ammyyadmin | 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636

Analysis

max time kernel
97s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2023 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
Size

1.9MB
MD5

1b87684768db892932be3f0661c54251
SHA1

e5acdb93f6eb75656c9a8242e21b01bf978dc7cf
SHA256

65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
SHA512

0fc3cc6ed99e45a3d1ca7cd2dd4d7bfc2f5f11ee7cf0e3d58bfbb4db26f16599cae45b96fc032cd6a050c1ea70bfd02291537088168dd149eee85b38d2527a82
SSDEEP

24576:jx4Ul0rrIOGz9I6U7AeyGvHynlLghECQl4L529dktxtPCv1ri+J/ac//zWOYopmB:mUl0/2kHW8ECQl4wi+snopp2vQ

Score

10^/10

ammyyadmin flawedammyy phobos rhadamanthys smokeloader backdoor bootkit collection evasion persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe	family_ammyyadmin

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3092-14-0x0000000003000000-0x0000000003400000-memory.dmp	family_rhadamanthys
behavioral2/memory/3092-15-0x0000000003000000-0x0000000003400000-memory.dmp	family_rhadamanthys
behavioral2/memory/3092-16-0x0000000003000000-0x0000000003400000-memory.dmp	family_rhadamanthys
behavioral2/memory/3092-17-0x0000000003000000-0x0000000003400000-memory.dmp	family_rhadamanthys
behavioral2/memory/3092-27-0x0000000003000000-0x0000000003400000-memory.dmp	family_rhadamanthys
behavioral2/memory/3092-29-0x0000000003000000-0x0000000003400000-memory.dmp	family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe

description pid process target process

PID 3092 created 3132 3092 SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4936 bcdedit.exe
2132 bcdedit.exe
Renames multiple (346) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2412 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

4676 netsh.exe
1380 netsh.exe

description	pid	process	target process
PID 3092 created 3132	3092	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	Explorer.EXE

pid	process
4936	bcdedit.exe
2132	bcdedit.exe

pid	process
2412	wbadmin.exe

pid	process
4676	netsh.exe
1380	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 1 IoCs

Processes:

pES[YI.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\pES[YI.exe pES[YI.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\pES[YI.exe	pES[YI.exe

Executes dropped EXE 17 IoCs

Processes:

pES[YI.exeX6(A({C.exepES[YI.exeX6(A({C.exeX6(A({C.exepES[YI.exepES[YI.exepES[YI.exeEC4F.exeED0C.exeEC4F.exeEC4F.exeF356.exeF356.exesvchost.exe5760.exe5760.exe

pid	process
2324	pES[YI.exe
3772	X6(A({C.exe
2812	pES[YI.exe
4288	X6(A({C.exe
3580	X6(A({C.exe
3380	pES[YI.exe
3964	pES[YI.exe
5076	pES[YI.exe
872	EC4F.exe
1296	ED0C.exe
3744	EC4F.exe
3676	EC4F.exe
2636	F356.exe
3516	F356.exe
4940	svchost.exe
4200	5760.exe
4048	5760.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2020 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2020	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pES[YI.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pES[YI = "C:\\Users\\Admin\\AppData\\Local\\pES[YI.exe"	pES[YI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pES[YI = "C:\\Users\\Admin\\AppData\\Local\\pES[YI.exe"	pES[YI.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

pES[YI.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1141987721-3945596982-3297311814-1000\desktop.ini	pES[YI.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1141987721-3945596982-3297311814-1000\desktop.ini	pES[YI.exe
File opened for modification	C:\Program Files\desktop.ini	pES[YI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	pES[YI.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exepES[YI.exeX6(A({C.exepES[YI.exeEC4F.exeF356.exe5760.exe

description	pid	process	target process
PID 4892 set thread context of 3092	4892	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 2324 set thread context of 2812	2324	pES[YI.exe	pES[YI.exe
PID 3772 set thread context of 3580	3772	X6(A({C.exe	X6(A({C.exe
PID 3380 set thread context of 5076	3380	pES[YI.exe	pES[YI.exe
PID 872 set thread context of 3676	872	EC4F.exe	EC4F.exe
PID 2636 set thread context of 3516	2636	F356.exe	F356.exe
PID 4200 set thread context of 4048	4200	5760.exe	5760.exe

Drops file in Program Files directory 64 IoCs

Processes:

pES[YI.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc	pES[YI.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\DirectionalDot.png	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png	pES[YI.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_altform-unplated_contrast-black.png	pES[YI.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnWD.dll.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\FileAssociation.targetsize-24.png	pES[YI.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\splashscreen.dll	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-400.png	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-125.png	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-400.png	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-unplated_contrast-white_devicefamily-colorfulunplated.png	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	pES[YI.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac	pES[YI.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	pES[YI.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl	pES[YI.exe
File created	C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-125.png	pES[YI.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip	pES[YI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.js	pES[YI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWDAT.DLL.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-96_altform-unplated_contrast-white.png	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png	pES[YI.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll	pES[YI.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar	pES[YI.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\SplashWideTile.scale-200_contrast-black.png	pES[YI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	pES[YI.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	pES[YI.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll	pES[YI.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-60_altform-unplated.png	pES[YI.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dt_shmem.dll.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml	pES[YI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-locale-l1-1-0.dll	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-256_altform-unplated_contrast-black.png	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png	pES[YI.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml	pES[YI.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\BCSRuntimeRes.dll.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSB.TTF	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri	pES[YI.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings	pES[YI.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-options.jar	pES[YI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms	pES[YI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms	pES[YI.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll	pES[YI.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-30.png	pES[YI.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.id[7660D832-3483].[[email protected]].8base	pES[YI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	pES[YI.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF	pES[YI.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

X6(A({C.exevds.exeF356.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	X6(A({C.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	X6(A({C.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F356.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F356.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F356.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	X6(A({C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

804 vssadmin.exe

pid	process
804	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exeSecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.execertreq.exeX6(A({C.exeX6(A({C.exepES[YI.exeExplorer.EXEpES[YI.exe

pid	process
4892	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
3092	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
3092	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
3092	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
3092	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
804	certreq.exe
804	certreq.exe
804	certreq.exe
804	certreq.exe
3772	X6(A({C.exe
3772	X6(A({C.exe
3580	X6(A({C.exe
3580	X6(A({C.exe
3380	pES[YI.exe
3380	pES[YI.exe
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
2812	pES[YI.exe
2812	pES[YI.exe
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
2812	pES[YI.exe
2812	pES[YI.exe
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
2812	pES[YI.exe
2812	pES[YI.exe
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
2812	pES[YI.exe
2812	pES[YI.exe
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3132 Explorer.EXE

pid	process
3132	Explorer.EXE

Suspicious behavior: MapViewOfSection 34 IoCs

Processes:

X6(A({C.exeExplorer.EXEF356.exeexplorer.exe

pid	process
3580	X6(A({C.exe
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3516	F356.exe
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3132	Explorer.EXE
3516	explorer.exe
3516	explorer.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exepES[YI.exeX6(A({C.exepES[YI.exepES[YI.exevssvc.exeExplorer.EXEWMIC.exewbengine.exeEC4F.exeF356.exeED0C.exe5760.exe5760.exe

description	pid	process
Token: SeDebugPrivilege	4892	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
Token: SeDebugPrivilege	2324	pES[YI.exe
Token: SeDebugPrivilege	3772	X6(A({C.exe
Token: SeDebugPrivilege	3380	pES[YI.exe
Token: SeDebugPrivilege	2812	pES[YI.exe
Token: SeBackupPrivilege	5004	vssvc.exe
Token: SeRestorePrivilege	5004	vssvc.exe
Token: SeAuditPrivilege	5004	vssvc.exe
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	4820	WMIC.exe
Token: SeSecurityPrivilege	4820	WMIC.exe
Token: SeTakeOwnershipPrivilege	4820	WMIC.exe
Token: SeLoadDriverPrivilege	4820	WMIC.exe
Token: SeSystemProfilePrivilege	4820	WMIC.exe
Token: SeSystemtimePrivilege	4820	WMIC.exe
Token: SeProfSingleProcessPrivilege	4820	WMIC.exe
Token: SeIncBasePriorityPrivilege	4820	WMIC.exe
Token: SeCreatePagefilePrivilege	4820	WMIC.exe
Token: SeBackupPrivilege	4820	WMIC.exe
Token: SeRestorePrivilege	4820	WMIC.exe
Token: SeShutdownPrivilege	4820	WMIC.exe
Token: SeDebugPrivilege	4820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4820	WMIC.exe
Token: SeRemoteShutdownPrivilege	4820	WMIC.exe
Token: SeUndockPrivilege	4820	WMIC.exe
Token: SeManageVolumePrivilege	4820	WMIC.exe
Token: 33	4820	WMIC.exe
Token: 34	4820	WMIC.exe
Token: 35	4820	WMIC.exe
Token: 36	4820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4820	WMIC.exe
Token: SeSecurityPrivilege	4820	WMIC.exe
Token: SeTakeOwnershipPrivilege	4820	WMIC.exe
Token: SeLoadDriverPrivilege	4820	WMIC.exe
Token: SeSystemProfilePrivilege	4820	WMIC.exe
Token: SeSystemtimePrivilege	4820	WMIC.exe
Token: SeProfSingleProcessPrivilege	4820	WMIC.exe
Token: SeIncBasePriorityPrivilege	4820	WMIC.exe
Token: SeCreatePagefilePrivilege	4820	WMIC.exe
Token: SeBackupPrivilege	4820	WMIC.exe
Token: SeRestorePrivilege	4820	WMIC.exe
Token: SeShutdownPrivilege	4820	WMIC.exe
Token: SeDebugPrivilege	4820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4820	WMIC.exe
Token: SeRemoteShutdownPrivilege	4820	WMIC.exe
Token: SeUndockPrivilege	4820	WMIC.exe
Token: SeManageVolumePrivilege	4820	WMIC.exe
Token: 33	4820	WMIC.exe
Token: 34	4820	WMIC.exe
Token: 35	4820	WMIC.exe
Token: 36	4820	WMIC.exe
Token: SeBackupPrivilege	508	wbengine.exe
Token: SeRestorePrivilege	508	wbengine.exe
Token: SeSecurityPrivilege	508	wbengine.exe
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeDebugPrivilege	872	EC4F.exe
Token: SeDebugPrivilege	2636	F356.exe
Token: SeDebugPrivilege	1296	ED0C.exe
Token: SeDebugPrivilege	4200	5760.exe
Token: SeDebugPrivilege	4048	5760.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

svchost.exe

pid process

4940 svchost.exe

pid	process
4940	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exeSecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exepES[YI.exeX6(A({C.exepES[YI.exepES[YI.execmd.execmd.exeExplorer.EXE

description	pid	process	target process
PID 4892 wrote to memory of 3092	4892	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 4892 wrote to memory of 3092	4892	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 4892 wrote to memory of 3092	4892	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 4892 wrote to memory of 3092	4892	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 4892 wrote to memory of 3092	4892	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 4892 wrote to memory of 3092	4892	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 4892 wrote to memory of 3092	4892	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 4892 wrote to memory of 3092	4892	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 3092 wrote to memory of 804	3092	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	certreq.exe
PID 3092 wrote to memory of 804	3092	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	certreq.exe
PID 3092 wrote to memory of 804	3092	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	certreq.exe
PID 3092 wrote to memory of 804	3092	SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe	certreq.exe
PID 2324 wrote to memory of 2812	2324	pES[YI.exe	pES[YI.exe
PID 2324 wrote to memory of 2812	2324	pES[YI.exe	pES[YI.exe
PID 2324 wrote to memory of 2812	2324	pES[YI.exe	pES[YI.exe
PID 2324 wrote to memory of 2812	2324	pES[YI.exe	pES[YI.exe
PID 2324 wrote to memory of 2812	2324	pES[YI.exe	pES[YI.exe
PID 2324 wrote to memory of 2812	2324	pES[YI.exe	pES[YI.exe
PID 2324 wrote to memory of 2812	2324	pES[YI.exe	pES[YI.exe
PID 2324 wrote to memory of 2812	2324	pES[YI.exe	pES[YI.exe
PID 2324 wrote to memory of 2812	2324	pES[YI.exe	pES[YI.exe
PID 2324 wrote to memory of 2812	2324	pES[YI.exe	pES[YI.exe
PID 3772 wrote to memory of 4288	3772	X6(A({C.exe	X6(A({C.exe
PID 3772 wrote to memory of 4288	3772	X6(A({C.exe	X6(A({C.exe
PID 3772 wrote to memory of 4288	3772	X6(A({C.exe	X6(A({C.exe
PID 3772 wrote to memory of 3580	3772	X6(A({C.exe	X6(A({C.exe
PID 3772 wrote to memory of 3580	3772	X6(A({C.exe	X6(A({C.exe
PID 3772 wrote to memory of 3580	3772	X6(A({C.exe	X6(A({C.exe
PID 3772 wrote to memory of 3580	3772	X6(A({C.exe	X6(A({C.exe
PID 3772 wrote to memory of 3580	3772	X6(A({C.exe	X6(A({C.exe
PID 3772 wrote to memory of 3580	3772	X6(A({C.exe	X6(A({C.exe
PID 3380 wrote to memory of 3964	3380	pES[YI.exe	pES[YI.exe
PID 3380 wrote to memory of 3964	3380	pES[YI.exe	pES[YI.exe
PID 3380 wrote to memory of 3964	3380	pES[YI.exe	pES[YI.exe
PID 3380 wrote to memory of 5076	3380	pES[YI.exe	pES[YI.exe
PID 3380 wrote to memory of 5076	3380	pES[YI.exe	pES[YI.exe
PID 3380 wrote to memory of 5076	3380	pES[YI.exe	pES[YI.exe
PID 3380 wrote to memory of 5076	3380	pES[YI.exe	pES[YI.exe
PID 3380 wrote to memory of 5076	3380	pES[YI.exe	pES[YI.exe
PID 3380 wrote to memory of 5076	3380	pES[YI.exe	pES[YI.exe
PID 3380 wrote to memory of 5076	3380	pES[YI.exe	pES[YI.exe
PID 3380 wrote to memory of 5076	3380	pES[YI.exe	pES[YI.exe
PID 3380 wrote to memory of 5076	3380	pES[YI.exe	pES[YI.exe
PID 3380 wrote to memory of 5076	3380	pES[YI.exe	pES[YI.exe
PID 2812 wrote to memory of 3692	2812	pES[YI.exe	cmd.exe
PID 2812 wrote to memory of 3692	2812	pES[YI.exe	cmd.exe
PID 2812 wrote to memory of 2392	2812	pES[YI.exe	cmd.exe
PID 2812 wrote to memory of 2392	2812	pES[YI.exe	cmd.exe
PID 2392 wrote to memory of 4676	2392	cmd.exe	netsh.exe
PID 2392 wrote to memory of 4676	2392	cmd.exe	netsh.exe
PID 3692 wrote to memory of 804	3692	cmd.exe	vssadmin.exe
PID 3692 wrote to memory of 804	3692	cmd.exe	vssadmin.exe
PID 2392 wrote to memory of 1380	2392	cmd.exe	netsh.exe
PID 2392 wrote to memory of 1380	2392	cmd.exe	netsh.exe
PID 3692 wrote to memory of 4820	3692	cmd.exe	WMIC.exe
PID 3692 wrote to memory of 4820	3692	cmd.exe	WMIC.exe
PID 3692 wrote to memory of 4936	3692	cmd.exe	bcdedit.exe
PID 3692 wrote to memory of 4936	3692	cmd.exe	bcdedit.exe
PID 3692 wrote to memory of 2132	3692	cmd.exe	bcdedit.exe
PID 3692 wrote to memory of 2132	3692	cmd.exe	bcdedit.exe
PID 3692 wrote to memory of 2412	3692	cmd.exe	wbadmin.exe
PID 3692 wrote to memory of 2412	3692	cmd.exe	wbadmin.exe
PID 3132 wrote to memory of 872	3132	Explorer.EXE	EC4F.exe
PID 3132 wrote to memory of 872	3132	Explorer.EXE	EC4F.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:804

C:\Users\Admin\AppData\Local\Temp\EC4F.exe
C:\Users\Admin\AppData\Local\Temp\EC4F.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Users\Admin\AppData\Local\Temp\EC4F.exe
C:\Users\Admin\AppData\Local\Temp\EC4F.exe
3⤵
- Executes dropped EXE
PID:3744

C:\Users\Admin\AppData\Local\Temp\EC4F.exe
C:\Users\Admin\AppData\Local\Temp\EC4F.exe
3⤵
- Executes dropped EXE
PID:3676

C:\Users\Admin\AppData\Local\Temp\ED0C.exe
C:\Users\Admin\AppData\Local\Temp\ED0C.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Users\Admin\AppData\Local\Temp\ED0C.exe
"C:\Users\Admin\AppData\Local\Temp\ED0C.exe"
3⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\F356.exe
C:\Users\Admin\AppData\Local\Temp\F356.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Users\Admin\AppData\Local\Temp\F356.exe
C:\Users\Admin\AppData\Local\Temp\F356.exe
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3516

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3240

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4688

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1120

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2920

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:828

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3696

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3048

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1692

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:804

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4572

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4220

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4108

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3116

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3240

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Suspicious behavior: MapViewOfSection
PID:3516

C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe -debug
3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:4940

C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\35EB.tmp\aa_nts.dll",run
4⤵
- Loads dropped DLL
PID:2020

C:\Users\Admin\AppData\Local\Temp\5760.exe
C:\Users\Admin\AppData\Local\Temp\5760.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Users\Admin\AppData\Local\Temp\5760.exe
C:\Users\Admin\AppData\Local\Temp\5760.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
"C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
"C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
4⤵
- Executes dropped EXE
PID:3964

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
4⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:804

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:4936

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:2132

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:2412

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:4676

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:1380

C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe
"C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe
C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe
2⤵
- Executes dropped EXE
PID:4288

C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe
C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[7660D832-3483].[[email protected]].8base

Filesize
2.7MB

MD5
882601a28cc18c925d93e77f13491b54

SHA1
255324fd392e1efecdeaea6444e2bbb3b51bc39e

SHA256
c916dd961cfc3d5247651e248d5e323abdac10a0f29880b1823ce4b622fe53a0

SHA512
bd242c56b54f1be1974386797ecb4de846a4200fbf946930a14d38870c0d9e6b0dc6640e14c68ae02928d43328505bbdf8abd6ea03f582240a1fcb0b61e5600c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5760.exe.log

Filesize
1KB

MD5
9f5d0107d96d176b1ffcd5c7e7a42dc9

SHA1
de83788e2f18629555c42a3e6fada12f70457141

SHA256
d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097

SHA512
86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F356.exe.log

Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pES[YI.exe.log

Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe

Filesize
250KB

MD5
2931ff8f30f41984e58e2bb3d4c82000

SHA1
c71353633077fadacbe07ed6e2939262f89f9ad3

SHA256
ab0af2ff7ab695e35c31343278ef0bde960dc88554f015034eb16cad94d6a9b7

SHA512
0a807c28c1b81c348c35c379dca1185e366993288a45c176c5619cf324acca655abf81dc42683404de2f0cdc2c8781db681964188d6037a30d64ac78f45067f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe

Filesize
250KB

MD5
2931ff8f30f41984e58e2bb3d4c82000

SHA1
c71353633077fadacbe07ed6e2939262f89f9ad3

SHA256
ab0af2ff7ab695e35c31343278ef0bde960dc88554f015034eb16cad94d6a9b7

SHA512
0a807c28c1b81c348c35c379dca1185e366993288a45c176c5619cf324acca655abf81dc42683404de2f0cdc2c8781db681964188d6037a30d64ac78f45067f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe

Filesize
250KB

MD5
2931ff8f30f41984e58e2bb3d4c82000

SHA1
c71353633077fadacbe07ed6e2939262f89f9ad3

SHA256
ab0af2ff7ab695e35c31343278ef0bde960dc88554f015034eb16cad94d6a9b7

SHA512
0a807c28c1b81c348c35c379dca1185e366993288a45c176c5619cf324acca655abf81dc42683404de2f0cdc2c8781db681964188d6037a30d64ac78f45067f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe

Filesize
250KB

MD5
2931ff8f30f41984e58e2bb3d4c82000

SHA1
c71353633077fadacbe07ed6e2939262f89f9ad3

SHA256
ab0af2ff7ab695e35c31343278ef0bde960dc88554f015034eb16cad94d6a9b7

SHA512
0a807c28c1b81c348c35c379dca1185e366993288a45c176c5619cf324acca655abf81dc42683404de2f0cdc2c8781db681964188d6037a30d64ac78f45067f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

Filesize
261KB

MD5
614d1cd9e8513df074caa93ac0aeeb2e

SHA1
5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89

SHA256
3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74

SHA512
11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

Filesize
261KB

MD5
614d1cd9e8513df074caa93ac0aeeb2e

SHA1
5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89

SHA256
3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74

SHA512
11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

Filesize
261KB

MD5
614d1cd9e8513df074caa93ac0aeeb2e

SHA1
5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89

SHA256
3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74

SHA512
11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

Filesize
261KB

MD5
614d1cd9e8513df074caa93ac0aeeb2e

SHA1
5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89

SHA256
3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74

SHA512
11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

Filesize
261KB

MD5
614d1cd9e8513df074caa93ac0aeeb2e

SHA1
5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89

SHA256
3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74

SHA512
11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

Filesize
261KB

MD5
614d1cd9e8513df074caa93ac0aeeb2e

SHA1
5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89

SHA256
3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74

SHA512
11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

Download Submit
C:\Users\Admin\AppData\Local\Temp\35EB.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\35EB.tmp\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\35EB.tmp\aa_nts.msg

Filesize
46B

MD5
3f05819f995b4dafa1b5d55ce8d1f411

SHA1
404449b79a16bfc4f64f2fd55cd73d5d27a85d71

SHA256
7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

SHA512
34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

Download Submit
C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\5760.exe

Filesize
1008KB

MD5
b198acab3a32e992031632f2b99bf083

SHA1
3750f70adfd21117a123cc498002050bbe9ec37c

SHA256
97cab0037b5553b6703dcee9f9230ec7807c32348dc258ecc7dbadefb2a1e9e2

SHA512
30752cbbac2eb6448a53941e5f1717302a589c579815b9e1cf75f2f09189b828fb63c21b8d89c223ee10b479ec3c85899bc0237e5f5e3ce8ec77f48e8c683721

Download Submit
C:\Users\Admin\AppData\Local\Temp\5760.exe

Filesize
1008KB

MD5
b198acab3a32e992031632f2b99bf083

SHA1
3750f70adfd21117a123cc498002050bbe9ec37c

SHA256
97cab0037b5553b6703dcee9f9230ec7807c32348dc258ecc7dbadefb2a1e9e2

SHA512
30752cbbac2eb6448a53941e5f1717302a589c579815b9e1cf75f2f09189b828fb63c21b8d89c223ee10b479ec3c85899bc0237e5f5e3ce8ec77f48e8c683721

Download Submit
C:\Users\Admin\AppData\Local\Temp\5760.exe

Filesize
1008KB

MD5
b198acab3a32e992031632f2b99bf083

SHA1
3750f70adfd21117a123cc498002050bbe9ec37c

SHA256
97cab0037b5553b6703dcee9f9230ec7807c32348dc258ecc7dbadefb2a1e9e2

SHA512
30752cbbac2eb6448a53941e5f1717302a589c579815b9e1cf75f2f09189b828fb63c21b8d89c223ee10b479ec3c85899bc0237e5f5e3ce8ec77f48e8c683721

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC4F.exe

Filesize
261KB

MD5
614d1cd9e8513df074caa93ac0aeeb2e

SHA1
5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89

SHA256
3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74

SHA512
11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC4F.exe

Filesize
261KB

MD5
614d1cd9e8513df074caa93ac0aeeb2e

SHA1
5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89

SHA256
3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74

SHA512
11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC4F.exe

Filesize
261KB

MD5
614d1cd9e8513df074caa93ac0aeeb2e

SHA1
5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89

SHA256
3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74

SHA512
11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC4F.exe

Filesize
261KB

MD5
614d1cd9e8513df074caa93ac0aeeb2e

SHA1
5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89

SHA256
3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74

SHA512
11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC4F.exe

Filesize
261KB

MD5
614d1cd9e8513df074caa93ac0aeeb2e

SHA1
5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89

SHA256
3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74

SHA512
11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED0C.exe

Filesize
468KB

MD5
20bb118569b859e64feaaf30227e04b8

SHA1
3fb2c608529575ad4b06770e130eb9d2d0750ed7

SHA256
c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674

SHA512
567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED0C.exe

Filesize
468KB

MD5
20bb118569b859e64feaaf30227e04b8

SHA1
3fb2c608529575ad4b06770e130eb9d2d0750ed7

SHA256
c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674

SHA512
567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F356.exe

Filesize
413KB

MD5
a539a3b01f640912b3e70b0624d6e779

SHA1
d21349894faf0b19e292d2fe779fd25a05d347c2

SHA256
fe89c1419eb7fc7222dc3f2e6554dd4418d02d264d41853d82deb4f37173bfec

SHA512
2b6950363159d4a5748c6cd06f027512c8fcd9492a3dee78220747fc7562d54249d7a99d5f6c22e9e9fbb269fb25f8c74606252d3646d2bf13a885db8f041a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\F356.exe

Filesize
413KB

MD5
a539a3b01f640912b3e70b0624d6e779

SHA1
d21349894faf0b19e292d2fe779fd25a05d347c2

SHA256
fe89c1419eb7fc7222dc3f2e6554dd4418d02d264d41853d82deb4f37173bfec

SHA512
2b6950363159d4a5748c6cd06f027512c8fcd9492a3dee78220747fc7562d54249d7a99d5f6c22e9e9fbb269fb25f8c74606252d3646d2bf13a885db8f041a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\F356.exe

Filesize
413KB

MD5
a539a3b01f640912b3e70b0624d6e779

SHA1
d21349894faf0b19e292d2fe779fd25a05d347c2

SHA256
fe89c1419eb7fc7222dc3f2e6554dd4418d02d264d41853d82deb4f37173bfec

SHA512
2b6950363159d4a5748c6cd06f027512c8fcd9492a3dee78220747fc7562d54249d7a99d5f6c22e9e9fbb269fb25f8c74606252d3646d2bf13a885db8f041a26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\cookies.sqlite.id[7660D832-3483].[[email protected]].8base

Filesize
96KB

MD5
a6cbd4f2473ea413fcb5d112d4e4df82

SHA1
848bfd0ff65898a8d4e8504078063bf75af45aa4

SHA256
5f8b54efde3931807a21850f5490a21d581a18a212d69018d3aab2e8d3671c3a

SHA512
4eeecfc743f2422fcd95e4923d21a9f3f0ae4809929971fba5b7700ad67f944d65070a09753a31fe0f3202c1f28600e485de1d3bc9903ecbc1c73a45764a3863

Download Submit
C:\Users\Admin\AppData\Roaming\ushggau

Filesize
413KB

MD5
a539a3b01f640912b3e70b0624d6e779

SHA1
d21349894faf0b19e292d2fe779fd25a05d347c2

SHA256
fe89c1419eb7fc7222dc3f2e6554dd4418d02d264d41853d82deb4f37173bfec

SHA512
2b6950363159d4a5748c6cd06f027512c8fcd9492a3dee78220747fc7562d54249d7a99d5f6c22e9e9fbb269fb25f8c74606252d3646d2bf13a885db8f041a26

Download Submit
memory/804-42-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/804-18-0x000001DCCAFE0000-0x000001DCCAFE3000-memory.dmp

Filesize
12KB

Download
memory/804-45-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/804-46-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/804-47-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/804-48-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/804-43-0x00007FFBC8F70000-0x00007FFBC9165000-memory.dmp

Filesize
2.0MB

Download
memory/804-30-0x000001DCCAFE0000-0x000001DCCAFE3000-memory.dmp

Filesize
12KB

Download
memory/804-91-0x00007FFBC8F70000-0x00007FFBC9165000-memory.dmp

Filesize
2.0MB

Download
memory/804-54-0x00007FFBC8F70000-0x00007FFBC9165000-memory.dmp

Filesize
2.0MB

Download
memory/804-90-0x000001DCCB280000-0x000001DCCB285000-memory.dmp

Filesize
20KB

Download
memory/804-31-0x000001DCCB280000-0x000001DCCB287000-memory.dmp

Filesize
28KB

Download
memory/804-41-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/804-32-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/804-44-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/804-33-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/804-40-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/804-34-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/804-35-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/804-36-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/804-38-0x00007FF4F3420000-0x00007FF4F354F000-memory.dmp

Filesize
1.2MB

Download
memory/872-2603-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/872-2507-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/872-2539-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/1296-3593-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/1296-2533-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/1296-2532-0x0000000000E60000-0x0000000000EDC000-memory.dmp

Filesize
496KB

Download
memory/1296-2774-0x0000000006210000-0x0000000006220000-memory.dmp

Filesize
64KB

Download
memory/1296-2595-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/1296-2947-0x00000000061D0000-0x00000000061DA000-memory.dmp

Filesize
40KB

Download
memory/1296-2804-0x0000000006110000-0x0000000006152000-memory.dmp

Filesize
264KB

Download
memory/1296-2621-0x0000000005320000-0x00000000053BC000-memory.dmp

Filesize
624KB

Download
memory/2324-55-0x00000000049F0000-0x0000000004A36000-memory.dmp

Filesize
280KB

Download
memory/2324-57-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/2324-72-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/2324-59-0x0000000004A30000-0x0000000004A64000-memory.dmp

Filesize
208KB

Download
memory/2324-64-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/2324-52-0x0000000000160000-0x00000000001A8000-memory.dmp

Filesize
288KB

Download
memory/2636-2856-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/2636-2647-0x00000000007D0000-0x000000000083E000-memory.dmp

Filesize
440KB

Download
memory/2636-2679-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/2636-2651-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/2636-2658-0x0000000004FF0000-0x0000000005034000-memory.dmp

Filesize
272KB

Download
memory/2636-2664-0x00000000050C0000-0x0000000005104000-memory.dmp

Filesize
272KB

Download
memory/2636-2676-0x0000000005100000-0x0000000005132000-memory.dmp

Filesize
200KB

Download
memory/2812-130-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2812-70-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2812-117-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2812-113-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2812-109-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2812-132-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2812-137-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2812-111-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2812-107-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2812-66-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2812-77-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2812-112-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2812-105-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3092-20-0x0000000003E40000-0x0000000003E76000-memory.dmp

Filesize
216KB

Download
memory/3092-13-0x0000000001410000-0x0000000001417000-memory.dmp

Filesize
28KB

Download
memory/3092-7-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3092-29-0x0000000003000000-0x0000000003400000-memory.dmp

Filesize
4.0MB

Download
memory/3092-10-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3092-11-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3092-19-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3092-26-0x0000000003E40000-0x0000000003E76000-memory.dmp

Filesize
216KB

Download
memory/3092-27-0x0000000003000000-0x0000000003400000-memory.dmp

Filesize
4.0MB

Download
memory/3092-14-0x0000000003000000-0x0000000003400000-memory.dmp

Filesize
4.0MB

Download
memory/3092-15-0x0000000003000000-0x0000000003400000-memory.dmp

Filesize
4.0MB

Download
memory/3092-17-0x0000000003000000-0x0000000003400000-memory.dmp

Filesize
4.0MB

Download
memory/3092-16-0x0000000003000000-0x0000000003400000-memory.dmp

Filesize
4.0MB

Download
memory/3092-28-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3132-92-0x0000000002E00000-0x0000000002E16000-memory.dmp

Filesize
88KB

Download
memory/3240-3219-0x0000000000C00000-0x0000000000C75000-memory.dmp

Filesize
468KB

Download
memory/3240-3322-0x0000000000990000-0x00000000009FB000-memory.dmp

Filesize
428KB

Download
memory/3380-81-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/3380-87-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/3380-82-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/3516-2851-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3580-76-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3580-71-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3580-93-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3676-2606-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3772-63-0x0000000004DC0000-0x0000000004DF2000-memory.dmp

Filesize
200KB

Download
memory/3772-61-0x0000000004D70000-0x0000000004DB4000-memory.dmp

Filesize
272KB

Download
memory/3772-60-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/3772-78-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/3772-65-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/3772-62-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/4688-3611-0x0000000000950000-0x0000000000957000-memory.dmp

Filesize
28KB

Download
memory/4892-12-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/4892-1-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/4892-6-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/4892-5-0x0000000004EC0000-0x0000000004F0C000-memory.dmp

Filesize
304KB

Download
memory/4892-4-0x0000000004E50000-0x0000000004EB8000-memory.dmp

Filesize
416KB

Download
memory/4892-3-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4892-2-0x0000000004DD0000-0x0000000004E48000-memory.dmp

Filesize
480KB

Download
memory/4892-0-0x0000000000230000-0x0000000000416000-memory.dmp

Filesize
1.9MB

Download
memory/5076-89-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download