lumma | c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe
Size

164KB
MD5

ef0ecd2f11d3b6bd090474db2a2432ba
SHA1

67127f642d92296aaa7f7d3ba9fbac77bdfaad33
SHA256

c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db
SHA512

ab7f818fe9f4f018af87f187a7c63c8aa6157e1b30b0f8ac2077ccf8c3c8fa787049f35353cb31a4f49e37bc9e4f8ea0d354bf84453f73fccd0230c90313810e
SSDEEP

3072:XiML/SFYg65k6NZt313UZgdrOiCToYGzN2uLK5wY:XVL/nDk6jteZgQoYGz3LPY

Score

10^/10

lumma phobos rhadamanthys smokeloader summ backdoor collection discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Version

2022

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

rc4.i32

Extracted

Family

lumma

gstatic-node.io

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3128-235-0x00000000023A0000-0x00000000027A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/3128-237-0x00000000023A0000-0x00000000027A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/3128-238-0x00000000023A0000-0x00000000027A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/3128-239-0x00000000023A0000-0x00000000027A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/3128-253-0x00000000023A0000-0x00000000027A0000-memory.dmp	family_rhadamanthys
behavioral1/memory/3128-256-0x00000000023A0000-0x00000000027A0000-memory.dmp	family_rhadamanthys

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

3FE2.exe

description pid process target process

PID 3128 created 3240 3128 3FE2.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4168 bcdedit.exe
5116 bcdedit.exe
Renames multiple (65) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4524 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3904 netsh.exe
3616 netsh.exe
Drops startup file 1 IoCs

Processes:

y6[Gi4`1.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\y6[Gi4`1.exe y6[Gi4`1.exe
Executes dropped EXE 7 IoCs

Processes:

3FE2.exe488E.exevm[R1ZQW.exey6[Gi4`1.exetSsr`r.exevm[R1ZQW.exey6[Gi4`1.exe

pid process

3128 3FE2.exe
3900 488E.exe
2316 vm[R1ZQW.exe
3896 y6[Gi4`1.exe
4728 tSsr`r.exe
2816 vm[R1ZQW.exe
4984 y6[Gi4`1.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 3128 created 3240	3128	3FE2.exe	Explorer.EXE

pid	process
4168	bcdedit.exe
5116	bcdedit.exe

pid	process
4524	wbadmin.exe

pid	process
3904	netsh.exe
3616	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\y6[Gi4`1.exe	y6[Gi4`1.exe

pid	process
3128	3FE2.exe
3900	488E.exe
2316	vm[R1ZQW.exe
3896	y6[Gi4`1.exe
4728	tSsr`r.exe
2816	vm[R1ZQW.exe
4984	y6[Gi4`1.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

y6[Gi4`1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\y6[Gi4`1 = "C:\\Users\\Admin\\AppData\\Local\\y6[Gi4`1.exe"	y6[Gi4`1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\y6[Gi4`1 = "C:\\Users\\Admin\\AppData\\Local\\y6[Gi4`1.exe"	y6[Gi4`1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

Processes:

y6[Gi4`1.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini	y6[Gi4`1.exe
File opened for modification	C:\Program Files\desktop.ini	y6[Gi4`1.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini	y6[Gi4`1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

vm[R1ZQW.exe

description pid process target process

PID 2316 set thread context of 2816 2316 vm[R1ZQW.exe vm[R1ZQW.exe

description	pid	process	target process
PID 2316 set thread context of 2816	2316	vm[R1ZQW.exe	vm[R1ZQW.exe

Drops file in Program Files directory 64 IoCs

Processes:

y6[Gi4`1.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyrun.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\net.dll.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack.dll	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunpkcs11.jar	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\default.jfc	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaps.dll	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveDrop32x32.gif	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jvm.hprof.txt.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util-lookup.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\glass.dll	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_sv.properties.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	y6[Gi4`1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages.properties.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\net.dll	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar	y6[Gi4`1.exe
File opened for modification	C:\Program Files\BackupHide.xhtml	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui	y6[Gi4`1.exe
File opened for modification	C:\Program Files\ConfirmRepair.shtml	y6[Gi4`1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\invalid32x32.gif.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	y6[Gi4`1.exe
File created	C:\Program Files\CloseExpand.mpe.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar	y6[Gi4`1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar	y6[Gi4`1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml.id[08233F11-3483].[[email protected]].8base	y6[Gi4`1.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4216 3128 WerFault.exe 3FE2.exe
2156 3900 WerFault.exe 488E.exe
2252 4984 WerFault.exe y6[Gi4`1.exe

pid	pid_target	process	target process
4216	3128	WerFault.exe	3FE2.exe
2156	3900	WerFault.exe	488E.exe
2252	4984	WerFault.exe	y6[Gi4`1.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vm[R1ZQW.exevds.exec9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vm[R1ZQW.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vm[R1ZQW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vm[R1ZQW.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1368 vssadmin.exe

pid	process
1368	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exeExplorer.EXE

pid	process
216	c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe
216	c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3240 Explorer.EXE

pid	process
3240	Explorer.EXE

Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exeExplorer.EXEvm[R1ZQW.exe

pid	process
216	c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
3240	Explorer.EXE
2816	vm[R1ZQW.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEy6[Gi4`1.exevssvc.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE
Token: SeDebugPrivilege	3896	y6[Gi4`1.exe
Token: SeBackupPrivilege	3452	vssvc.exe
Token: SeRestorePrivilege	3452	vssvc.exe
Token: SeAuditPrivilege	3452	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2372	WMIC.exe
Token: SeSecurityPrivilege	2372	WMIC.exe
Token: SeTakeOwnershipPrivilege	2372	WMIC.exe
Token: SeLoadDriverPrivilege	2372	WMIC.exe
Token: SeSystemProfilePrivilege	2372	WMIC.exe
Token: SeSystemtimePrivilege	2372	WMIC.exe
Token: SeProfSingleProcessPrivilege	2372	WMIC.exe
Token: SeIncBasePriorityPrivilege	2372	WMIC.exe
Token: SeCreatePagefilePrivilege	2372	WMIC.exe
Token: SeBackupPrivilege	2372	WMIC.exe
Token: SeRestorePrivilege	2372	WMIC.exe
Token: SeShutdownPrivilege	2372	WMIC.exe
Token: SeDebugPrivilege	2372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2372	WMIC.exe
Token: SeRemoteShutdownPrivilege	2372	WMIC.exe
Token: SeUndockPrivilege	2372	WMIC.exe
Token: SeManageVolumePrivilege	2372	WMIC.exe
Token: 33	2372	WMIC.exe
Token: 34	2372	WMIC.exe
Token: 35	2372	WMIC.exe
Token: 36	2372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2372	WMIC.exe
Token: SeSecurityPrivilege	2372	WMIC.exe
Token: SeTakeOwnershipPrivilege	2372	WMIC.exe
Token: SeLoadDriverPrivilege	2372	WMIC.exe
Token: SeSystemProfilePrivilege	2372	WMIC.exe
Token: SeSystemtimePrivilege	2372	WMIC.exe
Token: SeProfSingleProcessPrivilege	2372	WMIC.exe
Token: SeIncBasePriorityPrivilege	2372	WMIC.exe
Token: SeCreatePagefilePrivilege	2372	WMIC.exe
Token: SeBackupPrivilege	2372	WMIC.exe
Token: SeRestorePrivilege	2372	WMIC.exe
Token: SeShutdownPrivilege	2372	WMIC.exe
Token: SeDebugPrivilege	2372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2372	WMIC.exe
Token: SeRemoteShutdownPrivilege	2372	WMIC.exe
Token: SeUndockPrivilege	2372	WMIC.exe
Token: SeManageVolumePrivilege	2372	WMIC.exe
Token: 33	2372	WMIC.exe
Token: 34	2372	WMIC.exe
Token: 35	2372	WMIC.exe
Token: 36	2372	WMIC.exe
Token: SeShutdownPrivilege	3240	Explorer.EXE
Token: SeCreatePagefilePrivilege	3240	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Explorer.EXE3FE2.exevm[R1ZQW.exey6[Gi4`1.execmd.execmd.exe

description	pid	process	target process
PID 3240 wrote to memory of 3128	3240	Explorer.EXE	3FE2.exe
PID 3240 wrote to memory of 3128	3240	Explorer.EXE	3FE2.exe
PID 3240 wrote to memory of 3128	3240	Explorer.EXE	3FE2.exe
PID 3240 wrote to memory of 3900	3240	Explorer.EXE	488E.exe
PID 3240 wrote to memory of 3900	3240	Explorer.EXE	488E.exe
PID 3240 wrote to memory of 3900	3240	Explorer.EXE	488E.exe
PID 3240 wrote to memory of 2108	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 2108	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 2108	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 2108	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 3876	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 3876	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 3876	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1712	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1712	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1712	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1712	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1832	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1832	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1832	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 4332	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 4332	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 4332	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 4332	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 2164	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 2164	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 2164	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 2164	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 2468	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 2468	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 2468	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 2468	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1568	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1568	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1568	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1704	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1704	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1704	3240	Explorer.EXE	explorer.exe
PID 3240 wrote to memory of 1704	3240	Explorer.EXE	explorer.exe
PID 3128 wrote to memory of 4240	3128	3FE2.exe	certreq.exe
PID 3128 wrote to memory of 4240	3128	3FE2.exe	certreq.exe
PID 3128 wrote to memory of 4240	3128	3FE2.exe	certreq.exe
PID 3128 wrote to memory of 4240	3128	3FE2.exe	certreq.exe
PID 2316 wrote to memory of 2816	2316	vm[R1ZQW.exe	vm[R1ZQW.exe
PID 2316 wrote to memory of 2816	2316	vm[R1ZQW.exe	vm[R1ZQW.exe
PID 2316 wrote to memory of 2816	2316	vm[R1ZQW.exe	vm[R1ZQW.exe
PID 2316 wrote to memory of 2816	2316	vm[R1ZQW.exe	vm[R1ZQW.exe
PID 2316 wrote to memory of 2816	2316	vm[R1ZQW.exe	vm[R1ZQW.exe
PID 2316 wrote to memory of 2816	2316	vm[R1ZQW.exe	vm[R1ZQW.exe
PID 3896 wrote to memory of 3948	3896	y6[Gi4`1.exe	cmd.exe
PID 3896 wrote to memory of 3948	3896	y6[Gi4`1.exe	cmd.exe
PID 3896 wrote to memory of 2244	3896	y6[Gi4`1.exe	cmd.exe
PID 3896 wrote to memory of 2244	3896	y6[Gi4`1.exe	cmd.exe
PID 2244 wrote to memory of 3904	2244	cmd.exe	netsh.exe
PID 2244 wrote to memory of 3904	2244	cmd.exe	netsh.exe
PID 3948 wrote to memory of 1368	3948	cmd.exe	vssadmin.exe
PID 3948 wrote to memory of 1368	3948	cmd.exe	vssadmin.exe
PID 3948 wrote to memory of 2372	3948	cmd.exe	WMIC.exe
PID 3948 wrote to memory of 2372	3948	cmd.exe	WMIC.exe
PID 2244 wrote to memory of 3616	2244	cmd.exe	netsh.exe
PID 2244 wrote to memory of 3616	2244	cmd.exe	netsh.exe
PID 3948 wrote to memory of 4168	3948	cmd.exe	bcdedit.exe
PID 3948 wrote to memory of 4168	3948	cmd.exe	bcdedit.exe
PID 3948 wrote to memory of 5116	3948	cmd.exe	bcdedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Local\Temp\c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe
"C:\Users\Admin\AppData\Local\Temp\c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:216

C:\Users\Admin\AppData\Local\Temp\3FE2.exe
C:\Users\Admin\AppData\Local\Temp\3FE2.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1016
3⤵
- Program crash
PID:4216

C:\Users\Admin\AppData\Local\Temp\488E.exe
C:\Users\Admin\AppData\Local\Temp\488E.exe
2⤵
- Executes dropped EXE
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 3336
3⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2108

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3876

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1712

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1832

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4332

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2164

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2468

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1568

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1704

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3128 -ip 3128
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3900 -ip 3900
1⤵
PID:2920

C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe
"C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe
"C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2816

C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe
"C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896

C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe
"C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe"
2⤵
- Executes dropped EXE
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 428
3⤵
- Program crash
PID:2252

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:3904

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:3616

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1368

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:4168

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:5116

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:4524

C:\Users\Admin\AppData\Local\Microsoft\tSsr`r.exe
"C:\Users\Admin\AppData\Local\Microsoft\tSsr`r.exe"
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:4960

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:284

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4984 -ip 4984
1⤵
PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[08233F11-3483].[[email protected]].8base

Filesize
3.2MB

MD5
7687e74daa74f44efabb51f5efe72bc3

SHA1
d87a3a810e0caa2d95210c0eaff1061973094b27

SHA256
647eb7d6cb9777be0fdac10fa0b8c919127f781936e26658020cc8cb9f1a1961

SHA512
e676a69fd8d42f0d21f7e85078910075fa741344868f92295a6749d757451e2497b1b54f538032845f7505efbe71fd53b0bb640ca96a76728e6db053b74a9058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\tSsr`r.exe

Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\tSsr`r.exe

Filesize
164KB

MD5
6ac14216327dcfb60b33ebd914f62769

SHA1
d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b

SHA256
25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9

SHA512
6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe

Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe

Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe

Filesize
164KB

MD5
09d7f30d2f8432be6087038562a029dd

SHA1
07fc20446a03a20c191e750ef21737ec948d9544

SHA256
8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8

SHA512
abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe

Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe

Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe

Filesize
164KB

MD5
de348ef9eed7ccdaed5a70ae15796a86

SHA1
42914d94e8024ca94e58bb4bd9cfa4d0ae524975

SHA256
a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855

SHA512
605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE2.exe

Filesize
374KB

MD5
aaf3d68aeea347268ede50e621ca21ce

SHA1
0e7c0e38a200a9ea3af663dfd33941cc5e1657c9

SHA256
09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416

SHA512
61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE2.exe

Filesize
374KB

MD5
aaf3d68aeea347268ede50e621ca21ce

SHA1
0e7c0e38a200a9ea3af663dfd33941cc5e1657c9

SHA256
09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416

SHA512
61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\488E.exe

Filesize
290KB

MD5
6d35d4cb11e99f8645441b0f1f96da3d

SHA1
3b6e12da0c1c37d38db867ab6330ace34461c56a

SHA256
9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204

SHA512
01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\488E.exe

Filesize
290KB

MD5
6d35d4cb11e99f8645441b0f1f96da3d

SHA1
3b6e12da0c1c37d38db867ab6330ace34461c56a

SHA256
9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204

SHA512
01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

Download Submit
memory/216-138-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/216-134-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/216-135-0x0000000002230000-0x0000000002239000-memory.dmp

Filesize
36KB

Download
memory/216-136-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/216-141-0x0000000002230000-0x0000000002239000-memory.dmp

Filesize
36KB

Download
memory/1568-218-0x0000000000BC0000-0x0000000000BC7000-memory.dmp

Filesize
28KB

Download
memory/1568-219-0x0000000000BB0000-0x0000000000BBD000-memory.dmp

Filesize
52KB

Download
memory/1568-216-0x0000000000BB0000-0x0000000000BBD000-memory.dmp

Filesize
52KB

Download
memory/1568-226-0x0000000000BC0000-0x0000000000BC7000-memory.dmp

Filesize
28KB

Download
memory/1704-230-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/1704-220-0x0000000000E30000-0x0000000000E3B000-memory.dmp

Filesize
44KB

Download
memory/1704-223-0x0000000000E30000-0x0000000000E3B000-memory.dmp

Filesize
44KB

Download
memory/1704-222-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/1712-200-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/1712-201-0x0000000000620000-0x0000000000629000-memory.dmp

Filesize
36KB

Download
memory/1712-199-0x0000000000620000-0x0000000000629000-memory.dmp

Filesize
36KB

Download
memory/1712-217-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/1832-203-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/1832-221-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/1832-202-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/1832-204-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2108-209-0x0000000000640000-0x0000000000647000-memory.dmp

Filesize
28KB

Download
memory/2108-211-0x0000000000630000-0x000000000063B000-memory.dmp

Filesize
44KB

Download
memory/2108-194-0x0000000000640000-0x0000000000647000-memory.dmp

Filesize
28KB

Download
memory/2108-195-0x0000000000630000-0x000000000063B000-memory.dmp

Filesize
44KB

Download
memory/2164-208-0x0000000000E30000-0x0000000000E39000-memory.dmp

Filesize
36KB

Download
memory/2164-210-0x0000000000E40000-0x0000000000E45000-memory.dmp

Filesize
20KB

Download
memory/2164-225-0x0000000000E30000-0x0000000000E39000-memory.dmp

Filesize
36KB

Download
memory/2468-212-0x0000000000450000-0x000000000045B000-memory.dmp

Filesize
44KB

Download
memory/2468-214-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/2468-215-0x0000000000450000-0x000000000045B000-memory.dmp

Filesize
44KB

Download
memory/3128-252-0x0000000003160000-0x0000000003196000-memory.dmp

Filesize
216KB

Download
memory/3128-227-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/3128-256-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/3128-255-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3128-253-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/3128-246-0x0000000003160000-0x0000000003196000-memory.dmp

Filesize
216KB

Download
memory/3128-242-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/3128-241-0x0000000000680000-0x00000000006F1000-memory.dmp

Filesize
452KB

Download
memory/3128-239-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/3128-238-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/3128-237-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/3128-236-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3128-235-0x00000000023A0000-0x00000000027A0000-memory.dmp

Filesize
4.0MB

Download
memory/3128-234-0x00000000021C0000-0x00000000021C7000-memory.dmp

Filesize
28KB

Download
memory/3128-229-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3128-228-0x0000000000680000-0x00000000006F1000-memory.dmp

Filesize
452KB

Download
memory/3240-162-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-176-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3240-164-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-161-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-137-0x0000000002F00000-0x0000000002F16000-memory.dmp

Filesize
88KB

Download
memory/3240-160-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-158-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-157-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3240-155-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

Filesize
64KB

Download
memory/3240-156-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-142-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-153-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-165-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-154-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-143-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-167-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-150-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-144-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/3240-145-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-146-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-168-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-170-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-171-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-172-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-147-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-148-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-149-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-174-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-281-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-278-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-276-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-175-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-166-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/3240-151-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3240-273-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

Filesize
64KB

Download
memory/3876-197-0x0000000001100000-0x0000000001109000-memory.dmp

Filesize
36KB

Download
memory/3876-198-0x00000000010F0000-0x00000000010FF000-memory.dmp

Filesize
60KB

Download
memory/3876-213-0x0000000001100000-0x0000000001109000-memory.dmp

Filesize
36KB

Download
memory/3876-196-0x00000000010F0000-0x00000000010FF000-memory.dmp

Filesize
60KB

Download
memory/3900-257-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3900-231-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/3900-232-0x00000000021A0000-0x00000000021F5000-memory.dmp

Filesize
340KB

Download
memory/3900-233-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3900-244-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/3900-245-0x00000000021A0000-0x00000000021F5000-memory.dmp

Filesize
340KB

Download
memory/4240-272-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

Filesize
1.2MB

Download
memory/4240-282-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

Filesize
1.2MB

Download
memory/4240-270-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

Filesize
1.2MB

Download
memory/4240-271-0x00007FFF06410000-0x00007FFF06605000-memory.dmp

Filesize
2.0MB

Download
memory/4240-268-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

Filesize
1.2MB

Download
memory/4240-265-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

Filesize
1.2MB

Download
memory/4240-266-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

Filesize
1.2MB

Download
memory/4240-263-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

Filesize
1.2MB

Download
memory/4240-243-0x00000261F5060000-0x00000261F5063000-memory.dmp

Filesize
12KB

Download
memory/4240-269-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

Filesize
1.2MB

Download
memory/4240-259-0x00000261F5060000-0x00000261F5063000-memory.dmp

Filesize
12KB

Download
memory/4240-260-0x00000261F5300000-0x00000261F5307000-memory.dmp

Filesize
28KB

Download
memory/4240-261-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

Filesize
1.2MB

Download
memory/4240-264-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

Filesize
1.2MB

Download
memory/4240-262-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

Filesize
1.2MB

Download
memory/4332-207-0x0000000000FC0000-0x0000000000FE7000-memory.dmp

Filesize
156KB

Download
memory/4332-206-0x0000000001200000-0x0000000001222000-memory.dmp

Filesize
136KB

Download
memory/4332-224-0x0000000001200000-0x0000000001222000-memory.dmp

Filesize
136KB

Download
memory/4332-205-0x0000000000FC0000-0x0000000000FE7000-memory.dmp

Filesize
156KB

Download