Malware Analysis Report

2025-01-03 06:30

Sample ID 230917-d96z3saa59
Target 3LOSH Exploit.bin.zip
SHA256 92dad0487438945ef4410b08b23cdffb677a5b47c8375176cc61c9d66c50e89c
Tags
asyncrat stormkitty default evasion persistence ransomware rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92dad0487438945ef4410b08b23cdffb677a5b47c8375176cc61c9d66c50e89c

Threat Level: Known bad

The file 3LOSH Exploit.bin.zip was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default evasion persistence ransomware rat spyware stealer

StormKitty

AsyncRat

StormKitty payload

Modifies boot configuration data using bcdedit

Async RAT payload

Deletes shadow copies

Disables Task Manager via registry modification

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

.NET Reactor protector

Looks up external IP address via web service

Looks up geolocation information via web service

Maps connected drives based on registry

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Opens file in notepad (likely ransom note)

Modifies system certificate store

Runs ping.exe

Modifies registry class

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-17 03:43

Signatures

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-17 03:43

Reported

2023-09-17 03:48

Platform

win7-20230831-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Disables Task Manager via registry modification

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\0.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\0.EXE" C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File opened for modification C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\Admin@XOCYHKRS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2160 set thread context of 2808 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\README_8874227.txt C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Program Files (x86)\README_8874227.txt C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\README_8874227.txt C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value not captured in this report] C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value not captured in this report] C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value not captured in this report] C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 2200 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 2200 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 2200 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 2200 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 2200 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 2200 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 2200 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 2160 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2160 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2640 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2640 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2640 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2640 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2160 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 2160 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 2160 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 2160 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 2160 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 2160 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 2160 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 2160 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 2160 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 2152 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe C:\Users\Admin\AppData\Local\Temp\0.EXE
PID 2152 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe C:\Users\Admin\AppData\Local\Temp\0.EXE
PID 2152 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe C:\Users\Admin\AppData\Local\Temp\0.EXE
PID 2152 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe C:\Users\Admin\AppData\Local\Temp\0.EXE
PID 2808 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 992 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 992 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 992 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 992 wrote to memory of 2060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 992 wrote to memory of 2060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 992 wrote to memory of 2060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 992 wrote to memory of 2060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 992 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 992 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 992 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 992 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2808 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2408 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2408 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2408 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2408 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2408 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2408 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2408 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2808 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\schtasks.exe
PID 2808 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\schtasks.exe
PID 2808 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\schtasks.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe

"C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe"

C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe

"C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe

#cmd

C:\Users\Admin\AppData\Local\Temp\0.EXE

C:\Users\Admin\AppData\Local\Temp\0.EXE

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\PING.EXE

ping -n 1 -w 5000 10.10.254.254

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.132:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 google.com udp

Files

memory/2200-0-0x0000000000B90000-0x0000000000C14000-memory.dmp

memory/2200-1-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

memory/2200-2-0x000000001B140000-0x000000001B1C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe

MD5 7861bf87c6aa575225c7553655116550
SHA1 bfb46d112d51278170ae8eed3500790bad5d27f5
SHA256 36bac61c9503824c248bae9665a2e029d0573af982c72988041304827f19b3c0
SHA512 cb8b8e76a990dadc68ef554e1625be4618b0b4cfec5e58dccb022b4d428048280f29f90e9670078371e0d3612d89944eb63eb41b6abfeefe4e9e78fca6a33524

C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe

MD5 7861bf87c6aa575225c7553655116550
SHA1 bfb46d112d51278170ae8eed3500790bad5d27f5
SHA256 36bac61c9503824c248bae9665a2e029d0573af982c72988041304827f19b3c0
SHA512 cb8b8e76a990dadc68ef554e1625be4618b0b4cfec5e58dccb022b4d428048280f29f90e9670078371e0d3612d89944eb63eb41b6abfeefe4e9e78fca6a33524

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 c6b4de7dbe7927a9734bc01b9480a6ae
SHA1 174834f428e1b20b7c57326d1d4b79d3292e3b26
SHA256 ba5134015f931eb3e0f6fc76dc41503470de67b51883f3b66a1bc91c82f6bcb5
SHA512 11d403a8ee200fc91d52fcca8558557f2e0c48f3224a2d3cb6744a16212b911d7e38f5a30b400d7dee6f11a6bad0cb7f576bf13c7c24eb3003365a3db5860eb9

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 c6b4de7dbe7927a9734bc01b9480a6ae
SHA1 174834f428e1b20b7c57326d1d4b79d3292e3b26
SHA256 ba5134015f931eb3e0f6fc76dc41503470de67b51883f3b66a1bc91c82f6bcb5
SHA512 11d403a8ee200fc91d52fcca8558557f2e0c48f3224a2d3cb6744a16212b911d7e38f5a30b400d7dee6f11a6bad0cb7f576bf13c7c24eb3003365a3db5860eb9

memory/2200-18-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 c6b4de7dbe7927a9734bc01b9480a6ae
SHA1 174834f428e1b20b7c57326d1d4b79d3292e3b26
SHA256 ba5134015f931eb3e0f6fc76dc41503470de67b51883f3b66a1bc91c82f6bcb5
SHA512 11d403a8ee200fc91d52fcca8558557f2e0c48f3224a2d3cb6744a16212b911d7e38f5a30b400d7dee6f11a6bad0cb7f576bf13c7c24eb3003365a3db5860eb9

memory/2160-20-0x0000000000C10000-0x0000000000C5A000-memory.dmp

memory/2160-21-0x0000000074970000-0x000000007505E000-memory.dmp

C:\Users\Admin\AppData\Roaming\.exe

MD5 7861bf87c6aa575225c7553655116550
SHA1 bfb46d112d51278170ae8eed3500790bad5d27f5
SHA256 36bac61c9503824c248bae9665a2e029d0573af982c72988041304827f19b3c0
SHA512 cb8b8e76a990dadc68ef554e1625be4618b0b4cfec5e58dccb022b4d428048280f29f90e9670078371e0d3612d89944eb63eb41b6abfeefe4e9e78fca6a33524

memory/2160-23-0x0000000004710000-0x0000000004750000-memory.dmp

memory/2808-25-0x0000000000400000-0x0000000000440000-memory.dmp

\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe

MD5 7861bf87c6aa575225c7553655116550
SHA1 bfb46d112d51278170ae8eed3500790bad5d27f5
SHA256 36bac61c9503824c248bae9665a2e029d0573af982c72988041304827f19b3c0
SHA512 cb8b8e76a990dadc68ef554e1625be4618b0b4cfec5e58dccb022b4d428048280f29f90e9670078371e0d3612d89944eb63eb41b6abfeefe4e9e78fca6a33524

memory/2808-27-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2808-29-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2808-31-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2808-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2808-35-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2160-38-0x0000000074970000-0x000000007505E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe

MD5 7861bf87c6aa575225c7553655116550
SHA1 bfb46d112d51278170ae8eed3500790bad5d27f5
SHA256 36bac61c9503824c248bae9665a2e029d0573af982c72988041304827f19b3c0
SHA512 cb8b8e76a990dadc68ef554e1625be4618b0b4cfec5e58dccb022b4d428048280f29f90e9670078371e0d3612d89944eb63eb41b6abfeefe4e9e78fca6a33524

memory/2808-41-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2808-43-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1664-44-0x0000000070BE0000-0x000000007118B000-memory.dmp

memory/1664-45-0x0000000070BE0000-0x000000007118B000-memory.dmp

memory/2808-46-0x0000000073670000-0x0000000073D5E000-memory.dmp

memory/1664-47-0x00000000024C0000-0x0000000002500000-memory.dmp

memory/1664-48-0x00000000024C0000-0x0000000002500000-memory.dmp

\Users\Admin\AppData\Local\Temp\0.EXE

MD5 416eb366bde2537ebf88aaa8fcbb868c
SHA1 6fcd8c1cce7acf7ace95dad8664e4acb934358b1
SHA256 83d47e22c111e450eded98abc855449cf42ec1916c9b92b47d18bd951b74b890
SHA512 e81bd2e313789d2f5fc36626a6574a52253c20c83dd66b9e9a52f93a9fb09d1af96e4b46166d044a76263c075e81be6844de248ed511434df4521dea23760b67

C:\Users\Admin\AppData\Local\Temp\0.EXE

MD5 416eb366bde2537ebf88aaa8fcbb868c
SHA1 6fcd8c1cce7acf7ace95dad8664e4acb934358b1
SHA256 83d47e22c111e450eded98abc855449cf42ec1916c9b92b47d18bd951b74b890
SHA512 e81bd2e313789d2f5fc36626a6574a52253c20c83dd66b9e9a52f93a9fb09d1af96e4b46166d044a76263c075e81be6844de248ed511434df4521dea23760b67

C:\Users\Admin\AppData\Local\Temp\0.EXE

MD5 416eb366bde2537ebf88aaa8fcbb868c
SHA1 6fcd8c1cce7acf7ace95dad8664e4acb934358b1
SHA256 83d47e22c111e450eded98abc855449cf42ec1916c9b92b47d18bd951b74b890
SHA512 e81bd2e313789d2f5fc36626a6574a52253c20c83dd66b9e9a52f93a9fb09d1af96e4b46166d044a76263c075e81be6844de248ed511434df4521dea23760b67

memory/2936-54-0x0000000000AD0000-0x0000000000AE4000-memory.dmp

memory/2936-55-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

memory/1664-56-0x00000000024C0000-0x0000000002500000-memory.dmp

memory/2936-57-0x000000001B3F0000-0x000000001B470000-memory.dmp

memory/2808-58-0x00000000042D0000-0x0000000004310000-memory.dmp

memory/1664-59-0x0000000070BE0000-0x000000007118B000-memory.dmp

memory/2808-60-0x0000000073670000-0x0000000073D5E000-memory.dmp

memory/2808-130-0x00000000042D0000-0x0000000004310000-memory.dmp

memory/2936-132-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

memory/2936-135-0x000000001B3F0000-0x000000001B470000-memory.dmp

memory/2808-136-0x00000000042D0000-0x0000000004310000-memory.dmp

memory/2936-137-0x000000001B3F0000-0x000000001B470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab8B77.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar8C06.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6d259afd9ddfb8655f47229d6a50406
SHA1 32866c6c9aa1f484250285184eec8e4a83e13579
SHA256 97687c001eb7b88f3509a064b79ad48d655762941a85ce2c6e9b8a8e95631073
SHA512 3423813de605346ecdb15867af3f140d0e0f4ba5fe17f545f0adec39a6b8c21d6360b0b8603113eef6cbd475ca407062dea326e57e4bb89efb21a6bb46ad1ebf

memory/2808-199-0x00000000042D0000-0x0000000004310000-memory.dmp

C:\Users\Admin\AppData\Local\47246f400ddedf5d9a7757fa5b17e697\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\vcredist2010_x86.log.html

MD5 bc3f60d78a5f455a20a030480a401b0e
SHA1 1fe5cfa8bce536a01c3539fc264bc9d26ac2d9ea
SHA256 6a4b72e4a575500d7c567af65a30528d4e4eb9414b927fa135f823c91f468b9c
SHA512 7416efaa36b0c046d2ec6604b0f9ecdb5d08fa0892c3a2899120586eaf3ab3a27f91c469dc1e14455ffd62768f943d731f54f3e8a6abffecf841be260943d917

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\README_8874227.txt

MD5 b89b43e8db5e6c4592b7a9b9f041bf74
SHA1 52a9fedf8cb3bce49808b4de2e7106782c44019c
SHA256 70a1c7fb28ab364634d23c61624e3d3d7c947a14af137a1ce0786275e27e915f
SHA512 0149e1df1ffcfb0d9bcdd4d744397bca61f73096615e9ae4e01d7df9a039c36001bcf1352054b40ec975a2315236fc43348e511e55286adbc490566887fec196

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml

MD5 ffafe5a50ff5104de862a2766450b0f7
SHA1 4275faded51062fde931907e714b15d625544da0
SHA256 d25e2a959520644a39ce9c15f6388234a85bb57438c71d33075c0a6858c54484
SHA512 42ed3f057e6fca867cb0ef7f7523fe709d94d9576dfaf83f515e78f41bbaa911f398817777ba22cf684f5bc8fa56de1cfb65555667d25edc9bc49fc4aedf3f18

memory/2936-622-0x000000001B3F0000-0x000000001B470000-memory.dmp

C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

MD5 9140583e66c4833633e67d25bdf514e7
SHA1 59437db3a83b5585f30b69e63a41c4c7c34285d4
SHA256 4b35665076f17563d7be9521a8ceb73ed7c4ad61cddd5af0a42809d3d2427ea1
SHA512 97011e163561b41aac169c1e5a56051373a767acc87475a49a06110dc358369cf5fff3f19f85a744010dcf05c45fc1f69ae231501ea59e27a2ce96234aec4c3d

C:\Users\Admin\AppData\Local\Temp\update.bat

MD5 006c4a11f8f7da454e4c20b8bad85526
SHA1 7b8c5ac8182a520117e6a1a321b5b9a93e3192a6
SHA256 278b5121b5c5b09aaafcaa97e228ccbc198cf369787f74dc13790cc821f9665d
SHA512 b4a3258dc6c26695e60013cf33221a72ea9b62f5559f5e18ef579f06aef935d1b299b7c390d62d6e7f74b2e333800b4e3502afc7cd61dc0ec8187b098cb053d1

C:\Users\Admin\AppData\Roaming\delback.bat

MD5 2450c91afcc2d4cc3dea374820bed314
SHA1 dd1b61d0aa6d1769018c1d3144de9bb960a64d3c
SHA256 4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df
SHA512 b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91

C:\Users\Admin\AppData\Local\Temp\update.bat

MD5 006c4a11f8f7da454e4c20b8bad85526
SHA1 7b8c5ac8182a520117e6a1a321b5b9a93e3192a6
SHA256 278b5121b5c5b09aaafcaa97e228ccbc198cf369787f74dc13790cc821f9665d
SHA512 b4a3258dc6c26695e60013cf33221a72ea9b62f5559f5e18ef579f06aef935d1b299b7c390d62d6e7f74b2e333800b4e3502afc7cd61dc0ec8187b098cb053d1

memory/2936-1264-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-17 03:43

Reported

2023-09-17 03:48

Platform

win10v2004-20230915-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Disables Task Manager via registry modification

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\0.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\0.EXE" C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\AppData\Local\1ceab758c98edd650520ae21478d1a98\Admin@SXUYPNET_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\AppData\Local\1ceab758c98edd650520ae21478d1a98\Admin@SXUYPNET_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\1ceab758c98edd650520ae21478d1a98\Admin@SXUYPNET_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\AppData\Local\1ceab758c98edd650520ae21478d1a98\Admin@SXUYPNET_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Admin\AppData\Local\1ceab758c98edd650520ae21478d1a98\Admin@SXUYPNET_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\AppData\Local\1ceab758c98edd650520ae21478d1a98\Admin@SXUYPNET_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Admin\AppData\Local\1ceab758c98edd650520ae21478d1a98\Admin@SXUYPNET_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4816 set thread context of 2492 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\README_4591364.txt C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
File created C:\Program Files (x86)\README_4591364.txt C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\README_4591364.txt C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3772 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 3772 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 3772 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 3772 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 3772 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 3772 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe C:\Users\Admin\AppData\Local\Temp\Payload.exe
PID 4816 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 4816 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 4816 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 4816 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 4816 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 4816 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 4816 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 4816 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe
PID 1860 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1860 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1860 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3592 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe C:\Users\Admin\AppData\Local\Temp\0.EXE
PID 3592 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\Payload.exe C:\Users\Admin\AppData\Local\Temp\0.EXE
PID 2492 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4360 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4360 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4360 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4360 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4360 wrote to memory of 2976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4360 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4360 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4360 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2492 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4908 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4908 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4908 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4908 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4908 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2492 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\schtasks.exe
PID 2492 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\schtasks.exe
PID 2492 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe C:\Windows\SysWOW64\schtasks.exe
PID 1852 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\0.EXE C:\Windows\System32\cmd.exe
PID 1852 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\0.EXE C:\Windows\System32\cmd.exe
PID 1852 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\0.EXE C:\Windows\system32\cmd.exe
PID 1852 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\0.EXE C:\Windows\system32\cmd.exe
PID 4108 wrote to memory of 816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4108 wrote to memory of 816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2564 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2564 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4108 wrote to memory of 4624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4108 wrote to memory of 4624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4108 wrote to memory of 348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4108 wrote to memory of 348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe

"C:\Users\Admin\AppData\Local\Temp\3LOSH Exploit.exe"

C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe

"C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe"

C:\Users\Admin\AppData\Local\Temp\Payload.exe

"C:\Users\Admin\AppData\Local\Temp\Payload.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe

#cmd

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\0.EXE

C:\Users\Admin\AppData\Local\Temp\0.EXE

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\PING.EXE

ping -n 1 -w 5000 10.10.254.254

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_4591364.txt

Network

Country  Destination            Domain                          Proto
US       8.8.8.8:53             8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53             73.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53             241.154.82.20.in-addr.arpa      udp
US       8.8.8.8:53             113.208.253.8.in-addr.arpa      udp
US       8.8.8.8:53             88.156.103.20.in-addr.arpa      udp
US       8.8.8.8:53             41.110.16.96.in-addr.arpa       udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53             icanhazip.com                   udp
US       104.18.115.97:80       icanhazip.com                   tcp
US       8.8.8.8:53             api.mylnikov.org                udp
US       104.21.44.66:443       api.mylnikov.org                tcp
US       8.8.8.8:53             97.115.18.104.in-addr.arpa      udp
US       8.8.8.8:53             66.44.21.104.in-addr.arpa       udp
US       8.8.8.8:53             50.23.12.20.in-addr.arpa        udp
US       8.8.8.8:53             18.31.95.13.in-addr.arpa        udp
US       8.8.8.8:53             api.telegram.org                udp
NL       149.154.167.220:443    api.telegram.org                tcp
NL       149.154.167.220:443    api.telegram.org                tcp
US       8.8.8.8:53             220.167.154.149.in-addr.arpa    udp
US       8.8.8.8:53             8.3.197.209.in-addr.arpa        udp
NL       149.154.167.220:443    api.telegram.org                tcp
N/A      127.0.0.1:7707         -                               tcp
US       8.8.8.8:53             google.com                      udp
US       8.8.8.8:53             43.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53             14.173.189.20.in-addr.arpa      udp
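The table mixes three kinds of traffic. The stealer's service lookups: icanhazip.com for the public address, and api.mylnikov.org, a public BSSID-to-location service, which fits the `netsh wlan show networks mode=bssid` command in the process list and the "Looks up geolocation information via web service" signature. Exfiltration to the Telegram Bot API over TLS (three sessions). And a loopback session on port 7707, one of the ports the AsyncRAT builder pre-fills, which indicates the C2 host was left at localhost when this sample was built. The remaining rows are PTR lookups, several of which resolve the very addresses the sample had just connected to. The script below is an added example by the editor, not part of the report, that parses the table and separates these; the category labels and the AsyncRAT default-port set are the editor's assumptions, not something the report states.

```python
"""Triage the sandbox Network table: which peers, and what each one is for.
Added example (editor's, not from the report). RAW_NETWORK is the Network
table above; category labels and the AsyncRAT port set are assumptions."""
import ipaddress
import re
from collections import Counter, namedtuple

RAW_NETWORK = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 97.115.18.104.in-addr.arpa udp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
"""

Conn = namedtuple("Conn", "country ip port domain proto")

# Assumption: the AsyncRAT builder pre-fills 6606, 7707 and 8808. A session to
# one of them on loopback means the C2 host was left at localhost at build time.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}

CATEGORIES = [  # editor's labels
    (re.compile(r"\.in-addr\.arpa$", re.I), "reverse DNS (PTR) lookup"),
    (re.compile(r"(?:^|\.)icanhazip\.com$", re.I), "external IP lookup"),
    (re.compile(r"(?:^|\.)mylnikov\.org$", re.I), "BSSID geolocation service"),
    (re.compile(r"^api\.telegram\.org$", re.I), "Telegram Bot API (exfil channel)"),
    (re.compile(r"^google\.com$", re.I), "connectivity check"),
]

def parse_network(raw):
    """One Conn per row; a row with no Domain column (or '-') is a raw-IP session."""
    conns = []
    for line in raw.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 3:
            country, dest, proto, domain = *parts, ""
        else:
            country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), "" if domain == "-" else domain, proto))
    return conns

def classify(conn):
    for rx, label in CATEGORIES:
        if conn.domain and rx.search(conn.domain):
            return label
    if ipaddress.ip_address(conn.ip).is_loopback:
        return ("loopback C2 on AsyncRAT default port"
                if conn.port in ASYNCRAT_DEFAULT_PORTS else "loopback connection")
    return "uncategorised"

def ptr_target(domain):
    """'97.115.18.104.in-addr.arpa' -> '104.18.115.97' (octets are reversed in PTR names)."""
    labels = re.sub(r"\.in-addr\.arpa$", "", domain, flags=re.I).split(".")
    return ".".join(reversed(labels))

def summarise(conns):
    by_cat = Counter(classify(c) for c in conns)
    tcp_peers = {c.ip for c in conns if c.proto == "tcp"}
    # PTR queries whose target is a host the sample held a TCP session with:
    # the Windows stack resolving its peers back to names. Correlating them
    # tells the analyst which of the many PTR rows belong to the sample's traffic.
    ptr_confirmed = {ptr_target(c.domain) for c in conns
                     if c.domain.lower().endswith(".in-addr.arpa")} & tcp_peers
    exfil = sorted({c.domain for c in conns
                    if c.proto == "tcp" and classify(c).startswith("Telegram")})
    return {"by_category": by_cat, "ptr_confirmed_peers": ptr_confirmed, "exfil_hosts": exfil}

if __name__ == "__main__":
    s = summarise(parse_network(RAW_NETWORK))
    for label, n in s["by_category"].most_common():
        print(f"{n:3d}  {label}")
    print("PTR-confirmed peers:", sorted(s["ptr_confirmed_peers"]), "exfil:", s["exfil_hosts"])
```

For blocking purposes the useful output is the exfil host and the two service lookups; the PTR rows and the loopback session are context, not indicators to deploy.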

Files

memory/3772-0-0x00000000007B0000-0x0000000000834000-memory.dmp

memory/3772-1-0x00007FFA31D60000-0x00007FFA32821000-memory.dmp

memory/3772-2-0x000000001B490000-0x000000001B4A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe

MD5 7861bf87c6aa575225c7553655116550
SHA1 bfb46d112d51278170ae8eed3500790bad5d27f5
SHA256 36bac61c9503824c248bae9665a2e029d0573af982c72988041304827f19b3c0
SHA512 cb8b8e76a990dadc68ef554e1625be4618b0b4cfec5e58dccb022b4d428048280f29f90e9670078371e0d3612d89944eb63eb41b6abfeefe4e9e78fca6a33524

C:\Users\Admin\AppData\Local\Temp\Payload.exe

MD5 c6b4de7dbe7927a9734bc01b9480a6ae
SHA1 174834f428e1b20b7c57326d1d4b79d3292e3b26
SHA256 ba5134015f931eb3e0f6fc76dc41503470de67b51883f3b66a1bc91c82f6bcb5
SHA512 11d403a8ee200fc91d52fcca8558557f2e0c48f3224a2d3cb6744a16212b911d7e38f5a30b400d7dee6f11a6bad0cb7f576bf13c7c24eb3003365a3db5860eb9

memory/3772-26-0x00007FFA31D60000-0x00007FFA32821000-memory.dmp

memory/4816-30-0x0000000074EC0000-0x0000000075670000-memory.dmp

memory/4816-29-0x0000000000400000-0x000000000044A000-memory.dmp

memory/4816-31-0x0000000005300000-0x00000000058A4000-memory.dmp

memory/4816-33-0x0000000004F00000-0x0000000004F10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PryntVirus_protected.exe.log

MD5 baf5d1398fdb79e947b60fe51e45397f
SHA1 49e7b8389f47b93509d621b8030b75e96bb577af
SHA256 10c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8
SHA512 b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413

memory/2492-34-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2492-39-0x0000000074EC0000-0x0000000075670000-memory.dmp

memory/2492-41-0x0000000004EA0000-0x0000000004F06000-memory.dmp

memory/3808-42-0x0000000074EC0000-0x0000000075670000-memory.dmp

memory/3808-40-0x00000000021B0000-0x00000000021E6000-memory.dmp

memory/2492-43-0x0000000005030000-0x0000000005040000-memory.dmp

memory/3808-44-0x00000000022D0000-0x00000000022E0000-memory.dmp

memory/3808-45-0x00000000022D0000-0x00000000022E0000-memory.dmp

memory/4816-38-0x0000000074EC0000-0x0000000075670000-memory.dmp

memory/3808-46-0x0000000004C60000-0x0000000005288000-memory.dmp

memory/3808-47-0x0000000004B20000-0x0000000004B42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p3uxvspr.0xd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3808-50-0x0000000005300000-0x0000000005366000-memory.dmp

memory/3808-58-0x0000000005610000-0x0000000005964000-memory.dmp

memory/3808-59-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

memory/3808-60-0x0000000005B30000-0x0000000005B7C000-memory.dmp

memory/3808-61-0x00000000022D0000-0x00000000022E0000-memory.dmp

memory/3808-63-0x000000007FC10000-0x000000007FC20000-memory.dmp

memory/3808-64-0x0000000072B00000-0x0000000072B4C000-memory.dmp

memory/3808-62-0x00000000060C0000-0x00000000060F2000-memory.dmp

memory/3808-74-0x0000000006100000-0x000000000611E000-memory.dmp

memory/3808-75-0x0000000006CD0000-0x0000000006D73000-memory.dmp

memory/3808-76-0x0000000007440000-0x0000000007ABA000-memory.dmp

memory/3808-77-0x0000000006E00000-0x0000000006E1A000-memory.dmp

memory/3808-78-0x0000000006E70000-0x0000000006E7A000-memory.dmp

memory/3808-79-0x0000000007080000-0x0000000007116000-memory.dmp

memory/3808-80-0x0000000007000000-0x0000000007011000-memory.dmp

memory/2492-81-0x0000000074EC0000-0x0000000075670000-memory.dmp

memory/3808-82-0x0000000074EC0000-0x0000000075670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0.EXE

MD5 416eb366bde2537ebf88aaa8fcbb868c
SHA1 6fcd8c1cce7acf7ace95dad8664e4acb934358b1
SHA256 83d47e22c111e450eded98abc855449cf42ec1916c9b92b47d18bd951b74b890
SHA512 e81bd2e313789d2f5fc36626a6574a52253c20c83dd66b9e9a52f93a9fb09d1af96e4b46166d044a76263c075e81be6844de248ed511434df4521dea23760b67

memory/2492-87-0x0000000005030000-0x0000000005040000-memory.dmp

memory/3808-88-0x00000000022D0000-0x00000000022E0000-memory.dmp

memory/1852-89-0x0000000000C90000-0x0000000000CA4000-memory.dmp

memory/2492-90-0x0000000005A20000-0x0000000005AB2000-memory.dmp

memory/1852-91-0x00007FFA31C30000-0x00007FFA326F1000-memory.dmp

memory/3808-92-0x0000000007050000-0x000000000705E000-memory.dmp

memory/3808-93-0x0000000007060000-0x0000000007074000-memory.dmp

memory/3808-94-0x0000000007150000-0x000000000716A000-memory.dmp

memory/3808-95-0x0000000007140000-0x0000000007148000-memory.dmp

memory/3808-96-0x00000000022D0000-0x00000000022E0000-memory.dmp

memory/3808-97-0x0000000007180000-0x00000000071A2000-memory.dmp

memory/3808-100-0x0000000074EC0000-0x0000000075670000-memory.dmp

C:\Users\Admin\AppData\Local\1ceab758c98edd650520ae21478d1a98\Admin@SXUYPNET_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/1852-212-0x00007FFA31C30000-0x00007FFA326F1000-memory.dmp

memory/1852-219-0x000000001C550000-0x000000001C560000-memory.dmp

C:\Users\Admin\AppData\Local\1ceab758c98edd650520ae21478d1a98\Admin@SXUYPNET_en-US\System\Process.txt

MD5 3569a6f54f3950c0d2f0e3ac511b3bda
SHA1 472495cc2a2c7fec02b37a60e5bc704513fb249a
SHA256 b1ef69f1b2cc7da21696110f129ab8d7674c1ac953e173c8411de7333ad2bf47
SHA512 73b978a017fae9c7cdc4c8b994c667758fad44f3ce27c0a9f54d319e008e17e5b0d68eadeab4d2768eeecce39c4c4576c2da9a509de248c398099257bf3e34b4

memory/2492-248-0x0000000005030000-0x0000000005040000-memory.dmp

memory/2492-253-0x00000000069B0000-0x00000000069BA000-memory.dmp

C:\Users\Admin\AppData\Local\1ceab758c98edd650520ae21478d1a98\msgid.dat

MD5 70efdf2ec9b086079795c442636b55fb
SHA1 0716d9708d321ffb6a00818614779e779925365c
SHA256 4523540f1504cd17100c4835e85b7eefd49911580f8efff0599a8f283be6b9e3
SHA512 dc2de67eb248dcdc50c63aabd1bca8335ad01106dd8ff720590077c161f558a7b61db3c56b3a32997597a3db98fd191c3e9e7fdf555aac1525f0b5342cac4088

memory/2492-259-0x00000000070A0000-0x00000000070B2000-memory.dmp

memory/2492-284-0x0000000005030000-0x0000000005040000-memory.dmp

C:\vcredist2010_x86.log.html

MD5 20ca483ecf665496cedf8883435cfab3
SHA1 6b734dd5ed63ffb5aebfc1b593cc711423633783
SHA256 bd443ae0fac788bc9d44308993f9f80ec9358779e81713d5b6a38031f6bb4c59
SHA512 15f54218421d39d7352b5e59674271664d9df4545036450e253ad0c56463efeac4434c7f61adc6a06c6e5765a142fb4fc2a415953a36df9512e391a41895582d

C:\Program Files (x86)\README_4591364.txt

MD5 44b8a5cd786fd41c33f6b413ff075a1a
SHA1 579299c3ee960f4b1bdaa7edba1c350f7c4c7808
SHA256 643634b5d8d53f17600d700a1fb2ccacf0e7d837a6e37ff88a783a60aa85ae1b
SHA512 20c8b766a680705f899cec566e6af64d79fc357428f1b24a0c3f82fd46b8081990820e72e5b61cd169ef1e239b5a1be899e418f0979b9d3f8094ae71c5a9b657

memory/2492-431-0x0000000007C90000-0x0000000007C9A000-memory.dmp

C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

MD5 88f7751e3cc77ea2061b1e7936e09f9c
SHA1 72fa6f028710f9c91050f664b9245fad90027f4e
SHA256 f908e0ae825c8e1c41a0cad70ba76fcf21ea56b8c5b103858931c50bd54e8f1f
SHA512 dcf2af626a799e6fd4010e68b1c7d5250fea482f360311d9978213cd8008142e0870d40c25abe65bb197154bccfe52f4a461289146772a91cb334ceaa6e4ca30

memory/1852-1150-0x000000001C550000-0x000000001C560000-memory.dmp

C:\Users\Admin\AppData\Roaming\delback.bat

MD5 2450c91afcc2d4cc3dea374820bed314
SHA1 dd1b61d0aa6d1769018c1d3144de9bb960a64d3c
SHA256 4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df
SHA512 b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91

memory/1852-1154-0x00007FFA31C30000-0x00007FFA326F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\update.bat

MD5 006c4a11f8f7da454e4c20b8bad85526
SHA1 7b8c5ac8182a520117e6a1a321b5b9a93e3192a6
SHA256 278b5121b5c5b09aaafcaa97e228ccbc198cf369787f74dc13790cc821f9665d
SHA512 b4a3258dc6c26695e60013cf33221a72ea9b62f5559f5e18ef579f06aef935d1b299b7c390d62d6e7f74b2e333800b4e3502afc7cd61dc0ec8187b098cb053d1

C:\Users\Admin\Desktop\README_4591364.txt

MD5 44b8a5cd786fd41c33f6b413ff075a1a
SHA1 579299c3ee960f4b1bdaa7edba1c350f7c4c7808
SHA256 643634b5d8d53f17600d700a1fb2ccacf0e7d837a6e37ff88a783a60aa85ae1b
SHA512 20c8b766a680705f899cec566e6af64d79fc357428f1b24a0c3f82fd46b8081990820e72e5b61cd169ef1e239b5a1be899e418f0979b9d3f8094ae71c5a9b657
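Sandbox file listings of this kind repeat a path each time a process dropped or executed it, and the memory-dump lines are interleaved with dropped files. The script below is an added example by the editor, not part of the report, that parses this format into a deduplicated IOC set, validates digest lengths, separates memory dumps by PID, and labels paths that mean something on their own (ransom notes, the stealer's staging directory under AppData\Local\<32 hex>\<user>@<host>_<locale>\, the CLR usage log that proves managed code ran). SAMPLE_FILES is a constructed subset of the section above that keeps one repeated entry on purpose; the labels are the editor's.

```python
"""Turn the sandbox 'Files' listing into a deduplicated IOC set.
Added example (editor's, not from the report). Format: a path line, a blank,
then MD5/SHA1/SHA256/SHA512 lines; 'memory/<pid>-<n>-<start>-<end>-memory.dmp'
for memory dumps. SAMPLE_FILES is a constructed subset of the section above."""
import re

SAMPLE_FILES = r"""
memory/3772-0-0x00000000007B0000-0x0000000000834000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe

MD5 7861bf87c6aa575225c7553655116550
SHA1 bfb46d112d51278170ae8eed3500790bad5d27f5
SHA256 36bac61c9503824c248bae9665a2e029d0573af982c72988041304827f19b3c0
SHA512 cb8b8e76a990dadc68ef554e1625be4618b0b4cfec5e58dccb022b4d428048280f29f90e9670078371e0d3612d89944eb63eb41b6abfeefe4e9e78fca6a33524

C:\Users\Admin\AppData\Local\Temp\PryntVirus_protected.exe

MD5 7861bf87c6aa575225c7553655116550
SHA1 bfb46d112d51278170ae8eed3500790bad5d27f5
SHA256 36bac61c9503824c248bae9665a2e029d0573af982c72988041304827f19b3c0
SHA512 cb8b8e76a990dadc68ef554e1625be4618b0b4cfec5e58dccb022b4d428048280f29f90e9670078371e0d3612d89944eb63eb41b6abfeefe4e9e78fca6a33524

memory/4816-29-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Local\1ceab758c98edd650520ae21478d1a98\Admin@SXUYPNET_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Program Files (x86)\README_4591364.txt

MD5 44b8a5cd786fd41c33f6b413ff075a1a
SHA1 579299c3ee960f4b1bdaa7edba1c350f7c4c7808
SHA256 643634b5d8d53f17600d700a1fb2ccacf0e7d837a6e37ff88a783a60aa85ae1b
SHA512 20c8b766a680705f899cec566e6af64d79fc357428f1b24a0c3f82fd46b8081990820e72e5b61cd169ef1e239b5a1be899e418f0979b9d3f8094ae71c5a9b657

C:\Users\Admin\Desktop\README_4591364.txt

MD5 44b8a5cd786fd41c33f6b413ff075a1a
SHA1 579299c3ee960f4b1bdaa7edba1c350f7c4c7808
SHA256 643634b5d8d53f17600d700a1fb2ccacf0e7d837a6e37ff88a783a60aa85ae1b
SHA512 20c8b766a680705f899cec566e6af64d79fc357428f1b24a0c3f82fd46b8081990820e72e5b61cd169ef1e239b5a1be899e418f0979b9d3f8094ae71c5a9b657
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASHLINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
MEMDUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_TAGS = [  # editor's labels for paths that mean something on their own
    (re.compile(r"\\README_\d+\.txt$", re.I), "ransom note"),
    (re.compile(r"\\AppData\\Local\\[0-9a-f]{32}\\[^\\]+@[^\\]+\\", re.I), "stealer output directory"),
    (re.compile(r"\\CLR_v4\.0(?:_32)?\\UsageLogs\\", re.I), ".NET usage log (managed code executed)"),
    (re.compile(r"\\__PSScriptPolicyTest_.*\.ps1$", re.I), "PowerShell was started"),
    (re.compile(r"\\AppData\\.*\.(?:exe|bat)$", re.I), "executable dropped in user profile"),
]

def parse_files(text):
    """Yield ('memdump', pid, index, start, end) or ('file', path, {algo: digest})."""
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if not line:
            continue
        m = MEMDUMP.match(line)
        if m:
            pid, idx, start, end = m.groups()
            yield ("memdump", int(pid), int(idx), int(start, 16), int(end, 16))
            continue
        while i < len(lines) and not lines[i]:   # blank between path and its hashes
            i += 1
        hashes = {}
        while i < len(lines) and HASHLINE.match(lines[i]):
            algo, digest = HASHLINE.match(lines[i]).groups()
            if len(digest) != HASH_LEN[algo]:   # catches truncated or garbled digests
                raise ValueError(f"{algo} digest has wrong length for {line}")
            hashes[algo] = digest
            i += 1
        yield ("file", line, hashes)

def unique_files(entries):
    """Collapse repeated (path, SHA256) entries, keeping first-seen order."""
    seen = {}
    for kind, *rest in entries:
        if kind == "file":
            path, hashes = rest
            seen.setdefault((path, hashes.get("SHA256")), {"path": path, **hashes})
    return list(seen.values())

def tag_path(path):
    return [label for rx, label in PATH_TAGS if rx.search(path)]

def pids_with_dumps(entries):
    return sorted({e[1] for e in entries if e[0] == "memdump"})

if __name__ == "__main__":
    entries = list(parse_files(SAMPLE_FILES))
    for f in unique_files(entries):
        print(f["SHA256"], f["path"], tag_path(f["path"]))
    print("PIDs with memory dumps:", pids_with_dumps(entries))
```

The dedup key is (path, SHA256) rather than SHA256 alone so that the same ransom note written to Program Files (x86) and to the Desktop stays visible as two locations; for a blocklist, collapse further on SHA256.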