
Token: SeCreatePagefilePrivilege	3080	WMIC.exe
Token: SeBackupPrivilege	3080	WMIC.exe
Token: SeRestorePrivilege	3080	WMIC.exe
Token: SeShutdownPrivilege	3080	WMIC.exe
Token: SeDebugPrivilege	3080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3080	WMIC.exe
Token: SeRemoteShutdownPrivilege	3080	WMIC.exe
Token: SeUndockPrivilege	3080	WMIC.exe
Token: SeManageVolumePrivilege	3080	WMIC.exe
Token: 33	3080	WMIC.exe
Token: 34	3080	WMIC.exe
Token: 35	3080	WMIC.exe
Token: 36	3080	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3080	WMIC.exe
Token: SeSecurityPrivilege	3080	WMIC.exe
Token: SeTakeOwnershipPrivilege	3080	WMIC.exe
Token: SeLoadDriverPrivilege	3080	WMIC.exe
Token: SeSystemProfilePrivilege	3080	WMIC.exe
Token: SeSystemtimePrivilege	3080	WMIC.exe
Token: SeProfSingleProcessPrivilege	3080	WMIC.exe
Token: SeIncBasePriorityPrivilege	3080	WMIC.exe
Token: SeCreatePagefilePrivilege	3080	WMIC.exe
Token: SeBackupPrivilege	3080	WMIC.exe
Token: SeRestorePrivilege	3080	WMIC.exe
Token: SeShutdownPrivilege	3080	WMIC.exe
Token: SeDebugPrivilege	3080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3080	WMIC.exe
Token: SeRemoteShutdownPrivilege	3080	WMIC.exe
Token: SeUndockPrivilege	3080	WMIC.exe
Token: SeManageVolumePrivilege	3080	WMIC.exe
Token: 33	3080	WMIC.exe
Token: 34	3080	WMIC.exe
Token: 35	3080	WMIC.exe
Token: 36	3080	WMIC.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeBackupPrivilege	2056	wbengine.exe
Token: SeRestorePrivilege	2056	wbengine.exe
Token: SeSecurityPrivilege	2056	wbengine.exe
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE
Token: SeShutdownPrivilege	3140	Explorer.EXE
Token: SeCreatePagefilePrivilege	3140	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exeLBak(x3).exeSdy%]L57db.execmd.execmd.exeExplorer.EXE

description	pid	process	target process
PID 2708 wrote to memory of 3056	2708	b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe	certreq.exe
PID 2708 wrote to memory of 3056	2708	b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe	certreq.exe
PID 2708 wrote to memory of 3056	2708	b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe	certreq.exe
PID 2708 wrote to memory of 3056	2708	b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe	certreq.exe
PID 1104 wrote to memory of 1244	1104	LBak(x3).exe	LBak(x3).exe
PID 1104 wrote to memory of 1244	1104	LBak(x3).exe	LBak(x3).exe
PID 1104 wrote to memory of 1244	1104	LBak(x3).exe	LBak(x3).exe
PID 1104 wrote to memory of 1244	1104	LBak(x3).exe	LBak(x3).exe
PID 1104 wrote to memory of 1244	1104	LBak(x3).exe	LBak(x3).exe
PID 1104 wrote to memory of 1244	1104	LBak(x3).exe	LBak(x3).exe
PID 1524 wrote to memory of 4344	1524	Sdy%]L57db.exe	cmd.exe
PID 1524 wrote to memory of 4344	1524	Sdy%]L57db.exe	cmd.exe
PID 1524 wrote to memory of 4112	1524	Sdy%]L57db.exe	cmd.exe
PID 1524 wrote to memory of 4112	1524	Sdy%]L57db.exe	cmd.exe
PID 4112 wrote to memory of 4964	4112	cmd.exe	netsh.exe
PID 4112 wrote to memory of 4964	4112	cmd.exe	netsh.exe
PID 4344 wrote to memory of 316	4344	cmd.exe	vssadmin.exe
PID 4344 wrote to memory of 316	4344	cmd.exe	vssadmin.exe
PID 4112 wrote to memory of 836	4112	cmd.exe	netsh.exe
PID 4112 wrote to memory of 836	4112	cmd.exe	netsh.exe
PID 4344 wrote to memory of 3080	4344	cmd.exe	WMIC.exe
PID 4344 wrote to memory of 3080	4344	cmd.exe	WMIC.exe
PID 4344 wrote to memory of 4308	4344	cmd.exe	bcdedit.exe
PID 4344 wrote to memory of 4308	4344	cmd.exe	bcdedit.exe
PID 4344 wrote to memory of 3424	4344	cmd.exe	bcdedit.exe
PID 4344 wrote to memory of 3424	4344	cmd.exe	bcdedit.exe
PID 4344 wrote to memory of 728	4344	cmd.exe	wbadmin.exe
PID 4344 wrote to memory of 728	4344	cmd.exe	wbadmin.exe
PID 3140 wrote to memory of 3448	3140	Explorer.EXE	D1.exe
PID 3140 wrote to memory of 3448	3140	Explorer.EXE	D1.exe
PID 3140 wrote to memory of 3448	3140	Explorer.EXE	D1.exe
PID 3140 wrote to memory of 2788	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 2788	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 2788	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 2788	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 5112	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 5112	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 5112	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 1740	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 1740	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 1740	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 1740	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4988	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4988	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4988	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4988	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4164	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4164	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4164	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4164	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 5000	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 5000	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 5000	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4404	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4404	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4404	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 4404	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 3516	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 3516	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 3516	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 1652	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 1652	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 1652	3140	Explorer.EXE	explorer.exe
PID 3140 wrote to memory of 1652	3140	Explorer.EXE	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe
"C:\Users\Admin\AppData\Local\Temp\b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 964
3⤵
- Program crash
PID:3200

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Users\Admin\AppData\Local\Temp\D1.exe
C:\Users\Admin\AppData\Local\Temp\D1.exe
2⤵
- Executes dropped EXE
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 492
3⤵
- Program crash
PID:1104

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2788

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:5112

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1740

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4164

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:5000

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4404

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3516

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1652

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3076

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1416

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2920

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1432

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:5112

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2708 -ip 2708
1⤵
PID:3736

C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe
"C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe
"C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1244

C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe
"C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe
"C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe"
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 468
3⤵
- Program crash
PID:3952

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:4964

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:836

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:316

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4308

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3424

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:728

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:300

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:4988

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:4392

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:4336

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:3428

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4400

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
PID:276

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4072

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:2424

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3944

C:\Users\Admin\AppData\Local\Microsoft\uT`[email protected]
"C:\Users\Admin\AppData\Local\Microsoft\uT`[email protected]"
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2652 -ip 2652
1⤵
PID:1944

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3800

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3448 -ip 3448
1⤵
PID:3244

C:\Users\Admin\AppData\Roaming\vtdcetg
C:\Users\Admin\AppData\Roaming\vtdcetg
1⤵
PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[324C6089-3483].[[email protected]].8base
Filesize
3.2MB

MD5
7176bbf11837b6acf2f8830894012a16

SHA1
c2eac7dda754ca518d4405d7a2410b905ba7f661

SHA256
20496ba30a617b7e68da143d26123ca46d02ec6e15b325389d63e89433547a5f

SHA512
cd8914e54e2996780fa4e514b78aa59926805ba443d16e9a6073e0f894b01eaa3a88929db03c1a6bfcd3c8448b92180db8db62717e0bb2e33b9d1438364a0e87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe
Filesize
233KB

MD5
f56ab31379d92b546875eff976ec9148

SHA1
79ba7f22410a64adf18e36005cfa98179f128053

SHA256
d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0

SHA512
650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe
Filesize
233KB

MD5
f56ab31379d92b546875eff976ec9148

SHA1
79ba7f22410a64adf18e36005cfa98179f128053

SHA256
d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0

SHA512
650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe
Filesize
233KB

MD5
f56ab31379d92b546875eff976ec9148

SHA1
79ba7f22410a64adf18e36005cfa98179f128053

SHA256
d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0

SHA512
650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe
Filesize
232KB

MD5
e2c05722293b07319cfd5bb1fef74f44

SHA1
d3f4f66861f8bf6aae657e475bcb8222c77a2770

SHA256
f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4

SHA512
92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe
Filesize
232KB

MD5
e2c05722293b07319cfd5bb1fef74f44

SHA1
d3f4f66861f8bf6aae657e475bcb8222c77a2770

SHA256
f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4

SHA512
92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe
Filesize
232KB

MD5
e2c05722293b07319cfd5bb1fef74f44

SHA1
d3f4f66861f8bf6aae657e475bcb8222c77a2770

SHA256
f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4

SHA512
92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000027.db.id[324C6089-3483].[[email protected]].8base
Filesize
92KB

MD5
0fbc1a578ebf73f69e8e0f1b2c742207

SHA1
053eab511c8d7fa53d06a168fe05c606c49edae2

SHA256
fd108957a6a64a37a4241846ea910c54e65d6a4610dc4b9190012d1f009f0212

SHA512
2e103382b81a2b92b97bc8340940ae0c8e3861e84d3608553f3a5d8e044f9f759da9512b3eb5379502266e0b7879145a932a288bb4d985aebbf7f8bb578f9ca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uT`[email protected]
Filesize
231KB

MD5
e411054bf19f624a88719981c5eb22d6

SHA1
943df640e6c34757e60dbcb98129f3550bec7f38

SHA256
046b6de02d3af494896a540bd5189faf6f2f9f75d00c59657071ff0aa5ed94a0

SHA512
39d647fa6158ae5453a6a448881e5f86ab9d1ea54047997eb358e40a1dd2d44a7b5665e7ff206013512e071cc4ce616accdad661bd2d1aafad8f8d224577700a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\uT`[email protected]
Filesize
231KB

MD5
e411054bf19f624a88719981c5eb22d6

SHA1
943df640e6c34757e60dbcb98129f3550bec7f38

SHA256
046b6de02d3af494896a540bd5189faf6f2f9f75d00c59657071ff0aa5ed94a0

SHA512
39d647fa6158ae5453a6a448881e5f86ab9d1ea54047997eb358e40a1dd2d44a7b5665e7ff206013512e071cc4ce616accdad661bd2d1aafad8f8d224577700a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C94\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
Filesize
5.5MB

MD5
43ad1dd044c719f378d171baecf3a91c

SHA1
a55fcb4e09d4b0f73669187f47a5229e831659a9

SHA256
b88f4c053e4323b49f839298fc44244d91927045de807634308a850bb409b4ab

SHA512
1944977ae24c3ef47aef9cc2e51735e7d9e7cbe47c277f85bc3a822cf8b55d40de520710c4d81678a0361a1c1effaf30c5ef795e1d2f32abc898087fc0e2d7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C94\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
Filesize
18KB

MD5
cfe72ed40a076ae4f4157940ce0c5d44

SHA1
8010f7c746a7ba4864785f798f46ec05caae7ece

SHA256
6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32

SHA512
f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C94\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
94f90fcd2b8f7f1df69224f845d9e9b7

SHA1
a09e3072cc581cf89adaf1aa20aa89b3af7bf987

SHA256
a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0

SHA512
51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C94\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
108f130067a9df1719c590316a5245f7

SHA1
79bb9a86e7a50c85214cd7e21719f0cb4155f58a

SHA256
c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874

SHA512
d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C94\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
94f90fcd2b8f7f1df69224f845d9e9b7

SHA1
a09e3072cc581cf89adaf1aa20aa89b3af7bf987

SHA256
a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0

SHA512
51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C94\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
108f130067a9df1719c590316a5245f7

SHA1
79bb9a86e7a50c85214cd7e21719f0cb4155f58a

SHA256
c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874

SHA512
d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\SysWOW64\WalletProxy.dll
Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll
Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\System32\WalletBackgroundServiceProxy.dll
Filesize
10KB

MD5
1097d1e58872f3cf58f78730a697ce4b

SHA1
96db4e4763a957b28dd80ec1e43eb27367869b86

SHA256
83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef

SHA512
b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\System32\WalletProxy.dll
Filesize
36KB

MD5
d09724c29a8f321f2f9c552de6ef6afa

SHA1
d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3

SHA256
23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c

SHA512
cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\System32\Windows.ApplicationModel.Wallet.dll
Filesize
402KB

MD5
02557c141c9e153c2b7987b79a3a2dd7

SHA1
a054761382ee68608b6a3b62b68138dc205f576b

SHA256
207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4

SHA512
a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1.exe
Filesize
232KB

MD5
b2243260d077693972cc92b7302cb372

SHA1
1699650e3e6b1ab94de7d7d6630aa73ace143422

SHA256
281481eb8f1579206e55232754f47587a61bbe1460fc1f3b06157f31d214a290

SHA512
39f60638f5306205132e32f1e179598036cdb688c976cc7e169f304c180fceaeeb9b612862c57957241b4f3d6588bd4faf6c2ab36b9d76ac3d57a93f6649eed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1.exe
Filesize
232KB

MD5
b2243260d077693972cc92b7302cb372

SHA1
1699650e3e6b1ab94de7d7d6630aa73ace143422

SHA256
281481eb8f1579206e55232754f47587a61bbe1460fc1f3b06157f31d214a290

SHA512
39f60638f5306205132e32f1e179598036cdb688c976cc7e169f304c180fceaeeb9b612862c57957241b4f3d6588bd4faf6c2ab36b9d76ac3d57a93f6649eed3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.id[324C6089-3483].[[email protected]].8base
Filesize
52KB

MD5
fefaab7fa27d143a61af7e58f5a1887f

SHA1
fea646ffe33034100aa106421e09df9f3af228bb

SHA256
e9d5debca8b4d0634d586ae69fe93024600cf15d5f397918313d0d8484f2ab7b

SHA512
c0e6d9d60682e2a4436c4cb3a1f5d6c6e2fd2e3126fbfc29d8020da62f069ac3f82501b9c4b059c70c78e14afd6594200c438d56e46e455a6a54d97af4786924

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\cookies.sqlite.id[324C6089-3483].[[email protected]].8base
Filesize
96KB

MD5
18571f0c2e6aa37a196cd84285087def

SHA1
4723efc495fd5ed0192530144f30bb72b1dfa9d5

SHA256
dac43dfcea84311a498a36c28108f8111470ba237bf8369f24e98ace331d7f71

SHA512
80872c621eedd4b187f94eb6cf5472f45742e4081e9b785f7305d8c84e3a857abb11e5af3dd0c4987645cacb44be929b6a53d5d7a2dc5b6b41698b0166d6dfb0

Download Submit
C:\Users\Admin\AppData\Roaming\agieddb
Filesize
438KB

MD5
0d076a7af7087f966f922c4049681e43

SHA1
583bb93f7954c5c54b1da9318902c4ddc1c50182

SHA256
13e7e6b74ef3146b9cca697ad8c101a0d18849edabc78e10dadf6f74a1218ccd

SHA512
7ec362d3d6c8384e2c195eaedcf754a609e7a34fa74b2df4f3cc0425207e3e1ce9ee9d96221343beb06c11bc07f2aee1eadcf5074c651b3d565cfcf5597e5497

Download Submit
C:\Users\Admin\AppData\Roaming\vtdcetg
Filesize
233KB

MD5
f56ab31379d92b546875eff976ec9148

SHA1
79ba7f22410a64adf18e36005cfa98179f128053

SHA256
d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0

SHA512
650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258

Download Submit
C:\Users\Admin\AppData\Roaming\vtdcetg
Filesize
233KB

MD5
f56ab31379d92b546875eff976ec9148

SHA1
79ba7f22410a64adf18e36005cfa98179f128053

SHA256
d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0

SHA512
650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258

Download Submit
C:\Users\Admin\Desktop\info.hta
Filesize
5KB

MD5
bf040e72e2259324c298ce34a0364807

SHA1
404be060ee0767791669ac511b6afbf0f72ef340

SHA256
046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417

SHA512
0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f

Download Submit
C:\info.hta
Filesize
5KB

MD5
bf040e72e2259324c298ce34a0364807

SHA1
404be060ee0767791669ac511b6afbf0f72ef340

SHA256
046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417

SHA512
0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f

Download Submit
C:\info.hta
Filesize
5KB

MD5
bf040e72e2259324c298ce34a0364807

SHA1
404be060ee0767791669ac511b6afbf0f72ef340

SHA256
046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417

SHA512
0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f

Download Submit
C:\users\public\desktop\info.hta
Filesize
5KB

MD5
bf040e72e2259324c298ce34a0364807

SHA1
404be060ee0767791669ac511b6afbf0f72ef340

SHA256
046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417

SHA512
0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f

Download Submit
F:\info.hta
Filesize
5KB

MD5
bf040e72e2259324c298ce34a0364807

SHA1
404be060ee0767791669ac511b6afbf0f72ef340

SHA256
046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417

SHA512
0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f

Download Submit
memory/316-6122-0x0000000000C20000-0x0000000000C2B000-memory.dmp

Filesize
44KB

Download
memory/316-6121-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download
memory/1104-186-0x0000000002EB0000-0x0000000002FB0000-memory.dmp

Filesize
1024KB

Download
memory/1104-188-0x0000000002CA0000-0x0000000002CA9000-memory.dmp

Filesize
36KB

Download
memory/1244-201-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1244-194-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1244-191-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1416-5641-0x0000000000570000-0x0000000000591000-memory.dmp

Filesize
132KB

Download
memory/1416-5506-0x0000000000540000-0x0000000000567000-memory.dmp

Filesize
156KB

Download
memory/1416-5517-0x0000000000540000-0x0000000000567000-memory.dmp

Filesize
156KB

Download
memory/1432-5855-0x0000000001140000-0x0000000001146000-memory.dmp

Filesize
24KB

Download
memory/1432-5778-0x0000000001130000-0x000000000113B000-memory.dmp

Filesize
44KB

Download
memory/1432-5876-0x0000000001130000-0x000000000113B000-memory.dmp

Filesize
44KB

Download
memory/1524-577-0x0000000002C60000-0x0000000002C6F000-memory.dmp

Filesize
60KB

Download
memory/1524-4240-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/1524-5521-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/1524-189-0x0000000002C60000-0x0000000002C6F000-memory.dmp

Filesize
60KB

Download
memory/1524-193-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/1524-190-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

Filesize
1024KB

Download
memory/1524-1217-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/1524-609-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

Filesize
1024KB

Download
memory/1524-2611-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/1524-1431-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/1652-5430-0x00000000011F0000-0x00000000011F9000-memory.dmp

Filesize
36KB

Download
memory/1652-5158-0x00000000011F0000-0x00000000011F9000-memory.dmp

Filesize
36KB

Download
memory/1740-5439-0x0000000000740000-0x0000000000744000-memory.dmp

Filesize
16KB

Download
memory/1740-4386-0x0000000000740000-0x0000000000744000-memory.dmp

Filesize
16KB

Download
memory/1740-4337-0x0000000000730000-0x0000000000739000-memory.dmp

Filesize
36KB

Download
memory/1740-4355-0x0000000000730000-0x0000000000739000-memory.dmp

Filesize
36KB

Download
memory/2260-700-0x0000000000400000-0x0000000002B45000-memory.dmp

Filesize
39.3MB

Download
memory/2652-802-0x0000000000400000-0x0000000002B46000-memory.dmp

Filesize
39.3MB

Download
memory/2652-735-0x0000000002CA0000-0x0000000002DA0000-memory.dmp

Filesize
1024KB

Download
memory/2708-138-0x0000000004B00000-0x0000000004F00000-memory.dmp

Filesize
4.0MB

Download
memory/2708-135-0x00000000047E0000-0x0000000004851000-memory.dmp

Filesize
452KB

Download
memory/2708-155-0x0000000000400000-0x0000000002B7C000-memory.dmp

Filesize
39.5MB

Download
memory/2708-136-0x0000000000400000-0x0000000002B7C000-memory.dmp

Filesize
39.5MB

Download
memory/2708-141-0x0000000004B00000-0x0000000004F00000-memory.dmp

Filesize
4.0MB

Download
memory/2708-137-0x0000000002D00000-0x0000000002D07000-memory.dmp

Filesize
28KB

Download
memory/2708-145-0x00000000047E0000-0x0000000004851000-memory.dmp

Filesize
452KB

Download
memory/2708-143-0x0000000002D40000-0x0000000002E40000-memory.dmp

Filesize
1024KB

Download
memory/2708-152-0x0000000004A30000-0x0000000004A66000-memory.dmp

Filesize
216KB

Download
memory/2708-156-0x0000000004B00000-0x0000000004F00000-memory.dmp

Filesize
4.0MB

Download
memory/2708-146-0x0000000004A30000-0x0000000004A66000-memory.dmp

Filesize
216KB

Download
memory/2708-142-0x0000000000400000-0x0000000002B7C000-memory.dmp

Filesize
39.5MB

Download
memory/2708-153-0x0000000004B00000-0x0000000004F00000-memory.dmp

Filesize
4.0MB

Download
memory/2708-139-0x0000000004B00000-0x0000000004F00000-memory.dmp

Filesize
4.0MB

Download
memory/2708-140-0x0000000004B00000-0x0000000004F00000-memory.dmp

Filesize
4.0MB

Download
memory/2708-134-0x0000000002D40000-0x0000000002E40000-memory.dmp

Filesize
1024KB

Download
memory/2788-4332-0x00000000004B0000-0x0000000000525000-memory.dmp

Filesize
468KB

Download
memory/2788-4309-0x0000000000440000-0x00000000004AB000-memory.dmp

Filesize
428KB

Download
memory/2788-4344-0x0000000000440000-0x00000000004AB000-memory.dmp

Filesize
428KB

Download
memory/2788-4480-0x0000000000440000-0x00000000004AB000-memory.dmp

Filesize
428KB

Download
memory/2920-5663-0x0000000001180000-0x0000000001189000-memory.dmp

Filesize
36KB

Download
memory/2920-5675-0x0000000001180000-0x0000000001189000-memory.dmp

Filesize
36KB

Download
memory/2920-5664-0x0000000001190000-0x0000000001195000-memory.dmp

Filesize
20KB

Download
memory/3056-165-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-161-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-167-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-157-0x000001CA7FDB0000-0x000001CA7FDB3000-memory.dmp

Filesize
12KB

Download
memory/3056-144-0x000001CA7FDB0000-0x000001CA7FDB3000-memory.dmp

Filesize
12KB

Download
memory/3056-172-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-158-0x000001CA01E80000-0x000001CA01E87000-memory.dmp

Filesize
28KB

Download
memory/3056-170-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

Filesize
2.0MB

Download
memory/3056-169-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-182-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

Filesize
2.0MB

Download
memory/3056-160-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-168-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-159-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-173-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-197-0x000001CA01E80000-0x000001CA01E85000-memory.dmp

Filesize
20KB

Download
memory/3056-198-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

Filesize
2.0MB

Download
memory/3056-162-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-171-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-175-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-163-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3056-174-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp

Filesize
1.2MB

Download
memory/3076-6124-0x0000000000720000-0x0000000000725000-memory.dmp

Filesize
20KB

Download
memory/3076-5432-0x0000000000710000-0x0000000000719000-memory.dmp

Filesize
36KB

Download
memory/3076-5431-0x0000000000720000-0x0000000000725000-memory.dmp

Filesize
20KB

Download
memory/3076-5356-0x0000000000710000-0x0000000000719000-memory.dmp

Filesize
36KB

Download
memory/3140-199-0x00000000007B0000-0x00000000007C6000-memory.dmp

Filesize
88KB

Download
memory/3448-5237-0x0000000000400000-0x0000000002B45000-memory.dmp

Filesize
39.3MB

Download
memory/3448-5133-0x0000000002E20000-0x0000000002F20000-memory.dmp

Filesize
1024KB

Download
memory/3516-6123-0x0000000000B60000-0x0000000000B66000-memory.dmp

Filesize
24KB

Download
memory/3516-5094-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/3516-5131-0x0000000000B60000-0x0000000000B66000-memory.dmp

Filesize
24KB

Download
memory/3516-5132-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/4164-4563-0x00000000005E0000-0x00000000005EB000-memory.dmp

Filesize
44KB

Download
memory/4164-5888-0x00000000005E0000-0x00000000005EB000-memory.dmp

Filesize
44KB

Download
memory/4164-5829-0x00000000005F0000-0x00000000005F7000-memory.dmp

Filesize
28KB

Download
memory/4164-4553-0x00000000005F0000-0x00000000005F7000-memory.dmp

Filesize
28KB

Download
memory/4404-4914-0x00000000011F0000-0x00000000011F9000-memory.dmp

Filesize
36KB

Download
memory/4404-6085-0x0000000001400000-0x0000000001405000-memory.dmp

Filesize
20KB

Download
memory/4404-4892-0x00000000011F0000-0x00000000011F9000-memory.dmp

Filesize
36KB

Download
memory/4404-4896-0x0000000001400000-0x0000000001405000-memory.dmp

Filesize
20KB

Download
memory/4988-4511-0x0000000000600000-0x000000000060B000-memory.dmp

Filesize
44KB

Download
memory/4988-4477-0x0000000000600000-0x000000000060B000-memory.dmp

Filesize
44KB

Download
memory/4988-4479-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/4988-5512-0x0000000000600000-0x000000000060B000-memory.dmp

Filesize
44KB

Download
memory/5000-4727-0x0000000000AA0000-0x0000000000AAF000-memory.dmp

Filesize
60KB

Download
memory/5000-5916-0x0000000000AA0000-0x0000000000AAF000-memory.dmp

Filesize
60KB

Download
memory/5000-4713-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

Filesize
36KB

Download
memory/5112-4284-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/5112-5942-0x00000000001D0000-0x00000000001D7000-memory.dmp

Filesize
28KB

Download
memory/5112-5929-0x00000000001C0000-0x00000000001CD000-memory.dmp

Filesize
52KB

Download
memory/5112-4239-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download