ammyyadmin | 6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb

Analysis

max time kernel
89s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2023 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17688f03f125bb494dc7f304b8936221.exe
Size

833KB
MD5

17688f03f125bb494dc7f304b8936221
SHA1

7fadc66ba11a5b3c4582f4d9b5b245801ccf918a
SHA256

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb
SHA512

1636d32e5a59c5c3577d0dc5ecf7dbccc22cc0ce2087889974903257d500e694d2cee4218c17ddba747c4b59ea4f811889837883b40cd009c1463cdc21f65a06
SSDEEP

12288:Ib/bL1cEYZpFQOT4KpMT+msoH985+3wAFn6DQnbu7L3SpiQXYIOnUfvDrD8FEsim:WzLmQsI85mn6DQDYpmv8FEyuOGLU

Score

10^/10

ammyyadmin phobos rhadamanthys smokeloader backdoor collection evasion persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://serverxlogs21.xyz/statweb255/

http://servxblog79.xyz/statweb255/

http://demblog289.xyz/statweb255/

http://admlogs77x.online/statweb255/

http://blogxstat38.xyz/statweb255/

http://blogxstat25.xyz/statweb255/

rc4.i32

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\90E.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\90E.tmp\svchost.exe	family_ammyyadmin

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3060-11-0x0000000002E80000-0x0000000003280000-memory.dmp	family_rhadamanthys
behavioral2/memory/3060-12-0x0000000002E80000-0x0000000003280000-memory.dmp	family_rhadamanthys
behavioral2/memory/3060-13-0x0000000002E80000-0x0000000003280000-memory.dmp	family_rhadamanthys
behavioral2/memory/3060-14-0x0000000002E80000-0x0000000003280000-memory.dmp	family_rhadamanthys
behavioral2/memory/3060-24-0x0000000002E80000-0x0000000003280000-memory.dmp	family_rhadamanthys
behavioral2/memory/3060-25-0x0000000002E80000-0x0000000003280000-memory.dmp	family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

17688f03f125bb494dc7f304b8936221.exeC8EC.exe

description	pid	process	target process
PID 3060 created 3132	3060	17688f03f125bb494dc7f304b8936221.exe	Explorer.EXE
PID 2748 created 3132	2748	C8EC.exe	Explorer.EXE

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1940 bcdedit.exe
2844 bcdedit.exe
Renames multiple (331) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4524 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

1552 netsh.exe
2040 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Drops startup file 1 IoCs

Processes:

f{Rs.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\f{Rs.exe f{Rs.exe

pid	process
1940	bcdedit.exe
2844	bcdedit.exe

pid	process
4524	wbadmin.exe

pid	process
1552	netsh.exe
2040	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\f{Rs.exe	f{Rs.exe

Executes dropped EXE 16 IoCs

Processes:

f{Rs.exe[3r1N2xff.exef{Rs.exef{Rs.exef{Rs.exe[3r1N2xff.exef{Rs.exe99AB.exe9C0D.exe99AB.exe99AB.exeA48A.exe9C0D.exeC8EC.exe9C0D.exe9C0D.exe

pid	process
4792	f{Rs.exe
4020	[3r1N2xff.exe
2912	f{Rs.exe
2372	f{Rs.exe
2148	f{Rs.exe
2836	[3r1N2xff.exe
1996	f{Rs.exe
1940	99AB.exe
1088	9C0D.exe
2592	99AB.exe
2612	99AB.exe
4804	A48A.exe
2196	9C0D.exe
2748	C8EC.exe
4892	9C0D.exe
3368	9C0D.exe

Loads dropped DLL 1 IoCs

Processes:

A48A.exe

pid process

4804 A48A.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4804	A48A.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f{Rs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f{Rs = "C:\\Users\\Admin\\AppData\\Local\\f{Rs.exe"	f{Rs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f{Rs = "C:\\Users\\Admin\\AppData\\Local\\f{Rs.exe"	f{Rs.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

f{Rs.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2848203831-2014322062-3611574811-1000\desktop.ini	f{Rs.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2848203831-2014322062-3611574811-1000\desktop.ini	f{Rs.exe
File opened for modification	C:\Program Files\desktop.ini	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	f{Rs.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

17688f03f125bb494dc7f304b8936221.exef{Rs.exe[3r1N2xff.exef{Rs.exe99AB.exe

description	pid	process	target process
PID 4008 set thread context of 3060	4008	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 4792 set thread context of 2372	4792	f{Rs.exe	f{Rs.exe
PID 4020 set thread context of 2836	4020	[3r1N2xff.exe	[3r1N2xff.exe
PID 2148 set thread context of 1996	2148	f{Rs.exe	f{Rs.exe
PID 1940 set thread context of 2612	1940	99AB.exe	99AB.exe

Drops file in Program Files directory 64 IoCs

Processes:

f{Rs.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CENTURY.TTF	f{Rs.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms	f{Rs.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\updater.jar	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTabControl.v8.1.dll.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\vfs\System\FM20ENU.DLL.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar	f{Rs.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar	f{Rs.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer	f{Rs.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar	f{Rs.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-heap-l1-1-0.dll.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui	f{Rs.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\jfxmedia.dll.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\vcruntime140.dll.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.dll	f{Rs.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	f{Rs.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	f{Rs.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jfxmedia.dll	f{Rs.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\COPYRIGHT	f{Rs.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_CN.properties	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-conio-l1-1-0.dll	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ppd.xrm-ms	f{Rs.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.INF	f{Rs.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl	f{Rs.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.update\platform.xml	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgrammar8.dll	f{Rs.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\setEmbeddedCP.bat.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\content-types.properties	f{Rs.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_zh_CN.jar	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000A.dll.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxt.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-ms.id[2797A0F3-3483].[[email protected]].8base	f{Rs.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png	f{Rs.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2580 sc.exe
1604 sc.exe
1648 sc.exe
640 sc.exe
2284 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1272 616 WerFault.exe
1988 676 WerFault.exe

pid	process
2580	sc.exe
1604	sc.exe
1648	sc.exe
640	sc.exe
2284	sc.exe

pid	pid_target	process	target process
1272	616	WerFault.exe
1988	676	WerFault.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A48A.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\A48A.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\A48A.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\A48A.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

[3r1N2xff.exevds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	[3r1N2xff.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	[3r1N2xff.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	[3r1N2xff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4796 vssadmin.exe

pid	process
4796	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

17688f03f125bb494dc7f304b8936221.exe17688f03f125bb494dc7f304b8936221.execertreq.exef{Rs.exe[3r1N2xff.exef{Rs.exe[3r1N2xff.exef{Rs.exeExplorer.EXE

pid	process
4008	17688f03f125bb494dc7f304b8936221.exe
3060	17688f03f125bb494dc7f304b8936221.exe
3060	17688f03f125bb494dc7f304b8936221.exe
3060	17688f03f125bb494dc7f304b8936221.exe
3060	17688f03f125bb494dc7f304b8936221.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4284	certreq.exe
4792	f{Rs.exe
4020	[3r1N2xff.exe
4792	f{Rs.exe
4792	f{Rs.exe
2148	f{Rs.exe
2836	[3r1N2xff.exe
2836	[3r1N2xff.exe
2372	f{Rs.exe
2372	f{Rs.exe
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
2372	f{Rs.exe
2372	f{Rs.exe
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
2372	f{Rs.exe
2372	f{Rs.exe
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
2372	f{Rs.exe
2372	f{Rs.exe
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE

Suspicious behavior: MapViewOfSection 31 IoCs

Processes:

[3r1N2xff.exeExplorer.EXE

pid	process
2836	[3r1N2xff.exe
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

17688f03f125bb494dc7f304b8936221.exef{Rs.exe[3r1N2xff.exef{Rs.exef{Rs.exevssvc.exeExplorer.EXEWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4008	17688f03f125bb494dc7f304b8936221.exe
Token: SeDebugPrivilege	4792	f{Rs.exe
Token: SeDebugPrivilege	4020	[3r1N2xff.exe
Token: SeDebugPrivilege	2148	f{Rs.exe
Token: SeDebugPrivilege	2372	f{Rs.exe
Token: SeBackupPrivilege	4104	vssvc.exe
Token: SeRestorePrivilege	4104	vssvc.exe
Token: SeAuditPrivilege	4104	vssvc.exe
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3952	WMIC.exe
Token: SeSecurityPrivilege	3952	WMIC.exe
Token: SeTakeOwnershipPrivilege	3952	WMIC.exe
Token: SeLoadDriverPrivilege	3952	WMIC.exe
Token: SeSystemProfilePrivilege	3952	WMIC.exe
Token: SeSystemtimePrivilege	3952	WMIC.exe
Token: SeProfSingleProcessPrivilege	3952	WMIC.exe
Token: SeIncBasePriorityPrivilege	3952	WMIC.exe
Token: SeCreatePagefilePrivilege	3952	WMIC.exe
Token: SeBackupPrivilege	3952	WMIC.exe
Token: SeRestorePrivilege	3952	WMIC.exe
Token: SeShutdownPrivilege	3952	WMIC.exe
Token: SeDebugPrivilege	3952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3952	WMIC.exe
Token: SeRemoteShutdownPrivilege	3952	WMIC.exe
Token: SeUndockPrivilege	3952	WMIC.exe
Token: SeManageVolumePrivilege	3952	WMIC.exe
Token: 33	3952	WMIC.exe
Token: 34	3952	WMIC.exe
Token: 35	3952	WMIC.exe
Token: 36	3952	WMIC.exe
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3952	WMIC.exe
Token: SeSecurityPrivilege	3952	WMIC.exe
Token: SeTakeOwnershipPrivilege	3952	WMIC.exe
Token: SeLoadDriverPrivilege	3952	WMIC.exe
Token: SeSystemProfilePrivilege	3952	WMIC.exe
Token: SeSystemtimePrivilege	3952	WMIC.exe
Token: SeProfSingleProcessPrivilege	3952	WMIC.exe
Token: SeIncBasePriorityPrivilege	3952	WMIC.exe
Token: SeCreatePagefilePrivilege	3952	WMIC.exe
Token: SeBackupPrivilege	3952	WMIC.exe
Token: SeRestorePrivilege	3952	WMIC.exe
Token: SeShutdownPrivilege	3952	WMIC.exe
Token: SeDebugPrivilege	3952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3952	WMIC.exe
Token: SeRemoteShutdownPrivilege	3952	WMIC.exe
Token: SeUndockPrivilege	3952	WMIC.exe
Token: SeManageVolumePrivilege	3952	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17688f03f125bb494dc7f304b8936221.exe17688f03f125bb494dc7f304b8936221.exef{Rs.exe[3r1N2xff.exef{Rs.exef{Rs.execmd.execmd.exeExplorer.EXE

description	pid	process	target process
PID 4008 wrote to memory of 3060	4008	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 4008 wrote to memory of 3060	4008	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 4008 wrote to memory of 3060	4008	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 4008 wrote to memory of 3060	4008	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 4008 wrote to memory of 3060	4008	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 4008 wrote to memory of 3060	4008	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 4008 wrote to memory of 3060	4008	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 4008 wrote to memory of 3060	4008	17688f03f125bb494dc7f304b8936221.exe	17688f03f125bb494dc7f304b8936221.exe
PID 3060 wrote to memory of 4284	3060	17688f03f125bb494dc7f304b8936221.exe	certreq.exe
PID 3060 wrote to memory of 4284	3060	17688f03f125bb494dc7f304b8936221.exe	certreq.exe
PID 3060 wrote to memory of 4284	3060	17688f03f125bb494dc7f304b8936221.exe	certreq.exe
PID 3060 wrote to memory of 4284	3060	17688f03f125bb494dc7f304b8936221.exe	certreq.exe
PID 4792 wrote to memory of 2912	4792	f{Rs.exe	f{Rs.exe
PID 4792 wrote to memory of 2912	4792	f{Rs.exe	f{Rs.exe
PID 4792 wrote to memory of 2912	4792	f{Rs.exe	f{Rs.exe
PID 4792 wrote to memory of 2372	4792	f{Rs.exe	f{Rs.exe
PID 4792 wrote to memory of 2372	4792	f{Rs.exe	f{Rs.exe
PID 4792 wrote to memory of 2372	4792	f{Rs.exe	f{Rs.exe
PID 4792 wrote to memory of 2372	4792	f{Rs.exe	f{Rs.exe
PID 4792 wrote to memory of 2372	4792	f{Rs.exe	f{Rs.exe
PID 4792 wrote to memory of 2372	4792	f{Rs.exe	f{Rs.exe
PID 4792 wrote to memory of 2372	4792	f{Rs.exe	f{Rs.exe
PID 4792 wrote to memory of 2372	4792	f{Rs.exe	f{Rs.exe
PID 4792 wrote to memory of 2372	4792	f{Rs.exe	f{Rs.exe
PID 4792 wrote to memory of 2372	4792	f{Rs.exe	f{Rs.exe
PID 4020 wrote to memory of 2836	4020	[3r1N2xff.exe	[3r1N2xff.exe
PID 4020 wrote to memory of 2836	4020	[3r1N2xff.exe	[3r1N2xff.exe
PID 4020 wrote to memory of 2836	4020	[3r1N2xff.exe	[3r1N2xff.exe
PID 4020 wrote to memory of 2836	4020	[3r1N2xff.exe	[3r1N2xff.exe
PID 4020 wrote to memory of 2836	4020	[3r1N2xff.exe	[3r1N2xff.exe
PID 4020 wrote to memory of 2836	4020	[3r1N2xff.exe	[3r1N2xff.exe
PID 2148 wrote to memory of 1996	2148	f{Rs.exe	f{Rs.exe
PID 2148 wrote to memory of 1996	2148	f{Rs.exe	f{Rs.exe
PID 2148 wrote to memory of 1996	2148	f{Rs.exe	f{Rs.exe
PID 2148 wrote to memory of 1996	2148	f{Rs.exe	f{Rs.exe
PID 2148 wrote to memory of 1996	2148	f{Rs.exe	f{Rs.exe
PID 2148 wrote to memory of 1996	2148	f{Rs.exe	f{Rs.exe
PID 2148 wrote to memory of 1996	2148	f{Rs.exe	f{Rs.exe
PID 2148 wrote to memory of 1996	2148	f{Rs.exe	f{Rs.exe
PID 2148 wrote to memory of 1996	2148	f{Rs.exe	f{Rs.exe
PID 2148 wrote to memory of 1996	2148	f{Rs.exe	f{Rs.exe
PID 2372 wrote to memory of 4152	2372	f{Rs.exe	cmd.exe
PID 2372 wrote to memory of 4152	2372	f{Rs.exe	cmd.exe
PID 2372 wrote to memory of 4708	2372	f{Rs.exe	cmd.exe
PID 2372 wrote to memory of 4708	2372	f{Rs.exe	cmd.exe
PID 4152 wrote to memory of 4796	4152	cmd.exe	vssadmin.exe
PID 4152 wrote to memory of 4796	4152	cmd.exe	vssadmin.exe
PID 4708 wrote to memory of 1552	4708	cmd.exe	netsh.exe
PID 4708 wrote to memory of 1552	4708	cmd.exe	netsh.exe
PID 4708 wrote to memory of 2040	4708	cmd.exe	netsh.exe
PID 4708 wrote to memory of 2040	4708	cmd.exe	netsh.exe
PID 4152 wrote to memory of 3952	4152	cmd.exe	WMIC.exe
PID 4152 wrote to memory of 3952	4152	cmd.exe	WMIC.exe
PID 4152 wrote to memory of 1940	4152	cmd.exe	bcdedit.exe
PID 4152 wrote to memory of 1940	4152	cmd.exe	bcdedit.exe
PID 4152 wrote to memory of 2844	4152	cmd.exe	bcdedit.exe
PID 4152 wrote to memory of 2844	4152	cmd.exe	bcdedit.exe
PID 4152 wrote to memory of 4524	4152	cmd.exe	wbadmin.exe
PID 4152 wrote to memory of 4524	4152	cmd.exe	wbadmin.exe
PID 3132 wrote to memory of 1940	3132	Explorer.EXE	99AB.exe
PID 3132 wrote to memory of 1940	3132	Explorer.EXE	99AB.exe
PID 3132 wrote to memory of 1940	3132	Explorer.EXE	99AB.exe
PID 3132 wrote to memory of 1088	3132	Explorer.EXE	9C0D.exe
PID 3132 wrote to memory of 1088	3132	Explorer.EXE	9C0D.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132

C:\Users\Admin\AppData\Local\Temp\17688f03f125bb494dc7f304b8936221.exe
"C:\Users\Admin\AppData\Local\Temp\17688f03f125bb494dc7f304b8936221.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008

C:\Users\Admin\AppData\Local\Temp\17688f03f125bb494dc7f304b8936221.exe
C:\Users\Admin\AppData\Local\Temp\17688f03f125bb494dc7f304b8936221.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4284

C:\Users\Admin\AppData\Local\Temp\99AB.exe
C:\Users\Admin\AppData\Local\Temp\99AB.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1940

C:\Users\Admin\AppData\Local\Temp\99AB.exe
C:\Users\Admin\AppData\Local\Temp\99AB.exe
3⤵
- Executes dropped EXE
PID:2592

C:\Users\Admin\AppData\Local\Temp\99AB.exe
C:\Users\Admin\AppData\Local\Temp\99AB.exe
3⤵
- Executes dropped EXE
PID:2612

C:\Users\Admin\AppData\Local\Temp\9C0D.exe
C:\Users\Admin\AppData\Local\Temp\9C0D.exe
2⤵
- Executes dropped EXE
PID:1088

C:\Users\Admin\AppData\Local\Temp\9C0D.exe
"C:\Users\Admin\AppData\Local\Temp\9C0D.exe"
3⤵
- Executes dropped EXE
PID:2196

C:\Users\Admin\AppData\Local\Temp\9C0D.exe
"C:\Users\Admin\AppData\Local\Temp\9C0D.exe"
3⤵
- Executes dropped EXE
PID:4892

C:\Users\Admin\AppData\Local\Temp\9C0D.exe
"C:\Users\Admin\AppData\Local\Temp\9C0D.exe"
3⤵
- Executes dropped EXE
PID:3368

C:\Users\Admin\AppData\Local\Temp\9C0D.exe
"C:\Users\Admin\AppData\Local\Temp\9C0D.exe"
3⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\A48A.exe
C:\Users\Admin\AppData\Local\Temp\A48A.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4804

C:\Users\Admin\AppData\Local\Temp\C8EC.exe
C:\Users\Admin\AppData\Local\Temp\C8EC.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:2748

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2860

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4248

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3720

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:640

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:212

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4820

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4856

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1288

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:276

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:100

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:4616

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3024

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4248

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\90E.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\90E.tmp\svchost.exe -debug
3⤵
PID:4008

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:4020

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:640

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2284

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2580

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1604

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1648

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:628

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4348

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:4152

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3408

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:3404

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:4396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#sqltdrz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
PID:4960

C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
"C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
2⤵
- Executes dropped EXE
PID:2912

C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
"C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
4⤵
- Executes dropped EXE
PID:1996

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4796

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:1940

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:2844

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:4524

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:1552

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:2040

C:\Users\Admin\AppData\Local\Microsoft\[3r1N2xff.exe
"C:\Users\Admin\AppData\Local\Microsoft\[3r1N2xff.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Microsoft\[3r1N2xff.exe
C:\Users\Admin\AppData\Local\Microsoft\[3r1N2xff.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:4776

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 616 -ip 616
1⤵
PID:3524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 676 -ip 676
1⤵
PID:1640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 616 -s 448
1⤵
- Program crash
PID:1272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 676 -s 4364
1⤵
- Program crash
PID:1988

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4472

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3564

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4556

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[2797A0F3-3483].[[email protected]].8base
Filesize
3.2MB

MD5
5e9dcb0f78188196b9cf9face7bf83f5

SHA1
d5cf79d367fe2fa4a77d26d07ca661f27a3073ed

SHA256
00a6870c1e150ea09951ef40595a4e382fa606c5c61d3c42ac73b3e985a19b0d

SHA512
451252c4c4471517b56b0ef7af993af2133c38d658d6d8d05e857c6a58e74f801e9fdb20a0ec526a3594710de65bfb86b4f5d5fe853b57478a4627a2877ab314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f{Rs.exe.log
Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\[3r1N2xff.exe
Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\[3r1N2xff.exe
Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\[3r1N2xff.exe
Filesize
618KB

MD5
3f6d5376b6d40c82644287c7621dfc5b

SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f

SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e

SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\f{Rs.exe
Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\90E.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\90E.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\99AB.exe
Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\99AB.exe
Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\99AB.exe
Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\99AB.exe
Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\99AB.exe
Filesize
628KB

MD5
cb0f99306d05042b8b3db064ac3489b9

SHA1
1a5e8b4435f97dfd09b764c82dba35868e792803

SHA256
71bd706cc0ace3774449282a9c1de5403f8f43dad118b9fbf4fc45cf4894f8e9

SHA512
fd69834d9da70fda36478de8106f288b7c7be48029a8ccc1fbc6ae8a7b4c3d47e189f262c525abad7a87ba1ed784adb57ae20794e6445af7c4d16185f5cafd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C0D.exe
Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C0D.exe
Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C0D.exe
Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C0D.exe
Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C0D.exe
Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C0D.exe
Filesize
576KB

MD5
8be029b88548450edb5e6b65a60cbfc9

SHA1
59d11404e51389f8bbadbd32cfdc574834fa1be4

SHA256
8f703dbe94ad3c9bfee41a6b920cd7765f0a948cae9bdf196b080253411a5d23

SHA512
7fadf75177261266ba0e5a24564bbbb0edbe5daaecd45ba022f9dbf11a7b86564b48782ba0a62a5462fccd1b5f7c084133f371a3480f55611a91740483977fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\A48A.exe
Filesize
298KB

MD5
966f6925f2e2ea12f260ad305d5bfc69

SHA1
baeadfda934497ddc676a78e886935e4a70ce214

SHA256
0bae6a5e4eb4347a99a45dcc9bec3d11da7f3f3e1743e3533c83cf9154b5d635

SHA512
9fadab42dabc13b3e65ef99e4a5feaa8af18c09fec710409091a8aeb48d3f1e8462c31cdca553eb584f1a1475506645cf52f510bd624197a5a9e742afab0ce74

Download Submit
C:\Users\Admin\AppData\Local\Temp\A48A.exe
Filesize
298KB

MD5
966f6925f2e2ea12f260ad305d5bfc69

SHA1
baeadfda934497ddc676a78e886935e4a70ce214

SHA256
0bae6a5e4eb4347a99a45dcc9bec3d11da7f3f3e1743e3533c83cf9154b5d635

SHA512
9fadab42dabc13b3e65ef99e4a5feaa8af18c09fec710409091a8aeb48d3f1e8462c31cdca553eb584f1a1475506645cf52f510bd624197a5a9e742afab0ce74

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8EC.exe
Filesize
9.9MB

MD5
4c328b215a84c1b2c982a3268b4a0cea

SHA1
addaaa78ce3f457d008a4958b2c1a404dcc62eaa

SHA256
3761032e760a2bcc61854a0c7cf22e8e991af0ed60fac92b981853eadda00d1a

SHA512
bd1a0bb98487781d8a6a5145e30544112d511c4510eda59150f23ff605db4ded5f42869a5be9ff0ff7fc570ab2d9f05c13223f3a420a7fa3b3ad7258f2084598

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x52mccko.3g3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszA804.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszA804.tmp\InetLoad.dll
Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g2w00o91.default-release\cookies.sqlite.id[2797A0F3-3483].[[email protected]].8base
Filesize
96KB

MD5
e99b73bffe8d2368c06731b3e071856f

SHA1
33297c794d1bc29690332b81610f6ef69937ac26

SHA256
2e86db552214ded504e5ee1ee4e5646d3967118e4aa6dbbae976a912f14dd625

SHA512
0e176f78840ada28ce410e1e6790cbeee4d26c9bacd16f2271826b6ce6e4e4314b82a1ae3ca725873d95b571c1769eeaffedd90f138805c356ba10d9115df6bd

Download Submit
memory/212-4849-0x0000000000560000-0x000000000056B000-memory.dmp

Filesize
44KB

Download
memory/212-4847-0x0000000000570000-0x0000000000577000-memory.dmp

Filesize
28KB

Download
memory/640-4795-0x0000000000D40000-0x0000000000D4A000-memory.dmp

Filesize
40KB

Download
memory/640-4796-0x0000000000D30000-0x0000000000D3B000-memory.dmp

Filesize
44KB

Download
memory/640-4804-0x0000000000D30000-0x0000000000D3B000-memory.dmp

Filesize
44KB

Download
memory/1088-4348-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/1088-2937-0x0000000004B10000-0x0000000004BA2000-memory.dmp

Filesize
584KB

Download
memory/1088-2871-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/1088-3034-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/1088-3083-0x0000000004A80000-0x0000000004A8A000-memory.dmp

Filesize
40KB

Download
memory/1088-2864-0x0000000000CF0000-0x0000000000D86000-memory.dmp

Filesize
600KB

Download
memory/1088-3123-0x0000000004E10000-0x0000000004EAC000-memory.dmp

Filesize
624KB

Download
memory/1088-4702-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/1088-3808-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/1088-4156-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-2810-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/1940-2984-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/1996-81-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2148-71-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download
memory/2148-69-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/2148-80-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/2372-104-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-93-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-140-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-64-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-66-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-139-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-327-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-96-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-58-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-98-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-102-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-103-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-108-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-204-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-110-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-173-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-109-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2372-121-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2612-2986-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2612-4302-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2836-100-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2836-74-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2836-70-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2860-4668-0x0000000001000000-0x0000000001075000-memory.dmp

Filesize
468KB

Download
memory/2860-4671-0x0000000000D30000-0x0000000000D9B000-memory.dmp

Filesize
428KB

Download
memory/2860-4802-0x0000000000D30000-0x0000000000D9B000-memory.dmp

Filesize
428KB

Download
memory/2988-4955-0x0000000000FE0000-0x0000000000FEF000-memory.dmp

Filesize
60KB

Download
memory/2988-4954-0x0000000000FF0000-0x0000000000FF9000-memory.dmp

Filesize
36KB

Download
memory/3060-11-0x0000000002E80000-0x0000000003280000-memory.dmp

Filesize
4.0MB

Download
memory/3060-23-0x0000000002CF0000-0x0000000002D26000-memory.dmp

Filesize
216KB

Download
memory/3060-26-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3060-24-0x0000000002E80000-0x0000000003280000-memory.dmp

Filesize
4.0MB

Download
memory/3060-7-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3060-9-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3060-22-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3060-25-0x0000000002E80000-0x0000000003280000-memory.dmp

Filesize
4.0MB

Download
memory/3060-10-0x0000000001010000-0x0000000001017000-memory.dmp

Filesize
28KB

Download
memory/3060-4-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3060-12-0x0000000002E80000-0x0000000003280000-memory.dmp

Filesize
4.0MB

Download
memory/3060-16-0x0000000002CF0000-0x0000000002D26000-memory.dmp

Filesize
216KB

Download
memory/3060-13-0x0000000002E80000-0x0000000003280000-memory.dmp

Filesize
4.0MB

Download
memory/3060-14-0x0000000002E80000-0x0000000003280000-memory.dmp

Filesize
4.0MB

Download
memory/3132-95-0x0000000003570000-0x0000000003586000-memory.dmp

Filesize
88KB

Download
memory/3720-4792-0x0000000000F30000-0x0000000000F39000-memory.dmp

Filesize
36KB

Download
memory/3720-4790-0x0000000000F40000-0x0000000000F44000-memory.dmp

Filesize
16KB

Download
memory/4008-2-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

Filesize
64KB

Download
memory/4008-0-0x0000000000080000-0x0000000000156000-memory.dmp

Filesize
856KB

Download
memory/4008-3-0x0000000005480000-0x0000000005A24000-memory.dmp

Filesize
5.6MB

Download
memory/4008-8-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/4008-1-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/4020-56-0x0000000000540000-0x00000000005E0000-memory.dmp

Filesize
640KB

Download
memory/4020-63-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/4020-57-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/4020-75-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/4248-4699-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download
memory/4248-4696-0x0000000000940000-0x0000000000947000-memory.dmp

Filesize
28KB

Download
memory/4248-4708-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download
memory/4284-38-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-29-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-40-0x00007FFBA0190000-0x00007FFBA0385000-memory.dmp

Filesize
2.0MB

Download
memory/4284-32-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-41-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-33-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-28-0x000001F401590000-0x000001F401597000-memory.dmp

Filesize
28KB

Download
memory/4284-42-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-37-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-15-0x000001F4013F0000-0x000001F4013F3000-memory.dmp

Filesize
12KB

Download
memory/4284-27-0x000001F4013F0000-0x000001F4013F3000-memory.dmp

Filesize
12KB

Download
memory/4284-39-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-31-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-30-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-35-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-43-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-44-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-45-0x00007FF4ABC10000-0x00007FF4ABD3F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-82-0x000001F401590000-0x000001F401595000-memory.dmp

Filesize
20KB

Download
memory/4284-83-0x00007FFBA0190000-0x00007FFBA0385000-memory.dmp

Filesize
2.0MB

Download
memory/4284-52-0x00007FFBA0190000-0x00007FFBA0385000-memory.dmp

Filesize
2.0MB

Download
memory/4792-53-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4792-51-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/4792-49-0x0000000000570000-0x0000000000614000-memory.dmp

Filesize
656KB

Download
memory/4792-65-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download