Analysis
max time kernel: 150s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-07-2023 07:27
Static task: static1
Behavioral task: behavioral1
Sample: c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
Resource: win10v2004-20230703-en
General
Target: c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
Size: 374KB
MD5: a662ba3492a7d218908f5d851841ed96
SHA1: d292b20fd69fc5eb70075fb8ed3e7da940ca0b41
SHA256: c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94
SHA512: 38d41c8d44ab23c5cb6ea384404592f5dde3b3707bb8d3e3bf75d6e858b0c2d18e1fe27ba963ef2cefd6dad06ed1e4fd394a5f065bd5aa03b5f91b28201f72a5
SSDEEP: 6144:eLXTm1bNgmdZQBEaR73L/RqEb+xms6DuPa25QkI/7qi2PKuDYDYm1kThqBAtmaqz:ezoOmdZy33zRqESYluPPmkIl2iwmYBh+
Malware Config
Extracted: systembc
adstat477d.xyz:4044
demstat577d.xyz:4044
Extracted: smokeloader
2022
http://serverxlogs21.xyz/statweb255/
http://servxblog79.xyz/statweb255/
http://demblog289.xyz/statweb255/
http://admlogs77x.online/statweb255/
http://blogxstat38.xyz/statweb255/
http://blogxstat25.xyz/statweb255/
Signatures
Detect rhadamanthys stealer shellcode 6 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3920-139-0x0000000002640000-0x0000000002A40000-memory.dmp | family_rhadamanthys
behavioral1/memory/3920-140-0x0000000002640000-0x0000000002A40000-memory.dmp | family_rhadamanthys
behavioral1/memory/3920-141-0x0000000002640000-0x0000000002A40000-memory.dmp | family_rhadamanthys
behavioral1/memory/3920-142-0x0000000002640000-0x0000000002A40000-memory.dmp | family_rhadamanthys
behavioral1/memory/3920-153-0x0000000002640000-0x0000000002A40000-memory.dmp | family_rhadamanthys
behavioral1/memory/3920-156-0x0000000002640000-0x0000000002A40000-memory.dmp | family_rhadamanthys
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 3920 created 3180 | 3920 | c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe | Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid | process
2916 | bcdedit.exe
2592 | bcdedit.exe
Renames multiple (345) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Processes:
pid | process
3332 | wbadmin.exe
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ZU1ED@_S.exe | ZU1ED@_S.exe
Executes dropped EXE 7 IoCs
Processes:
pid | process
1040 | RrcF8ac9.exe
4056 | ZU1ED@_S.exe
1804 | iPlR5R.exe
3884 | RrcF8ac9.exe
3484 | ZU1ED@_S.exe
4920 | BFFF.exe
5956 | thfffje
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZU1ED@_S = "C:\\Users\\Admin\\AppData\\Local\\ZU1ED@_S.exe" | ZU1ED@_S.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZU1ED@_S = "C:\\Users\\Admin\\AppData\\Local\\ZU1ED@_S.exe" | ZU1ED@_S.exe
Drops desktop.ini file(s) 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini | ZU1ED@_S.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini | ZU1ED@_S.exe
File opened for modification | C:\Program Files\desktop.ini | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | ZU1ED@_S.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1040 set thread context of 3884 | 1040 | RrcF8ac9.exe | RrcF8ac9.exe
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.boot.tree.dat.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationTypes.resources.dll | ZU1ED@_S.exe
File opened for modification | C:\Program Files\7-Zip\7z.dll.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Office16\BIPLAT.DLL.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ClassicPhotoAlbum.potx.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc | ZU1ED@_S.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.UI.dll.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\PREVIEW.GIF | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Office16\wordvisi.ttf.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\vlc.mo | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui | ZU1ED@_S.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-execution.xml.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-ms | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dll | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONRES.DLL.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File created | C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml | ZU1ED@_S.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-awt.xml | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File created | C:\Program Files\Java\jdk1.8.0_66\db\LICENSE.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File created | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.bfc.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.DLL.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.tree.dat.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml | ZU1ED@_S.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.id[55594697-3483].[[email protected]].8base | ZU1ED@_S.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseCore.dll | ZU1ED@_S.exe
Program crash 5 IoCs
Processes:
pid | pid_target | process | target process
3848 | 3920 | WerFault.exe | c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
5004 | 3484 | WerFault.exe | ZU1ED@_S.exe
5496 | 4920 | WerFault.exe | BFFF.exe
1640 | 4920 | WerFault.exe | BFFF.exe
2852 | 4920 | WerFault.exe | BFFF.exe
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | RrcF8ac9.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | RrcF8ac9.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | RrcF8ac9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
2880 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3920 | c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
3920 | c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
3920 | c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
3920 | c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
1756 | certreq.exe
1756 | certreq.exe
1756 | certreq.exe
1756 | certreq.exe
3884 | RrcF8ac9.exe
3884 | RrcF8ac9.exe
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
4056 | ZU1ED@_S.exe
4056 | ZU1ED@_S.exe
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
4056 | ZU1ED@_S.exe
4056 | ZU1ED@_S.exe
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
4056 | ZU1ED@_S.exe
3180 | Explorer.EXE
3180 | Explorer.EXE
4056 | ZU1ED@_S.exe
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
4056 | ZU1ED@_S.exe
4056 | ZU1ED@_S.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3180 | Explorer.EXE
Suspicious behavior: MapViewOfSection 31 IoCs
Processes:
pid | process
3884 | RrcF8ac9.exe
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
3180 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4056 | ZU1ED@_S.exe
Token: SeBackupPrivilege | 3536 | vssvc.exe
Token: SeRestorePrivilege | 3536 | vssvc.exe
Token: SeAuditPrivilege | 3536 | vssvc.exe
Token: SeShutdownPrivilege | 3180 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3180 | Explorer.EXE
Token: SeIncreaseQuotaPrivilege | 4076 | WMIC.exe
Token: SeSecurityPrivilege | 4076 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4076 | WMIC.exe
Token: SeLoadDriverPrivilege | 4076 | WMIC.exe
Token: SeSystemProfilePrivilege | 4076 | WMIC.exe
Token: SeSystemtimePrivilege | 4076 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4076 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4076 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4076 | WMIC.exe
Token: SeBackupPrivilege | 4076 | WMIC.exe
Token: SeRestorePrivilege | 4076 | WMIC.exe
Token: SeShutdownPrivilege | 4076 | WMIC.exe
Token: SeDebugPrivilege | 4076 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4076 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4076 | WMIC.exe
Token: SeUndockPrivilege | 4076 | WMIC.exe
Token: SeManageVolumePrivilege | 4076 | WMIC.exe
Token: 33 | 4076 | WMIC.exe
Token: 34 | 4076 | WMIC.exe
Token: 35 | 4076 | WMIC.exe
Token: 36 | 4076 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4076 | WMIC.exe
Token: SeSecurityPrivilege | 4076 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4076 | WMIC.exe
Token: SeLoadDriverPrivilege | 4076 | WMIC.exe
Token: SeSystemProfilePrivilege | 4076 | WMIC.exe
Token: SeSystemtimePrivilege | 4076 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4076 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4076 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4076 | WMIC.exe
Token: SeBackupPrivilege | 4076 | WMIC.exe
Token: SeRestorePrivilege | 4076 | WMIC.exe
Token: SeShutdownPrivilege | 4076 | WMIC.exe
Token: SeDebugPrivilege | 4076 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4076 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4076 | WMIC.exe
Token: SeUndockPrivilege | 4076 | WMIC.exe
Token: SeManageVolumePrivilege | 4076 | WMIC.exe
Token: 33 | 4076 | WMIC.exe
Token: 34 | 4076 | WMIC.exe
Token: 35 | 4076 | WMIC.exe
Token: 36 | 4076 | WMIC.exe
Token: SeBackupPrivilege | 4116 | wbengine.exe
Token: SeRestorePrivilege | 4116 | wbengine.exe
Token: SeSecurityPrivilege | 4116 | wbengine.exe
Token: SeShutdownPrivilege | 3180 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3180 | Explorer.EXE
Token: SeShutdownPrivilege | 3180 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3180 | Explorer.EXE
Token: SeShutdownPrivilege | 3180 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3180 | Explorer.EXE
Token: SeShutdownPrivilege | 3180 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3180 | Explorer.EXE
Token: SeShutdownPrivilege | 3180 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3180 | Explorer.EXE
Token: SeShutdownPrivilege | 3180 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3180 | Explorer.EXE
Token: SeShutdownPrivilege | 3180 | Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3920 wrote to memory of 1756 | 3920 | c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe | certreq.exe
PID 3920 wrote to memory of 1756 | 3920 | c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe | certreq.exe
PID 3920 wrote to memory of 1756 | 3920 | c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe | certreq.exe
PID 3920 wrote to memory of 1756 | 3920 | c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe | certreq.exe
PID 1040 wrote to memory of 3884 | 1040 | RrcF8ac9.exe | RrcF8ac9.exe
PID 1040 wrote to memory of 3884 | 1040 | RrcF8ac9.exe | RrcF8ac9.exe
PID 1040 wrote to memory of 3884 | 1040 | RrcF8ac9.exe | RrcF8ac9.exe
PID 1040 wrote to memory of 3884 | 1040 | RrcF8ac9.exe | RrcF8ac9.exe
PID 1040 wrote to memory of 3884 | 1040 | RrcF8ac9.exe | RrcF8ac9.exe
PID 1040 wrote to memory of 3884 | 1040 | RrcF8ac9.exe | RrcF8ac9.exe
PID 4056 wrote to memory of 4640 | 4056 | ZU1ED@_S.exe | cmd.exe
PID 4056 wrote to memory of 4640 | 4056 | ZU1ED@_S.exe | cmd.exe
PID 4056 wrote to memory of 116 | 4056 | ZU1ED@_S.exe | cmd.exe
PID 4056 wrote to memory of 116 | 4056 | ZU1ED@_S.exe | cmd.exe
PID 116 wrote to memory of 4588 | 116 | cmd.exe | netsh.exe
PID 116 wrote to memory of 4588 | 116 | cmd.exe | netsh.exe
PID 4640 wrote to memory of 2880 | 4640 | cmd.exe | vssadmin.exe
PID 4640 wrote to memory of 2880 | 4640 | cmd.exe | vssadmin.exe
PID 116 wrote to memory of 4328 | 116 | cmd.exe | netsh.exe
PID 116 wrote to memory of 4328 | 116 | cmd.exe | netsh.exe
PID 4640 wrote to memory of 4076 | 4640 | cmd.exe | WMIC.exe
PID 4640 wrote to memory of 4076 | 4640 | cmd.exe | WMIC.exe
PID 4640 wrote to memory of 2916 | 4640 | cmd.exe | bcdedit.exe
PID 4640 wrote to memory of 2916 | 4640 | cmd.exe | bcdedit.exe
PID 4640 wrote to memory of 2592 | 4640 | cmd.exe | bcdedit.exe
PID 4640 wrote to memory of 2592 | 4640 | cmd.exe | bcdedit.exe
PID 4640 wrote to memory of 3332 | 4640 | cmd.exe | wbadmin.exe
PID 4640 wrote to memory of 3332 | 4640 | cmd.exe | wbadmin.exe
PID 3180 wrote to memory of 4920 | 3180 | Explorer.EXE | BFFF.exe
PID 3180 wrote to memory of 4920 | 3180 | Explorer.EXE | BFFF.exe
PID 3180 wrote to memory of 4920 | 3180 | Explorer.EXE | BFFF.exe
PID 3180 wrote to memory of 4452 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 4452 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 4452 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 4452 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 4028 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 4028 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 4028 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 4024 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 4024 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 4024 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 4024 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 3432 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 3432 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 3432 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 3432 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 3004 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 3004 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 3004 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 3004 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 1240 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 1240 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 1240 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 3796 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 3796 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 3796 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 3796 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 1948 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 1948 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 1948 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 2148 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 2148 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 2148 | 3180 | Explorer.EXE | explorer.exe
PID 3180 wrote to memory of 2148 | 3180 | Explorer.EXE | explorer.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
(indented entries are child processes of the entry above them; each process is followed by its command line and the signatures it triggered)

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 968
      - Program crash
  C:\Windows\system32\certreq.exe
    Command line: "C:\Windows\system32\certreq.exe"
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\BFFF.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\BFFF.exe
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 500
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 508
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 544
      - Program crash
  C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
  C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
  C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
  C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
  C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
  C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3920 -ip 3920

C:\Users\Admin\AppData\Local\Microsoft\RrcF8ac9.exe
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\RrcF8ac9.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Microsoft\RrcF8ac9.exe
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\RrcF8ac9.exe"
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Microsoft\ZU1ED@_S.exe
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\ZU1ED@_S.exe"
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Microsoft\ZU1ED@_S.exe
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\ZU1ED@_S.exe"
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 460
      - Program crash
  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
    C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall set currentprofile state off
      - Modifies Windows Firewall
    C:\Windows\system32\netsh.exe
      Command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall

C:\Users\Admin\AppData\Local\Microsoft\iPlR5R.exe
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\iPlR5R.exe"
  - Executes dropped EXE

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3484 -ip 3484

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4920 -ip 4920

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4920 -ip 4920

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4920 -ip 4920

C:\Users\Admin\AppData\Roaming\thfffje
  Command line: C:\Users\Admin\AppData\Roaming\thfffje
  - Executes dropped EXE