phobos | c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
Size

374KB
MD5

a662ba3492a7d218908f5d851841ed96
SHA1

d292b20fd69fc5eb70075fb8ed3e7da940ca0b41
SHA256

c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94
SHA512

38d41c8d44ab23c5cb6ea384404592f5dde3b3707bb8d3e3bf75d6e858b0c2d18e1fe27ba963ef2cefd6dad06ed1e4fd394a5f065bd5aa03b5f91b28201f72a5
SSDEEP

6144:eLXTm1bNgmdZQBEaR73L/RqEb+xms6DuPa25QkI/7qi2PKuDYDYm1kThqBAtmaqz:ezoOmdZy33zRqESYluPPmkIl2iwmYBh+

Score

10^/10

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Signatures

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3920-139-0x0000000002640000-0x0000000002A40000-memory.dmp	family_rhadamanthys
behavioral1/memory/3920-140-0x0000000002640000-0x0000000002A40000-memory.dmp	family_rhadamanthys
behavioral1/memory/3920-141-0x0000000002640000-0x0000000002A40000-memory.dmp	family_rhadamanthys
behavioral1/memory/3920-142-0x0000000002640000-0x0000000002A40000-memory.dmp	family_rhadamanthys
behavioral1/memory/3920-153-0x0000000002640000-0x0000000002A40000-memory.dmp	family_rhadamanthys
behavioral1/memory/3920-156-0x0000000002640000-0x0000000002A40000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe

description pid process target process

PID 3920 created 3180 3920 c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2916 bcdedit.exe
2592 bcdedit.exe
Renames multiple (345) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3332 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

4588 netsh.exe
4328 netsh.exe
Drops startup file 1 IoCs

Processes:

ZU1ED@_S.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ZU1ED@_S.exe ZU1ED@_S.exe
Executes dropped EXE 7 IoCs

Processes:

RrcF8ac9.exeZU1ED@_S.exeiPlR5R.exeRrcF8ac9.exeZU1ED@_S.exeBFFF.exethfffje

pid process

1040 RrcF8ac9.exe
4056 ZU1ED@_S.exe
1804 iPlR5R.exe
3884 RrcF8ac9.exe
3484 ZU1ED@_S.exe
4920 BFFF.exe
5956 thfffje
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 3920 created 3180	3920	c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe	Explorer.EXE

pid	process
2916	bcdedit.exe
2592	bcdedit.exe

pid	process
3332	wbadmin.exe

pid	process
4588	netsh.exe
4328	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ZU1ED@_S.exe	ZU1ED@_S.exe

pid	process
1040	RrcF8ac9.exe
4056	ZU1ED@_S.exe
1804	iPlR5R.exe
3884	RrcF8ac9.exe
3484	ZU1ED@_S.exe
4920	BFFF.exe
5956	thfffje

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ZU1ED@_S.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZU1ED@_S = "C:\\Users\\Admin\\AppData\\Local\\ZU1ED@_S.exe"	ZU1ED@_S.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZU1ED@_S = "C:\\Users\\Admin\\AppData\\Local\\ZU1ED@_S.exe"	ZU1ED@_S.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

ZU1ED@_S.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini	ZU1ED@_S.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini	ZU1ED@_S.exe
File opened for modification	C:\Program Files\desktop.ini	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	ZU1ED@_S.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RrcF8ac9.exe

description pid process target process

PID 1040 set thread context of 3884 1040 RrcF8ac9.exe RrcF8ac9.exe

description	pid	process	target process
PID 1040 set thread context of 3884	1040	RrcF8ac9.exe	RrcF8ac9.exe

Drops file in Program Files directory 64 IoCs

Processes:

ZU1ED@_S.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.boot.tree.dat.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationTypes.resources.dll	ZU1ED@_S.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BIPLAT.DLL.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ClassicPhotoAlbum.potx.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc	ZU1ED@_S.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.UI.dll.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\PREVIEW.GIF	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Office16\wordvisi.ttf.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\vlc.mo	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui	ZU1ED@_S.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-execution.xml.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-ms	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dll	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\AdHocReportingExcelClient.dll.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONRES.DLL.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ul-oob.xrm-ms	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013.dotx	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	ZU1ED@_S.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-awt.xml	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSVCP140_APP.DLL.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\LICENSE.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.bfc.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.DLL.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.tree.dat.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml	ZU1ED@_S.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms.id[55594697-3483].[[email protected]].8base	ZU1ED@_S.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseCore.dll	ZU1ED@_S.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3848	3920	WerFault.exe	c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
5004	3484	WerFault.exe	ZU1ED@_S.exe
5496	4920	WerFault.exe	BFFF.exe
1640	4920	WerFault.exe	BFFF.exe
2852	4920	WerFault.exe	BFFF.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RrcF8ac9.exevds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RrcF8ac9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RrcF8ac9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RrcF8ac9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2880 vssadmin.exe

pid	process
2880	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.execertreq.exeRrcF8ac9.exeExplorer.EXEZU1ED@_S.exe

pid	process
3920	c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
3920	c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
3920	c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
3920	c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
1756	certreq.exe
1756	certreq.exe
1756	certreq.exe
1756	certreq.exe
3884	RrcF8ac9.exe
3884	RrcF8ac9.exe
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
4056	ZU1ED@_S.exe
4056	ZU1ED@_S.exe
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
4056	ZU1ED@_S.exe
4056	ZU1ED@_S.exe
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
4056	ZU1ED@_S.exe
3180	Explorer.EXE
3180	Explorer.EXE
4056	ZU1ED@_S.exe
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
4056	ZU1ED@_S.exe
4056	ZU1ED@_S.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3180 Explorer.EXE

pid	process
3180	Explorer.EXE

Suspicious behavior: MapViewOfSection 31 IoCs

Processes:

RrcF8ac9.exeExplorer.EXE

pid	process
3884	RrcF8ac9.exe
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ZU1ED@_S.exevssvc.exeExplorer.EXEWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	4056	ZU1ED@_S.exe
Token: SeBackupPrivilege	3536	vssvc.exe
Token: SeRestorePrivilege	3536	vssvc.exe
Token: SeAuditPrivilege	3536	vssvc.exe
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	4076	WMIC.exe
Token: SeSecurityPrivilege	4076	WMIC.exe
Token: SeTakeOwnershipPrivilege	4076	WMIC.exe
Token: SeLoadDriverPrivilege	4076	WMIC.exe
Token: SeSystemProfilePrivilege	4076	WMIC.exe
Token: SeSystemtimePrivilege	4076	WMIC.exe
Token: SeProfSingleProcessPrivilege	4076	WMIC.exe
Token: SeIncBasePriorityPrivilege	4076	WMIC.exe
Token: SeCreatePagefilePrivilege	4076	WMIC.exe
Token: SeBackupPrivilege	4076	WMIC.exe
Token: SeRestorePrivilege	4076	WMIC.exe
Token: SeShutdownPrivilege	4076	WMIC.exe
Token: SeDebugPrivilege	4076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4076	WMIC.exe
Token: SeRemoteShutdownPrivilege	4076	WMIC.exe
Token: SeUndockPrivilege	4076	WMIC.exe
Token: SeManageVolumePrivilege	4076	WMIC.exe
Token: 33	4076	WMIC.exe
Token: 34	4076	WMIC.exe
Token: 35	4076	WMIC.exe
Token: 36	4076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4076	WMIC.exe
Token: SeSecurityPrivilege	4076	WMIC.exe
Token: SeTakeOwnershipPrivilege	4076	WMIC.exe
Token: SeLoadDriverPrivilege	4076	WMIC.exe
Token: SeSystemProfilePrivilege	4076	WMIC.exe
Token: SeSystemtimePrivilege	4076	WMIC.exe
Token: SeProfSingleProcessPrivilege	4076	WMIC.exe
Token: SeIncBasePriorityPrivilege	4076	WMIC.exe
Token: SeCreatePagefilePrivilege	4076	WMIC.exe
Token: SeBackupPrivilege	4076	WMIC.exe
Token: SeRestorePrivilege	4076	WMIC.exe
Token: SeShutdownPrivilege	4076	WMIC.exe
Token: SeDebugPrivilege	4076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4076	WMIC.exe
Token: SeRemoteShutdownPrivilege	4076	WMIC.exe
Token: SeUndockPrivilege	4076	WMIC.exe
Token: SeManageVolumePrivilege	4076	WMIC.exe
Token: 33	4076	WMIC.exe
Token: 34	4076	WMIC.exe
Token: 35	4076	WMIC.exe
Token: 36	4076	WMIC.exe
Token: SeBackupPrivilege	4116	wbengine.exe
Token: SeRestorePrivilege	4116	wbengine.exe
Token: SeSecurityPrivilege	4116	wbengine.exe
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exeRrcF8ac9.exeZU1ED@_S.execmd.execmd.exeExplorer.EXE

description	pid	process	target process
PID 3920 wrote to memory of 1756	3920	c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe	certreq.exe
PID 3920 wrote to memory of 1756	3920	c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe	certreq.exe
PID 3920 wrote to memory of 1756	3920	c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe	certreq.exe
PID 3920 wrote to memory of 1756	3920	c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe	certreq.exe
PID 1040 wrote to memory of 3884	1040	RrcF8ac9.exe	RrcF8ac9.exe
PID 1040 wrote to memory of 3884	1040	RrcF8ac9.exe	RrcF8ac9.exe
PID 1040 wrote to memory of 3884	1040	RrcF8ac9.exe	RrcF8ac9.exe
PID 1040 wrote to memory of 3884	1040	RrcF8ac9.exe	RrcF8ac9.exe
PID 1040 wrote to memory of 3884	1040	RrcF8ac9.exe	RrcF8ac9.exe
PID 1040 wrote to memory of 3884	1040	RrcF8ac9.exe	RrcF8ac9.exe
PID 4056 wrote to memory of 4640	4056	ZU1ED@_S.exe	cmd.exe
PID 4056 wrote to memory of 4640	4056	ZU1ED@_S.exe	cmd.exe
PID 4056 wrote to memory of 116	4056	ZU1ED@_S.exe	cmd.exe
PID 4056 wrote to memory of 116	4056	ZU1ED@_S.exe	cmd.exe
PID 116 wrote to memory of 4588	116	cmd.exe	netsh.exe
PID 116 wrote to memory of 4588	116	cmd.exe	netsh.exe
PID 4640 wrote to memory of 2880	4640	cmd.exe	vssadmin.exe
PID 4640 wrote to memory of 2880	4640	cmd.exe	vssadmin.exe
PID 116 wrote to memory of 4328	116	cmd.exe	netsh.exe
PID 116 wrote to memory of 4328	116	cmd.exe	netsh.exe
PID 4640 wrote to memory of 4076	4640	cmd.exe	WMIC.exe
PID 4640 wrote to memory of 4076	4640	cmd.exe	WMIC.exe
PID 4640 wrote to memory of 2916	4640	cmd.exe	bcdedit.exe
PID 4640 wrote to memory of 2916	4640	cmd.exe	bcdedit.exe
PID 4640 wrote to memory of 2592	4640	cmd.exe	bcdedit.exe
PID 4640 wrote to memory of 2592	4640	cmd.exe	bcdedit.exe
PID 4640 wrote to memory of 3332	4640	cmd.exe	wbadmin.exe
PID 4640 wrote to memory of 3332	4640	cmd.exe	wbadmin.exe
PID 3180 wrote to memory of 4920	3180	Explorer.EXE	BFFF.exe
PID 3180 wrote to memory of 4920	3180	Explorer.EXE	BFFF.exe
PID 3180 wrote to memory of 4920	3180	Explorer.EXE	BFFF.exe
PID 3180 wrote to memory of 4452	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 4452	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 4452	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 4452	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 4028	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 4028	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 4028	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 4024	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 4024	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 4024	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 4024	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 3432	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 3432	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 3432	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 3432	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 3004	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 3004	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 3004	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 3004	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 1240	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 1240	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 1240	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 3796	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 3796	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 3796	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 3796	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 1948	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 1948	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 1948	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 2148	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 2148	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 2148	3180	Explorer.EXE	explorer.exe
PID 3180 wrote to memory of 2148	3180	Explorer.EXE	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180

C:\Users\Admin\AppData\Local\Temp\c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe
"C:\Users\Admin\AppData\Local\Temp\c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 968
3⤵
- Program crash
PID:3848

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1756

C:\Users\Admin\AppData\Local\Temp\BFFF.exe
C:\Users\Admin\AppData\Local\Temp\BFFF.exe
2⤵
- Executes dropped EXE
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 500
3⤵
- Program crash
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 508
3⤵
- Program crash
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 544
3⤵
- Program crash
PID:2852

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4452

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4028

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4024

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3004

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1240

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3796

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1948

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2148

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:964

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1628

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4180

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4900

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:6116

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3920 -ip 3920
1⤵
PID:1536

C:\Users\Admin\AppData\Local\Microsoft\RrcF8ac9.exe
"C:\Users\Admin\AppData\Local\Microsoft\RrcF8ac9.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Microsoft\RrcF8ac9.exe
"C:\Users\Admin\AppData\Local\Microsoft\RrcF8ac9.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3884

C:\Users\Admin\AppData\Local\Microsoft\ZU1ED@_S.exe
"C:\Users\Admin\AppData\Local\Microsoft\ZU1ED@_S.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\Local\Microsoft\ZU1ED@_S.exe
"C:\Users\Admin\AppData\Local\Microsoft\ZU1ED@_S.exe"
2⤵
- Executes dropped EXE
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 460
3⤵
- Program crash
PID:5004

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2880

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2916

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:2592

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3332

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:4588

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:4328

C:\Users\Admin\AppData\Local\Microsoft\iPlR5R.exe
"C:\Users\Admin\AppData\Local\Microsoft\iPlR5R.exe"
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4376

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3484 -ip 3484
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4920 -ip 4920
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4920 -ip 4920
1⤵
PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4920 -ip 4920
1⤵
PID:5248

C:\Users\Admin\AppData\Roaming\thfffje
C:\Users\Admin\AppData\Roaming\thfffje
1⤵
- Executes dropped EXE
PID:5956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[55594697-3483].[[email protected]].8base
Filesize
3.2MB

MD5
e890c78f51617c4d46cd65f542c241cc

SHA1
fc0e42794433c1dc24e680f948463b8ba5efd835

SHA256
decb7af811a7cac3b850106a2980bdd6385559c9fdd4bd81f43a92f3e9f9f5ac

SHA512
e6c11cb980896a9028d4ae242bd9340b0c3b0e737fd225b354c793a1fe0daa69cc69ee9763b33abc45ff13aa0dfe2fd72387a185234f6907653d75097636e00e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RrcF8ac9.exe
Filesize
166KB

MD5
1b2b02b4b524fe02b8b96bd781c8eceb

SHA1
36e2eb7e1ae58b103b2d1cca5991786b0118534b

SHA256
e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6

SHA512
80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RrcF8ac9.exe
Filesize
166KB

MD5
1b2b02b4b524fe02b8b96bd781c8eceb

SHA1
36e2eb7e1ae58b103b2d1cca5991786b0118534b

SHA256
e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6

SHA512
80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RrcF8ac9.exe
Filesize
166KB

MD5
1b2b02b4b524fe02b8b96bd781c8eceb

SHA1
36e2eb7e1ae58b103b2d1cca5991786b0118534b

SHA256
e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6

SHA512
80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZU1ED@_S.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZU1ED@_S.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ZU1ED@_S.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\iPlR5R.exe
Filesize
164KB

MD5
3524139d7687147f53dc7df4f4867093

SHA1
77a6308dc4981ac164a887ed54a0e01c63c17c63

SHA256
954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081

SHA512
48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\iPlR5R.exe
Filesize
164KB

MD5
3524139d7687147f53dc7df4f4867093

SHA1
77a6308dc4981ac164a887ed54a0e01c63c17c63

SHA256
954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081

SHA512
48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFFF.exe
Filesize
165KB

MD5
a2f3d796dc2c2f474188db58d5ca7593

SHA1
dc88893abba370aab576dcc9bd60b5fc7bb5dd4e

SHA256
408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c

SHA512
9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFFF.exe
Filesize
165KB

MD5
a2f3d796dc2c2f474188db58d5ca7593

SHA1
dc88893abba370aab576dcc9bd60b5fc7bb5dd4e

SHA256
408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c

SHA512
9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\cookies.sqlite.id[55594697-3483].[[email protected]].8base
Filesize
96KB

MD5
b5c96c34379cbf71bbed7c59aa64d867

SHA1
f429babcaaf019940a9a6aa4c429ded5d23a55fe

SHA256
52cea3d3bac27de5a3e16f5ba853c0993c4d7bde98638e8f0eaa75a8bda19ba5

SHA512
77f56ec68c71a2a607d122d4b033ade1f071289e1915f22fc087e79ace2c1a0ccbad5f3d9ebd95797536f7c75f78f1285f719387fe5fcd811cb61392781254ab

Download Submit
C:\Users\Admin\AppData\Roaming\thfffje
Filesize
166KB

MD5
1b2b02b4b524fe02b8b96bd781c8eceb

SHA1
36e2eb7e1ae58b103b2d1cca5991786b0118534b

SHA256
e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6

SHA512
80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

Download Submit
C:\Users\Admin\AppData\Roaming\thfffje
Filesize
166KB

MD5
1b2b02b4b524fe02b8b96bd781c8eceb

SHA1
36e2eb7e1ae58b103b2d1cca5991786b0118534b

SHA256
e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6

SHA512
80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

Download Submit
memory/964-2885-0x0000000001200000-0x0000000001209000-memory.dmp

Filesize
36KB

Download
memory/964-2884-0x0000000001210000-0x0000000001215000-memory.dmp

Filesize
20KB

Download
memory/964-2882-0x0000000001200000-0x0000000001209000-memory.dmp

Filesize
36KB

Download
memory/1040-191-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1040-192-0x0000000000620000-0x0000000000629000-memory.dmp

Filesize
36KB

Download
memory/1240-2240-0x0000000000D00000-0x0000000000D09000-memory.dmp

Filesize
36KB

Download
memory/1240-2890-0x0000000000D00000-0x0000000000D09000-memory.dmp

Filesize
36KB

Download
memory/1240-2241-0x0000000000CF0000-0x0000000000CFF000-memory.dmp

Filesize
60KB

Download
memory/1240-2237-0x0000000000CF0000-0x0000000000CFF000-memory.dmp

Filesize
60KB

Download
memory/1628-2887-0x0000000000550000-0x0000000000577000-memory.dmp

Filesize
156KB

Download
memory/1628-2891-0x0000000000580000-0x00000000005A1000-memory.dmp

Filesize
132KB

Download
memory/1628-2892-0x0000000000550000-0x0000000000577000-memory.dmp

Filesize
156KB

Download
memory/1628-2899-0x0000000000550000-0x0000000000577000-memory.dmp

Filesize
156KB

Download
memory/1756-158-0x000001F62FBB0000-0x000001F62FBB7000-memory.dmp

Filesize
28KB

Download
memory/1756-170-0x00007FFC3C970000-0x00007FFC3CB65000-memory.dmp

Filesize
2.0MB

Download
memory/1756-171-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-172-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-173-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-174-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-175-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-169-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-168-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-167-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-165-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-163-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-162-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-188-0x00007FFC3C970000-0x00007FFC3CB65000-memory.dmp

Filesize
2.0MB

Download
memory/1756-189-0x000001F62FBB0000-0x000001F62FBB5000-memory.dmp

Filesize
20KB

Download
memory/1756-190-0x00007FFC3C970000-0x00007FFC3CB65000-memory.dmp

Filesize
2.0MB

Download
memory/1756-161-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-160-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-143-0x000001F62F7F0000-0x000001F62F7F3000-memory.dmp

Filesize
12KB

Download
memory/1756-159-0x00007FF46CB00000-0x00007FF46CC2D000-memory.dmp

Filesize
1.2MB

Download
memory/1756-157-0x000001F62F7F0000-0x000001F62F7F3000-memory.dmp

Filesize
12KB

Download
memory/1804-198-0x0000000001F60000-0x0000000001F65000-memory.dmp

Filesize
20KB

Download
memory/1804-200-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1804-1106-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1804-201-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1948-2517-0x00000000009E0000-0x00000000009E6000-memory.dmp

Filesize
24KB

Download
memory/1948-2518-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download
memory/1948-2515-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download
memory/1948-2914-0x00000000009E0000-0x00000000009E6000-memory.dmp

Filesize
24KB

Download
memory/2148-2520-0x0000000000BC0000-0x0000000000BC4000-memory.dmp

Filesize
16KB

Download
memory/2148-2521-0x0000000000BB0000-0x0000000000BB9000-memory.dmp

Filesize
36KB

Download
memory/2148-2519-0x0000000000BB0000-0x0000000000BB9000-memory.dmp

Filesize
36KB

Download
memory/3004-2205-0x0000000000950000-0x0000000000957000-memory.dmp

Filesize
28KB

Download
memory/3004-2209-0x0000000000940000-0x000000000094B000-memory.dmp

Filesize
44KB

Download
memory/3004-2886-0x0000000000940000-0x000000000094B000-memory.dmp

Filesize
44KB

Download
memory/3004-2883-0x0000000000950000-0x0000000000957000-memory.dmp

Filesize
28KB

Download
memory/3180-3022-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/3180-2903-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/3180-3457-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/3180-3352-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download
memory/3180-206-0x0000000003320000-0x0000000003336000-memory.dmp

Filesize
88KB

Download
memory/3432-2255-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/3432-2201-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/3432-2202-0x0000000000170000-0x000000000017B000-memory.dmp

Filesize
44KB

Download
memory/3484-1551-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3484-1784-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/3484-1548-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/3796-2338-0x0000000001190000-0x0000000001195000-memory.dmp

Filesize
20KB

Download
memory/3796-2303-0x0000000001180000-0x0000000001189000-memory.dmp

Filesize
36KB

Download
memory/3796-2894-0x0000000001190000-0x0000000001195000-memory.dmp

Filesize
20KB

Download
memory/3796-2340-0x0000000001180000-0x0000000001189000-memory.dmp

Filesize
36KB

Download
memory/3884-193-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3884-195-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3884-207-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3920-134-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/3920-135-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3920-137-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3920-138-0x00000000022B0000-0x00000000022B7000-memory.dmp

Filesize
28KB

Download
memory/3920-139-0x0000000002640000-0x0000000002A40000-memory.dmp

Filesize
4.0MB

Download
memory/3920-140-0x0000000002640000-0x0000000002A40000-memory.dmp

Filesize
4.0MB

Download
memory/3920-136-0x0000000002210000-0x0000000002281000-memory.dmp

Filesize
452KB

Download
memory/3920-145-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3920-146-0x0000000003340000-0x0000000003376000-memory.dmp

Filesize
216KB

Download
memory/3920-153-0x0000000002640000-0x0000000002A40000-memory.dmp

Filesize
4.0MB

Download
memory/3920-141-0x0000000002640000-0x0000000002A40000-memory.dmp

Filesize
4.0MB

Download
memory/3920-152-0x0000000003340000-0x0000000003376000-memory.dmp

Filesize
216KB

Download
memory/3920-142-0x0000000002640000-0x0000000002A40000-memory.dmp

Filesize
4.0MB

Download
memory/3920-155-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3920-156-0x0000000002640000-0x0000000002A40000-memory.dmp

Filesize
4.0MB

Download
memory/3920-144-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/4024-2198-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4024-2200-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4024-2199-0x0000000000410000-0x0000000000414000-memory.dmp

Filesize
16KB

Download
memory/4024-2516-0x0000000000410000-0x0000000000414000-memory.dmp

Filesize
16KB

Download
memory/4028-2197-0x0000000000900000-0x000000000090C000-memory.dmp

Filesize
48KB

Download
memory/4028-2195-0x0000000000900000-0x000000000090C000-memory.dmp

Filesize
48KB

Download
memory/4028-2196-0x0000000000910000-0x0000000000917000-memory.dmp

Filesize
28KB

Download
memory/4056-1288-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4056-628-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4056-197-0x0000000000700000-0x000000000070F000-memory.dmp

Filesize
60KB

Download
memory/4056-196-0x0000000000770000-0x0000000000870000-memory.dmp

Filesize
1024KB

Download
memory/4056-1961-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4056-199-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4056-2888-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4056-538-0x0000000000770000-0x0000000000870000-memory.dmp

Filesize
1024KB

Download
memory/4180-2896-0x00000000006B0000-0x00000000006B9000-memory.dmp

Filesize
36KB

Download
memory/4180-2893-0x00000000006B0000-0x00000000006B9000-memory.dmp

Filesize
36KB

Download
memory/4180-2895-0x00000000006C0000-0x00000000006C5000-memory.dmp

Filesize
20KB

Download
memory/4452-2238-0x0000000000670000-0x00000000006E5000-memory.dmp

Filesize
468KB

Download
memory/4452-1962-0x0000000000600000-0x000000000066B000-memory.dmp

Filesize
428KB

Download
memory/4452-2239-0x0000000000600000-0x000000000066B000-memory.dmp

Filesize
428KB

Download
memory/4452-2073-0x0000000000670000-0x00000000006E5000-memory.dmp

Filesize
468KB

Download
memory/4452-2082-0x0000000000600000-0x000000000066B000-memory.dmp

Filesize
428KB

Download
memory/4900-3053-0x0000000001400000-0x0000000001406000-memory.dmp

Filesize
24KB

Download
memory/4900-3050-0x00000000011F0000-0x00000000011FB000-memory.dmp

Filesize
44KB

Download
memory/4920-3140-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download