phobos | b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d18c07abced7f8fc570c83dd825bb0b.exe
Size

451KB
MD5

4d18c07abced7f8fc570c83dd825bb0b
SHA1

4e1d179697ab7536ee475494b158b969963e0bf6
SHA256

b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
SHA512

daf48720ed402be15b532a32d10dd8823b564516d5f6d6628ca646c20347f7180bf911c7b8dfd75c03826badf719534bd45e1c26c5bd4857680ec77e63f4c5a4
SSDEEP

6144:ekN8IaM0bFfBmtjlfXKG/PhjPO6odPgQ4PJsL0cVeMmhi9MdNeerB+0Vsw:V8DM0blqjl/h/97MV0cGLNZxV

Score

10^/10

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Signatures

Detect rhadamanthys stealer shellcode 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3272-138-0x0000000004D80000-0x0000000005180000-memory.dmp	family_rhadamanthys
behavioral2/memory/3272-139-0x0000000004D80000-0x0000000005180000-memory.dmp	family_rhadamanthys
behavioral2/memory/3272-140-0x0000000004D80000-0x0000000005180000-memory.dmp	family_rhadamanthys
behavioral2/memory/3272-142-0x0000000004D80000-0x0000000005180000-memory.dmp	family_rhadamanthys
behavioral2/memory/3272-155-0x0000000004D80000-0x0000000005180000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

4d18c07abced7f8fc570c83dd825bb0b.exe

description pid process target process

PID 3272 created 3144 3272 4d18c07abced7f8fc570c83dd825bb0b.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1396 bcdedit.exe
4412 bcdedit.exe
Renames multiple (346) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3920 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

2924 netsh.exe
4328 netsh.exe
Drops startup file 1 IoCs

Processes:

syuQ1.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\syuQ1.exe syuQ1.exe
Executes dropped EXE 6 IoCs

Processes:

syuQ1.exe[Kl.exeFy3`yV.exesyuQ1.exeFy3`yV.exe8EAA.exe

pid process

5080 syuQ1.exe
1432 [Kl.exe
4048 Fy3`yV.exe
3476 syuQ1.exe
3044 Fy3`yV.exe
1620 8EAA.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 3272 created 3144	3272	4d18c07abced7f8fc570c83dd825bb0b.exe	Explorer.EXE

pid	process
1396	bcdedit.exe
4412	bcdedit.exe

pid	process
3920	wbadmin.exe

pid	process
2924	netsh.exe
4328	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\syuQ1.exe	syuQ1.exe

pid	process
5080	syuQ1.exe
1432	[Kl.exe
4048	Fy3`yV.exe
3476	syuQ1.exe
3044	Fy3`yV.exe
1620	8EAA.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

syuQ1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syuQ1 = "C:\\Users\\Admin\\AppData\\Local\\syuQ1.exe"	syuQ1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syuQ1 = "C:\\Users\\Admin\\AppData\\Local\\syuQ1.exe"	syuQ1.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

syuQ1.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini	syuQ1.exe
File opened for modification	C:\Program Files\desktop.ini	syuQ1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	syuQ1.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini	syuQ1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Fy3`yV.exe

description pid process target process

PID 4048 set thread context of 3044 4048 Fy3`yV.exe Fy3`yV.exe

description	pid	process	target process
PID 4048 set thread context of 3044	4048	Fy3`yV.exe	Fy3`yV.exe

Drops file in Program Files directory 64 IoCs

Processes:

syuQ1.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.INF.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\fre_background.jpg	syuQ1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui	syuQ1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\jvm.hprof.txt.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms	syuQ1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\oregres.dll	syuQ1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-256_contrast-black.png	syuQ1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Globalization.Extensions.dll	syuQ1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_sw.dll.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml	syuQ1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.ELM.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\BuildInfo.xml	syuQ1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml	syuQ1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\gstreamer-lite.dll.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\onenotemui.msi.16.en-us.vreg.dat	syuQ1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	syuQ1.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libftp_plugin.dll.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll	syuQ1.exe
File created	C:\Program Files\7-Zip\readme.txt.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	syuQ1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	syuQ1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-125.png	syuQ1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\WideTile.scale-125.png	syuQ1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar	syuQ1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-100_contrast-black.png	syuQ1.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui	syuQ1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar	syuQ1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll	syuQ1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	syuQ1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms	syuQ1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties	syuQ1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar	syuQ1.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	syuQ1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125.png	syuQ1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	syuQ1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\jconsole.jar.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File created	C:\Program Files\Mozilla Firefox\precomplete.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-40_altform-unplated_contrast-white.png	syuQ1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	syuQ1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-200.png	syuQ1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml	syuQ1.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jsound.dll	syuQ1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.id[6A87AEF0-3483].[[email protected]].8base	syuQ1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\175.png	syuQ1.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui	syuQ1.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2636 3272 WerFault.exe 4d18c07abced7f8fc570c83dd825bb0b.exe
2364 3476 WerFault.exe syuQ1.exe
3780 1620 WerFault.exe 8EAA.exe

pid	pid_target	process	target process
2636	3272	WerFault.exe	4d18c07abced7f8fc570c83dd825bb0b.exe
2364	3476	WerFault.exe	syuQ1.exe
3780	1620	WerFault.exe	8EAA.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exeFy3`yV.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fy3`yV.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fy3`yV.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fy3`yV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4788 vssadmin.exe

pid	process
4788	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4d18c07abced7f8fc570c83dd825bb0b.execertreq.exeFy3`yV.exesyuQ1.exeExplorer.EXE

pid	process
3272	4d18c07abced7f8fc570c83dd825bb0b.exe
3272	4d18c07abced7f8fc570c83dd825bb0b.exe
3272	4d18c07abced7f8fc570c83dd825bb0b.exe
3272	4d18c07abced7f8fc570c83dd825bb0b.exe
4576	certreq.exe
4576	certreq.exe
4576	certreq.exe
4576	certreq.exe
3044	Fy3`yV.exe
3044	Fy3`yV.exe
5080	syuQ1.exe
5080	syuQ1.exe
5080	syuQ1.exe
5080	syuQ1.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
5080	syuQ1.exe
5080	syuQ1.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
5080	syuQ1.exe
5080	syuQ1.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
5080	syuQ1.exe
5080	syuQ1.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
5080	syuQ1.exe
5080	syuQ1.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3144 Explorer.EXE

pid	process
3144	Explorer.EXE

Suspicious behavior: MapViewOfSection 31 IoCs

Processes:

Fy3`yV.exeExplorer.EXE

pid	process
3044	Fy3`yV.exe
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE
3144	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

syuQ1.exevssvc.exeExplorer.EXEWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	5080	syuQ1.exe
Token: SeBackupPrivilege	4080	vssvc.exe
Token: SeRestorePrivilege	4080	vssvc.exe
Token: SeAuditPrivilege	4080	vssvc.exe
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2300	WMIC.exe
Token: SeSecurityPrivilege	2300	WMIC.exe
Token: SeTakeOwnershipPrivilege	2300	WMIC.exe
Token: SeLoadDriverPrivilege	2300	WMIC.exe
Token: SeSystemProfilePrivilege	2300	WMIC.exe
Token: SeSystemtimePrivilege	2300	WMIC.exe
Token: SeProfSingleProcessPrivilege	2300	WMIC.exe
Token: SeIncBasePriorityPrivilege	2300	WMIC.exe
Token: SeCreatePagefilePrivilege	2300	WMIC.exe
Token: SeBackupPrivilege	2300	WMIC.exe
Token: SeRestorePrivilege	2300	WMIC.exe
Token: SeShutdownPrivilege	2300	WMIC.exe
Token: SeDebugPrivilege	2300	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2300	WMIC.exe
Token: SeRemoteShutdownPrivilege	2300	WMIC.exe
Token: SeUndockPrivilege	2300	WMIC.exe
Token: SeManageVolumePrivilege	2300	WMIC.exe
Token: 33	2300	WMIC.exe
Token: 34	2300	WMIC.exe
Token: 35	2300	WMIC.exe
Token: 36	2300	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2300	WMIC.exe
Token: SeSecurityPrivilege	2300	WMIC.exe
Token: SeTakeOwnershipPrivilege	2300	WMIC.exe
Token: SeLoadDriverPrivilege	2300	WMIC.exe
Token: SeSystemProfilePrivilege	2300	WMIC.exe
Token: SeSystemtimePrivilege	2300	WMIC.exe
Token: SeProfSingleProcessPrivilege	2300	WMIC.exe
Token: SeIncBasePriorityPrivilege	2300	WMIC.exe
Token: SeCreatePagefilePrivilege	2300	WMIC.exe
Token: SeBackupPrivilege	2300	WMIC.exe
Token: SeRestorePrivilege	2300	WMIC.exe
Token: SeShutdownPrivilege	2300	WMIC.exe
Token: SeDebugPrivilege	2300	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2300	WMIC.exe
Token: SeRemoteShutdownPrivilege	2300	WMIC.exe
Token: SeUndockPrivilege	2300	WMIC.exe
Token: SeManageVolumePrivilege	2300	WMIC.exe
Token: 33	2300	WMIC.exe
Token: 34	2300	WMIC.exe
Token: 35	2300	WMIC.exe
Token: 36	2300	WMIC.exe
Token: SeBackupPrivilege	5008	wbengine.exe
Token: SeRestorePrivilege	5008	wbengine.exe
Token: SeSecurityPrivilege	5008	wbengine.exe
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4d18c07abced7f8fc570c83dd825bb0b.exeFy3`yV.exesyuQ1.execmd.execmd.exeExplorer.EXE

description	pid	process	target process
PID 3272 wrote to memory of 4576	3272	4d18c07abced7f8fc570c83dd825bb0b.exe	certreq.exe
PID 3272 wrote to memory of 4576	3272	4d18c07abced7f8fc570c83dd825bb0b.exe	certreq.exe
PID 3272 wrote to memory of 4576	3272	4d18c07abced7f8fc570c83dd825bb0b.exe	certreq.exe
PID 3272 wrote to memory of 4576	3272	4d18c07abced7f8fc570c83dd825bb0b.exe	certreq.exe
PID 4048 wrote to memory of 3044	4048	Fy3`yV.exe	Fy3`yV.exe
PID 4048 wrote to memory of 3044	4048	Fy3`yV.exe	Fy3`yV.exe
PID 4048 wrote to memory of 3044	4048	Fy3`yV.exe	Fy3`yV.exe
PID 4048 wrote to memory of 3044	4048	Fy3`yV.exe	Fy3`yV.exe
PID 4048 wrote to memory of 3044	4048	Fy3`yV.exe	Fy3`yV.exe
PID 4048 wrote to memory of 3044	4048	Fy3`yV.exe	Fy3`yV.exe
PID 5080 wrote to memory of 4340	5080	syuQ1.exe	cmd.exe
PID 5080 wrote to memory of 4340	5080	syuQ1.exe	cmd.exe
PID 5080 wrote to memory of 3548	5080	syuQ1.exe	cmd.exe
PID 5080 wrote to memory of 3548	5080	syuQ1.exe	cmd.exe
PID 4340 wrote to memory of 4788	4340	cmd.exe	vssadmin.exe
PID 4340 wrote to memory of 4788	4340	cmd.exe	vssadmin.exe
PID 3548 wrote to memory of 2924	3548	cmd.exe	netsh.exe
PID 3548 wrote to memory of 2924	3548	cmd.exe	netsh.exe
PID 3548 wrote to memory of 4328	3548	cmd.exe	netsh.exe
PID 3548 wrote to memory of 4328	3548	cmd.exe	netsh.exe
PID 4340 wrote to memory of 2300	4340	cmd.exe	WMIC.exe
PID 4340 wrote to memory of 2300	4340	cmd.exe	WMIC.exe
PID 4340 wrote to memory of 1396	4340	cmd.exe	bcdedit.exe
PID 4340 wrote to memory of 1396	4340	cmd.exe	bcdedit.exe
PID 4340 wrote to memory of 4412	4340	cmd.exe	bcdedit.exe
PID 4340 wrote to memory of 4412	4340	cmd.exe	bcdedit.exe
PID 4340 wrote to memory of 3920	4340	cmd.exe	wbadmin.exe
PID 4340 wrote to memory of 3920	4340	cmd.exe	wbadmin.exe
PID 3144 wrote to memory of 1620	3144	Explorer.EXE	8EAA.exe
PID 3144 wrote to memory of 1620	3144	Explorer.EXE	8EAA.exe
PID 3144 wrote to memory of 1620	3144	Explorer.EXE	8EAA.exe
PID 3144 wrote to memory of 2932	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 2932	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 2932	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 2932	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 4608	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 4608	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 4608	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1316	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1316	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1316	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1316	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 3396	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 3396	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 3396	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 3396	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1748	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1748	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1748	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1748	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1160	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1160	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1160	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 3164	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 3164	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 3164	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 3164	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 3816	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 3816	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 3816	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1772	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1772	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1772	3144	Explorer.EXE	explorer.exe
PID 3144 wrote to memory of 1772	3144	Explorer.EXE	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe
"C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 948
3⤵
- Program crash
PID:2636

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4576

C:\Users\Admin\AppData\Local\Temp\8EAA.exe
C:\Users\Admin\AppData\Local\Temp\8EAA.exe
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 496
3⤵
- Program crash
PID:3780

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2932

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4608

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1316

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3396

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1748

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1160

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3164

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3816

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1772

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:5076

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4844

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3476

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1352

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2972

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3272 -ip 3272
1⤵
PID:5008

C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe
"C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080

C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe
"C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe"
2⤵
- Executes dropped EXE
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 320
3⤵
- Program crash
PID:2364

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:2924

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:4328

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4788

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1396

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:4412

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3920

C:\Users\Admin\AppData\Local\Microsoft\[Kl.exe
"C:\Users\Admin\AppData\Local\Microsoft\[Kl.exe"
1⤵
- Executes dropped EXE
PID:1432

C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe
"C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe
"C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4704

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3476 -ip 3476
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1620 -ip 1620
1⤵
PID:64

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[6A87AEF0-3483].[[email protected]].8base
Filesize
2.7MB

MD5
2a754c0e6b8838a641ff3b13a3100317

SHA1
93cd3d69349345f6792069251fdaf05eb98775dd

SHA256
c31049c5ed25444086ff0e38787650b7a689ffa13e3b7dea3c48c45f655383f7

SHA512
b63e4af89ab3357126d556a7918cd54b01a41afec8860bb45990baedfb54fa57f967125dc3321b58eb65a4a054cf0768e03a9bab493e922406cd5f72baffcb77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe
Filesize
166KB

MD5
1b2b02b4b524fe02b8b96bd781c8eceb

SHA1
36e2eb7e1ae58b103b2d1cca5991786b0118534b

SHA256
e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6

SHA512
80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe
Filesize
166KB

MD5
1b2b02b4b524fe02b8b96bd781c8eceb

SHA1
36e2eb7e1ae58b103b2d1cca5991786b0118534b

SHA256
e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6

SHA512
80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe
Filesize
166KB

MD5
1b2b02b4b524fe02b8b96bd781c8eceb

SHA1
36e2eb7e1ae58b103b2d1cca5991786b0118534b

SHA256
e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6

SHA512
80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\[Kl.exe
Filesize
164KB

MD5
3524139d7687147f53dc7df4f4867093

SHA1
77a6308dc4981ac164a887ed54a0e01c63c17c63

SHA256
954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081

SHA512
48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\[Kl.exe
Filesize
164KB

MD5
3524139d7687147f53dc7df4f4867093

SHA1
77a6308dc4981ac164a887ed54a0e01c63c17c63

SHA256
954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081

SHA512
48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EAA.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EAA.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EAA.exe
Filesize
165KB

MD5
65ba8303fabfb2652158af69f7124772

SHA1
e7a679c504b8f00c995da10f1fa66fb6458832a2

SHA256
3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8

SHA512
cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

Download Submit
memory/1160-2216-0x0000000000BC0000-0x0000000000BCF000-memory.dmp

Filesize
60KB

Download
memory/1160-2937-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

Filesize
36KB

Download
memory/1160-2211-0x0000000000BC0000-0x0000000000BCF000-memory.dmp

Filesize
60KB

Download
memory/1160-2215-0x0000000000BD0000-0x0000000000BD9000-memory.dmp

Filesize
36KB

Download
memory/1316-2026-0x0000000001060000-0x0000000001064000-memory.dmp

Filesize
16KB

Download
memory/1316-2336-0x0000000001060000-0x0000000001064000-memory.dmp

Filesize
16KB

Download
memory/1316-2027-0x0000000001050000-0x0000000001059000-memory.dmp

Filesize
36KB

Download
memory/1316-2043-0x0000000001050000-0x0000000001059000-memory.dmp

Filesize
36KB

Download
memory/1352-3618-0x00000000012B0000-0x00000000012BB000-memory.dmp

Filesize
44KB

Download
memory/1352-3593-0x00000000012B0000-0x00000000012BB000-memory.dmp

Filesize
44KB

Download
memory/1432-205-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1432-197-0x0000000000710000-0x0000000000715000-memory.dmp

Filesize
20KB

Download
memory/1432-196-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1432-198-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1748-2139-0x0000000000350000-0x0000000000357000-memory.dmp

Filesize
28KB

Download
memory/1748-2140-0x0000000000340000-0x000000000034B000-memory.dmp

Filesize
44KB

Download
memory/1748-2137-0x0000000000340000-0x000000000034B000-memory.dmp

Filesize
44KB

Download
memory/1748-2647-0x0000000000350000-0x0000000000357000-memory.dmp

Filesize
28KB

Download
memory/1772-2436-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/1772-2437-0x0000000000140000-0x0000000000144000-memory.dmp

Filesize
16KB

Download
memory/1772-3624-0x0000000000140000-0x0000000000144000-memory.dmp

Filesize
16KB

Download
memory/1772-2438-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/2932-2213-0x0000000000D50000-0x0000000000DBB000-memory.dmp

Filesize
428KB

Download
memory/2932-1935-0x0000000001000000-0x0000000001075000-memory.dmp

Filesize
468KB

Download
memory/2932-1924-0x0000000000D50000-0x0000000000DBB000-memory.dmp

Filesize
428KB

Download
memory/2932-1914-0x0000000000D50000-0x0000000000DBB000-memory.dmp

Filesize
428KB

Download
memory/2972-3625-0x0000000000BE0000-0x0000000000BED000-memory.dmp

Filesize
52KB

Download
memory/2972-3626-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/2972-3627-0x0000000000BE0000-0x0000000000BED000-memory.dmp

Filesize
52KB

Download
memory/3044-201-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3044-342-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3044-203-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3144-327-0x0000000002A00000-0x0000000002A16000-memory.dmp

Filesize
88KB

Download
memory/3164-2307-0x0000000001050000-0x0000000001059000-memory.dmp

Filesize
36KB

Download
memory/3164-2311-0x0000000001060000-0x0000000001065000-memory.dmp

Filesize
20KB

Download
memory/3164-2327-0x0000000001050000-0x0000000001059000-memory.dmp

Filesize
36KB

Download
memory/3164-3179-0x0000000001060000-0x0000000001065000-memory.dmp

Filesize
20KB

Download
memory/3272-142-0x0000000004D80000-0x0000000005180000-memory.dmp

Filesize
4.0MB

Download
memory/3272-141-0x0000000000400000-0x0000000002B7C000-memory.dmp

Filesize
39.5MB

Download
memory/3272-156-0x0000000000400000-0x0000000002B7C000-memory.dmp

Filesize
39.5MB

Download
memory/3272-134-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/3272-155-0x0000000004D80000-0x0000000005180000-memory.dmp

Filesize
4.0MB

Download
memory/3272-136-0x0000000000400000-0x0000000002B7C000-memory.dmp

Filesize
39.5MB

Download
memory/3272-137-0x0000000004960000-0x0000000004967000-memory.dmp

Filesize
28KB

Download
memory/3272-138-0x0000000004D80000-0x0000000005180000-memory.dmp

Filesize
4.0MB

Download
memory/3272-139-0x0000000004D80000-0x0000000005180000-memory.dmp

Filesize
4.0MB

Download
memory/3272-140-0x0000000004D80000-0x0000000005180000-memory.dmp

Filesize
4.0MB

Download
memory/3272-152-0x00000000059C0000-0x00000000059F6000-memory.dmp

Filesize
216KB

Download
memory/3272-143-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/3272-145-0x0000000002E20000-0x0000000002E91000-memory.dmp

Filesize
452KB

Download
memory/3272-146-0x00000000059C0000-0x00000000059F6000-memory.dmp

Filesize
216KB

Download
memory/3272-135-0x0000000002E20000-0x0000000002E91000-memory.dmp

Filesize
452KB

Download
memory/3396-2124-0x0000000001060000-0x000000000106A000-memory.dmp

Filesize
40KB

Download
memory/3396-2147-0x0000000001050000-0x000000000105B000-memory.dmp

Filesize
44KB

Download
memory/3396-2125-0x0000000001050000-0x000000000105B000-memory.dmp

Filesize
44KB

Download
memory/3476-1525-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/3476-3202-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

Filesize
36KB

Download
memory/3476-1526-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3476-3157-0x0000000000DF0000-0x0000000000DF9000-memory.dmp

Filesize
36KB

Download
memory/3816-3614-0x0000000000B20000-0x0000000000B26000-memory.dmp

Filesize
24KB

Download
memory/3816-2434-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/3816-2405-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/3816-2412-0x0000000000B20000-0x0000000000B26000-memory.dmp

Filesize
24KB

Download
memory/3868-3775-0x0000000000F30000-0x0000000000F3B000-memory.dmp

Filesize
44KB

Download
memory/3868-3774-0x0000000000F40000-0x0000000000F48000-memory.dmp

Filesize
32KB

Download
memory/3868-3772-0x0000000000F30000-0x0000000000F3B000-memory.dmp

Filesize
44KB

Download
memory/4048-200-0x0000000000520000-0x0000000000529000-memory.dmp

Filesize
36KB

Download
memory/4048-199-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/4576-173-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-171-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-144-0x000001B79C670000-0x000001B79C673000-memory.dmp

Filesize
12KB

Download
memory/4576-157-0x000001B79C670000-0x000001B79C673000-memory.dmp

Filesize
12KB

Download
memory/4576-158-0x000001B79C6C0000-0x000001B79C6C7000-memory.dmp

Filesize
28KB

Download
memory/4576-159-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-160-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-161-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-162-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-163-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-165-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-190-0x00007FFCD2BD0000-0x00007FFCD2DC5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-189-0x000001B79C6C0000-0x000001B79C6C5000-memory.dmp

Filesize
20KB

Download
memory/4576-176-0x00007FFCD2BD0000-0x00007FFCD2DC5000-memory.dmp

Filesize
2.0MB

Download
memory/4576-175-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-174-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-172-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-167-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-168-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-169-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmp

Filesize
1.2MB

Download
memory/4576-170-0x00007FFCD2BD0000-0x00007FFCD2DC5000-memory.dmp

Filesize
2.0MB

Download
memory/4608-1911-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/4608-1912-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/4608-1910-0x0000000000C80000-0x0000000000C87000-memory.dmp

Filesize
28KB

Download
memory/4844-2938-0x0000000000620000-0x0000000000647000-memory.dmp

Filesize
156KB

Download
memory/4844-2981-0x0000000000650000-0x0000000000671000-memory.dmp

Filesize
132KB

Download
memory/4844-2898-0x0000000000620000-0x0000000000647000-memory.dmp

Filesize
156KB

Download
memory/4844-3896-0x0000000000650000-0x0000000000671000-memory.dmp

Filesize
132KB

Download
memory/5076-3773-0x00000000009E0000-0x00000000009E5000-memory.dmp

Filesize
20KB

Download
memory/5076-2629-0x00000000009D0000-0x00000000009D9000-memory.dmp

Filesize
36KB

Download
memory/5076-2672-0x00000000009E0000-0x00000000009E5000-memory.dmp

Filesize
20KB

Download
memory/5076-2682-0x00000000009D0000-0x00000000009D9000-memory.dmp

Filesize
36KB

Download
memory/5080-192-0x0000000000520000-0x000000000052F000-memory.dmp

Filesize
60KB

Download
memory/5080-193-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5080-204-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/5080-430-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5080-1297-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5080-191-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/5080-2212-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5080-3877-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5080-4495-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download