ammyyadmin | ff38415bfa7f2db5ba40f26e64ede0676971c441823d2ec2755d644d8905d809

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5b467e9309cbddb4a9ed34a82a36163.exe
Size

462KB
MD5

b5b467e9309cbddb4a9ed34a82a36163
SHA1

1e28242e9862c5b5b040a415e5db619d862a7224
SHA256

ff38415bfa7f2db5ba40f26e64ede0676971c441823d2ec2755d644d8905d809
SHA512

7dd9a63d9d89564aa7a1b571a0f0095b07c02a5faca908580f871133bbe9d5ce70d345c87528c5f65228577f4c26243a1393a47126ca45166791fcaea4de4776
SSDEEP

12288:udcF8KWGUJib0PfIN2AyF5t/AKNxwkvJWaZjs:7F8KWGUcbaAWntTNlv0aB

Score

10^/10

ammyyadmin flawedammyy phobos rhadamanthys smokeloader backdoor bootkit collection evasion persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://servermlogs27.xyz/statweb255/

http://servmblog45.xyz/statweb255/

http://demblog575.xyz/statweb255/

http://admlogs85x.xyz/statweb255/

http://blogmstat389.xyz/statweb255/

http://blogmstat255.xyz/statweb255/

rc4.i32

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DCBA.tmp\svchost.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\DCBA.tmp\svchost.exe	family_ammyyadmin

Detect rhadamanthys stealer shellcode 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4904-15-0x00000000031D0000-0x00000000035D0000-memory.dmp	family_rhadamanthys
behavioral2/memory/4904-14-0x00000000031D0000-0x00000000035D0000-memory.dmp	family_rhadamanthys
behavioral2/memory/4904-16-0x00000000031D0000-0x00000000035D0000-memory.dmp	family_rhadamanthys
behavioral2/memory/4904-17-0x00000000031D0000-0x00000000035D0000-memory.dmp	family_rhadamanthys
behavioral2/memory/4904-27-0x00000000031D0000-0x00000000035D0000-memory.dmp	family_rhadamanthys
behavioral2/memory/4904-29-0x00000000031D0000-0x00000000035D0000-memory.dmp	family_rhadamanthys

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

b5b467e9309cbddb4a9ed34a82a36163.exe

description pid process target process

PID 4904 created 3128 4904 b5b467e9309cbddb4a9ed34a82a36163.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2080 bcdedit.exe
4272 bcdedit.exe
Renames multiple (373) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

464 wbadmin.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

3580 netsh.exe
2752 netsh.exe

description	pid	process	target process
PID 4904 created 3128	4904	b5b467e9309cbddb4a9ed34a82a36163.exe	Explorer.EXE

pid	process
2080	bcdedit.exe
4272	bcdedit.exe

pid	process
464	wbadmin.exe

pid	process
3580	netsh.exe
2752	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 1 IoCs

Processes:

139E.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\139E.exe 139E.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\139E.exe	139E.exe

Executes dropped EXE 21 IoCs

Processes:

V]5jPPdpdb.exem_Rb%.exeV]5jPPdpdb.exeV]5jPPdpdb.exeV]5jPPdpdb.exeV]5jPPdpdb.exeV]5jPPdpdb.exeV]5jPPdpdb.exeV]5jPPdpdb.exeV]5jPPdpdb.exeV]5jPPdpdb.exeV]5jPPdpdb.exem_Rb%.exem_Rb%.exe139E.exe1544.exe139E.exe139E.exe139E.exe1544.exesvchost.exe

pid	process
2456	V]5jPPdpdb.exe
4368	m_Rb%.exe
4852	V]5jPPdpdb.exe
4596	V]5jPPdpdb.exe
1736	V]5jPPdpdb.exe
3160	V]5jPPdpdb.exe
4136	V]5jPPdpdb.exe
1764	V]5jPPdpdb.exe
2200	V]5jPPdpdb.exe
4108	V]5jPPdpdb.exe
2112	V]5jPPdpdb.exe
2444	V]5jPPdpdb.exe
264	m_Rb%.exe
1156	m_Rb%.exe
3060	139E.exe
4700	1544.exe
4436	139E.exe
2736	139E.exe
1064	139E.exe
3240	1544.exe
4356	svchost.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2976 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2976	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

139E.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\139E = "C:\\Users\\Admin\\AppData\\Local\\139E.exe"	139E.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\139E = "C:\\Users\\Admin\\AppData\\Local\\139E.exe"	139E.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

139E.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1141987721-3945596982-3297311814-1000\desktop.ini	139E.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1141987721-3945596982-3297311814-1000\desktop.ini	139E.exe
File opened for modification	C:\Program Files\desktop.ini	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	139E.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

b5b467e9309cbddb4a9ed34a82a36163.exem_Rb%.exe139E.exe139E.exe1544.exe

description	pid	process	target process
PID 3364 set thread context of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	b5b467e9309cbddb4a9ed34a82a36163.exe
PID 4368 set thread context of 1156	4368	m_Rb%.exe	m_Rb%.exe
PID 3060 set thread context of 4436	3060	139E.exe	139E.exe
PID 2736 set thread context of 1064	2736	139E.exe	139E.exe
PID 4700 set thread context of 3240	4700	1544.exe	1544.exe

Drops file in Program Files directory 64 IoCs

Processes:

139E.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-200.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_altform-unplated_contrast-black.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-unplated.png	139E.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar	139E.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll.id[805E56EE-3483].[[email protected]].8base	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-200.png	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.INF	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms	139E.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-pl.xrm-ms.id[805E56EE-3483].[[email protected]].8base	139E.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Authorization.dll.id[805E56EE-3483].[[email protected]].8base	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\mmsogdiplusim.dll	139E.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_HK.properties	139E.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.id[805E56EE-3483].[[email protected]].8base	139E.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\jamendo.luac.id[805E56EE-3483].[[email protected]].8base	139E.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	139E.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml.id[805E56EE-3483].[[email protected]].8base	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-48.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-100_contrast-white.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png	139E.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-default_32.svg.id[805E56EE-3483].[[email protected]].8base	139E.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgePackages.h.id[805E56EE-3483].[[email protected]].8base	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-125_contrast-black.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-24.png	139E.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-default_32.svg	139E.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\PREVIEW.GIF.id[805E56EE-3483].[[email protected]].8base	139E.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.id[805E56EE-3483].[[email protected]].8base	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-100.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-100.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-150.png	139E.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\mlib_image.dll.id[805E56EE-3483].[[email protected]].8base	139E.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-150_contrast-white.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailSmallTile.scale-100.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_full.png	139E.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.id[805E56EE-3483].[[email protected]].8base	139E.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d.id[805E56EE-3483].[[email protected]].8base	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\dcfmui.msi.16.en-us.vreg.dat	139E.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo.id[805E56EE-3483].[[email protected]].8base	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\kn-IN\View3d\3DViewerProductDescription-universal.xml	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-125.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-lightunplated.png	139E.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css.id[805E56EE-3483].[[email protected]].8base	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll	139E.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll	139E.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\SmallTile.scale-125.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-150.png	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.dll	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-32.png	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-20_altform-unplated_contrast-white.png	139E.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif.id[805E56EE-3483].[[email protected]].8base	139E.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.id[805E56EE-3483].[[email protected]].8base	139E.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.ini	139E.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-100.png	139E.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-focus.svg.id[805E56EE-3483].[[email protected]].8base	139E.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms	139E.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-400.png	139E.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exem_Rb%.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	m_Rb%.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	m_Rb%.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	m_Rb%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4160 vssadmin.exe

pid	process
4160	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b5b467e9309cbddb4a9ed34a82a36163.execertreq.exeV]5jPPdpdb.exem_Rb%.exem_Rb%.exeExplorer.EXE

pid	process
4904	b5b467e9309cbddb4a9ed34a82a36163.exe
4904	b5b467e9309cbddb4a9ed34a82a36163.exe
4904	b5b467e9309cbddb4a9ed34a82a36163.exe
4904	b5b467e9309cbddb4a9ed34a82a36163.exe
4760	certreq.exe
4760	certreq.exe
4760	certreq.exe
4760	certreq.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
2456	V]5jPPdpdb.exe
4368	m_Rb%.exe
4368	m_Rb%.exe
1156	m_Rb%.exe
1156	m_Rb%.exe
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3128 Explorer.EXE

pid	process
3128	Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

m_Rb%.exeExplorer.EXEexplorer.exe

pid	process
1156	m_Rb%.exe
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3148	explorer.exe
3148	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b5b467e9309cbddb4a9ed34a82a36163.exeV]5jPPdpdb.exem_Rb%.exe139E.exe1544.exe139E.exe139E.exevssvc.exeExplorer.EXEWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	3364	b5b467e9309cbddb4a9ed34a82a36163.exe
Token: SeDebugPrivilege	2456	V]5jPPdpdb.exe
Token: SeDebugPrivilege	4368	m_Rb%.exe
Token: SeDebugPrivilege	3060	139E.exe
Token: SeDebugPrivilege	4700	1544.exe
Token: SeDebugPrivilege	2736	139E.exe
Token: SeDebugPrivilege	4436	139E.exe
Token: SeBackupPrivilege	5096	vssvc.exe
Token: SeRestorePrivilege	5096	vssvc.exe
Token: SeAuditPrivilege	5096	vssvc.exe
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	3420	WMIC.exe
Token: SeSecurityPrivilege	3420	WMIC.exe
Token: SeTakeOwnershipPrivilege	3420	WMIC.exe
Token: SeLoadDriverPrivilege	3420	WMIC.exe
Token: SeSystemProfilePrivilege	3420	WMIC.exe
Token: SeSystemtimePrivilege	3420	WMIC.exe
Token: SeProfSingleProcessPrivilege	3420	WMIC.exe
Token: SeIncBasePriorityPrivilege	3420	WMIC.exe
Token: SeCreatePagefilePrivilege	3420	WMIC.exe
Token: SeBackupPrivilege	3420	WMIC.exe
Token: SeRestorePrivilege	3420	WMIC.exe
Token: SeShutdownPrivilege	3420	WMIC.exe
Token: SeDebugPrivilege	3420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3420	WMIC.exe
Token: SeRemoteShutdownPrivilege	3420	WMIC.exe
Token: SeUndockPrivilege	3420	WMIC.exe
Token: SeManageVolumePrivilege	3420	WMIC.exe
Token: 33	3420	WMIC.exe
Token: 34	3420	WMIC.exe
Token: 35	3420	WMIC.exe
Token: 36	3420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3420	WMIC.exe
Token: SeSecurityPrivilege	3420	WMIC.exe
Token: SeTakeOwnershipPrivilege	3420	WMIC.exe
Token: SeLoadDriverPrivilege	3420	WMIC.exe
Token: SeSystemProfilePrivilege	3420	WMIC.exe
Token: SeSystemtimePrivilege	3420	WMIC.exe
Token: SeProfSingleProcessPrivilege	3420	WMIC.exe
Token: SeIncBasePriorityPrivilege	3420	WMIC.exe
Token: SeCreatePagefilePrivilege	3420	WMIC.exe
Token: SeBackupPrivilege	3420	WMIC.exe
Token: SeRestorePrivilege	3420	WMIC.exe
Token: SeShutdownPrivilege	3420	WMIC.exe
Token: SeDebugPrivilege	3420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3420	WMIC.exe
Token: SeRemoteShutdownPrivilege	3420	WMIC.exe
Token: SeUndockPrivilege	3420	WMIC.exe
Token: SeManageVolumePrivilege	3420	WMIC.exe
Token: 33	3420	WMIC.exe
Token: 34	3420	WMIC.exe
Token: 35	3420	WMIC.exe
Token: 36	3420	WMIC.exe
Token: SeBackupPrivilege	116	wbengine.exe
Token: SeRestorePrivilege	116	wbengine.exe
Token: SeSecurityPrivilege	116	wbengine.exe
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

svchost.exe

pid process

4356 svchost.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3128 Explorer.EXE

pid	process
4356	svchost.exe

pid	process
3128	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5b467e9309cbddb4a9ed34a82a36163.exeb5b467e9309cbddb4a9ed34a82a36163.exeV]5jPPdpdb.exem_Rb%.exeExplorer.EXE139E.exe

description	pid	process	target process
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	b5b467e9309cbddb4a9ed34a82a36163.exe
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	b5b467e9309cbddb4a9ed34a82a36163.exe
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	b5b467e9309cbddb4a9ed34a82a36163.exe
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	b5b467e9309cbddb4a9ed34a82a36163.exe
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	b5b467e9309cbddb4a9ed34a82a36163.exe
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	b5b467e9309cbddb4a9ed34a82a36163.exe
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	b5b467e9309cbddb4a9ed34a82a36163.exe
PID 3364 wrote to memory of 4904	3364	b5b467e9309cbddb4a9ed34a82a36163.exe	b5b467e9309cbddb4a9ed34a82a36163.exe
PID 4904 wrote to memory of 4760	4904	b5b467e9309cbddb4a9ed34a82a36163.exe	certreq.exe
PID 4904 wrote to memory of 4760	4904	b5b467e9309cbddb4a9ed34a82a36163.exe	certreq.exe
PID 4904 wrote to memory of 4760	4904	b5b467e9309cbddb4a9ed34a82a36163.exe	certreq.exe
PID 4904 wrote to memory of 4760	4904	b5b467e9309cbddb4a9ed34a82a36163.exe	certreq.exe
PID 2456 wrote to memory of 4852	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 4852	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 4852	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 4596	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 4596	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 4596	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 1736	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 1736	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 1736	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 3160	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 3160	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 3160	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 4136	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 4136	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 4136	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 1764	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 1764	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 1764	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 2200	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 2200	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 2200	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 4108	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 4108	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 4108	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 2112	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 2112	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 2112	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 2444	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 2444	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 2456 wrote to memory of 2444	2456	V]5jPPdpdb.exe	V]5jPPdpdb.exe
PID 4368 wrote to memory of 264	4368	m_Rb%.exe	m_Rb%.exe
PID 4368 wrote to memory of 264	4368	m_Rb%.exe	m_Rb%.exe
PID 4368 wrote to memory of 264	4368	m_Rb%.exe	m_Rb%.exe
PID 4368 wrote to memory of 1156	4368	m_Rb%.exe	m_Rb%.exe
PID 4368 wrote to memory of 1156	4368	m_Rb%.exe	m_Rb%.exe
PID 4368 wrote to memory of 1156	4368	m_Rb%.exe	m_Rb%.exe
PID 4368 wrote to memory of 1156	4368	m_Rb%.exe	m_Rb%.exe
PID 4368 wrote to memory of 1156	4368	m_Rb%.exe	m_Rb%.exe
PID 4368 wrote to memory of 1156	4368	m_Rb%.exe	m_Rb%.exe
PID 3128 wrote to memory of 3060	3128	Explorer.EXE	139E.exe
PID 3128 wrote to memory of 3060	3128	Explorer.EXE	139E.exe
PID 3128 wrote to memory of 3060	3128	Explorer.EXE	139E.exe
PID 3128 wrote to memory of 4700	3128	Explorer.EXE	1544.exe
PID 3128 wrote to memory of 4700	3128	Explorer.EXE	1544.exe
PID 3128 wrote to memory of 4700	3128	Explorer.EXE	1544.exe
PID 3060 wrote to memory of 4436	3060	139E.exe	139E.exe
PID 3060 wrote to memory of 4436	3060	139E.exe	139E.exe
PID 3060 wrote to memory of 4436	3060	139E.exe	139E.exe
PID 3060 wrote to memory of 4436	3060	139E.exe	139E.exe
PID 3060 wrote to memory of 4436	3060	139E.exe	139E.exe
PID 3060 wrote to memory of 4436	3060	139E.exe	139E.exe
PID 3060 wrote to memory of 4436	3060	139E.exe	139E.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\b5b467e9309cbddb4a9ed34a82a36163.exe
"C:\Users\Admin\AppData\Local\Temp\b5b467e9309cbddb4a9ed34a82a36163.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\b5b467e9309cbddb4a9ed34a82a36163.exe
C:\Users\Admin\AppData\Local\Temp\b5b467e9309cbddb4a9ed34a82a36163.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4760

C:\Users\Admin\AppData\Local\Temp\139E.exe
C:\Users\Admin\AppData\Local\Temp\139E.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\139E.exe
C:\Users\Admin\AppData\Local\Temp\139E.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Users\Admin\AppData\Local\Temp\139E.exe
"C:\Users\Admin\AppData\Local\Temp\139E.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Users\Admin\AppData\Local\Temp\139E.exe
C:\Users\Admin\AppData\Local\Temp\139E.exe
5⤵
- Executes dropped EXE
PID:1064

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
PID:1172

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:4160

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:2080

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
5⤵
- Modifies boot configuration data using bcdedit
PID:4272

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
5⤵
- Deletes backup catalog
PID:464

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
PID:2300

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
5⤵
- Modifies Windows Firewall
PID:3580

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
5⤵
- Modifies Windows Firewall
PID:2752

C:\Users\Admin\AppData\Local\Temp\1544.exe
C:\Users\Admin\AppData\Local\Temp\1544.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Users\Admin\AppData\Local\Temp\1544.exe
"C:\Users\Admin\AppData\Local\Temp\1544.exe"
3⤵
- Executes dropped EXE
PID:3240

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3860

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2612

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3776

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3480

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4900

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:904

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3236

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1264

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2612

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1304

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:184

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:860

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5044

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3152

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Suspicious behavior: MapViewOfSection
PID:3148

C:\Users\Admin\AppData\Local\Temp\DCBA.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\DCBA.tmp\svchost.exe -debug
3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:4356

C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DCBA.tmp\aa_nts.dll",run
4⤵
- Loads dropped DLL
PID:2976

C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
"C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
2⤵
- Executes dropped EXE
PID:4852

C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
2⤵
- Executes dropped EXE
PID:2444

C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
2⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
2⤵
- Executes dropped EXE
PID:4108

C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
2⤵
- Executes dropped EXE
PID:2200

C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
2⤵
- Executes dropped EXE
PID:1764

C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
2⤵
- Executes dropped EXE
PID:4136

C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
2⤵
- Executes dropped EXE
PID:3160

C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
2⤵
- Executes dropped EXE
PID:1736

C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
2⤵
- Executes dropped EXE
PID:4596

C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
"C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368

C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1156

C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
2⤵
- Executes dropped EXE
PID:264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1276

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[805E56EE-3483].[[email protected]].8base
Filesize
2.7MB

MD5
c25964a94f7f00cd6834e168823dcdf4

SHA1
b50653f8088b199467a579bfe9f9e3f35668cce7

SHA256
036c17e7cfdbb6ad285240c757c9a05776e7fb366994f2888033cfda528b4fed

SHA512
bec58b7dacf9a88872fb37e7cef03639669bf0d3590309d35dd6514fbf307684ca83fc0e7907263bffe631cc700540425e8ac42e7527fb89f197e328420433c1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\139E.exe
Filesize
420KB

MD5
16a47e164bd3d0ded59d301a75362a09

SHA1
cd0d5d280208f0f8a93549a727df797e6ea2dd49

SHA256
68e04834ecd4bd7e4fc7c29f5314fb785e2232c43d02564feb20bc8569cbd315

SHA512
589618430010de95b7f0f8f9f3ecf5fef7d6cb79d75705fb201ace7dce1477ba459483605882cfd700aa4730dceb94b9b6735c375c82d311184ecea42adc88f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\139E.exe.log
Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\V]5jPPdpdb.exe
Filesize
227KB

MD5
2544c951135bba7846e943cf22a7eb59

SHA1
099bf354174088d2c0cf68638bb441be60d7775f

SHA256
14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

SHA512
e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
Filesize
535KB

MD5
ecfe62777946dfed18d22fc8b2015a37

SHA1
ec602fc687056f285587b1182fa9777bbf50ab63

SHA256
4911e4611c08d1a54bbe1a3a7d8d801e468968825ed639ed22880fc7e1b0ae7a

SHA512
05657c0add30a2616042f87c0ea91d7faedf69b4e9bd9ff693bc7a1f854c8ab09a423d19ff165dfa9208e14bbfa2dbf7f468f3fce970d6aaa3cfa9fc76b0374b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
Filesize
535KB

MD5
ecfe62777946dfed18d22fc8b2015a37

SHA1
ec602fc687056f285587b1182fa9777bbf50ab63

SHA256
4911e4611c08d1a54bbe1a3a7d8d801e468968825ed639ed22880fc7e1b0ae7a

SHA512
05657c0add30a2616042f87c0ea91d7faedf69b4e9bd9ff693bc7a1f854c8ab09a423d19ff165dfa9208e14bbfa2dbf7f468f3fce970d6aaa3cfa9fc76b0374b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
Filesize
535KB

MD5
ecfe62777946dfed18d22fc8b2015a37

SHA1
ec602fc687056f285587b1182fa9777bbf50ab63

SHA256
4911e4611c08d1a54bbe1a3a7d8d801e468968825ed639ed22880fc7e1b0ae7a

SHA512
05657c0add30a2616042f87c0ea91d7faedf69b4e9bd9ff693bc7a1f854c8ab09a423d19ff165dfa9208e14bbfa2dbf7f468f3fce970d6aaa3cfa9fc76b0374b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\m_Rb%.exe
Filesize
535KB

MD5
ecfe62777946dfed18d22fc8b2015a37

SHA1
ec602fc687056f285587b1182fa9777bbf50ab63

SHA256
4911e4611c08d1a54bbe1a3a7d8d801e468968825ed639ed22880fc7e1b0ae7a

SHA512
05657c0add30a2616042f87c0ea91d7faedf69b4e9bd9ff693bc7a1f854c8ab09a423d19ff165dfa9208e14bbfa2dbf7f468f3fce970d6aaa3cfa9fc76b0374b

Download Submit
C:\Users\Admin\AppData\Local\Temp\139E.exe
Filesize
420KB

MD5
16a47e164bd3d0ded59d301a75362a09

SHA1
cd0d5d280208f0f8a93549a727df797e6ea2dd49

SHA256
68e04834ecd4bd7e4fc7c29f5314fb785e2232c43d02564feb20bc8569cbd315

SHA512
589618430010de95b7f0f8f9f3ecf5fef7d6cb79d75705fb201ace7dce1477ba459483605882cfd700aa4730dceb94b9b6735c375c82d311184ecea42adc88f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\139E.exe
Filesize
420KB

MD5
16a47e164bd3d0ded59d301a75362a09

SHA1
cd0d5d280208f0f8a93549a727df797e6ea2dd49

SHA256
68e04834ecd4bd7e4fc7c29f5314fb785e2232c43d02564feb20bc8569cbd315

SHA512
589618430010de95b7f0f8f9f3ecf5fef7d6cb79d75705fb201ace7dce1477ba459483605882cfd700aa4730dceb94b9b6735c375c82d311184ecea42adc88f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\139E.exe
Filesize
420KB

MD5
16a47e164bd3d0ded59d301a75362a09

SHA1
cd0d5d280208f0f8a93549a727df797e6ea2dd49

SHA256
68e04834ecd4bd7e4fc7c29f5314fb785e2232c43d02564feb20bc8569cbd315

SHA512
589618430010de95b7f0f8f9f3ecf5fef7d6cb79d75705fb201ace7dce1477ba459483605882cfd700aa4730dceb94b9b6735c375c82d311184ecea42adc88f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\139E.exe
Filesize
420KB

MD5
16a47e164bd3d0ded59d301a75362a09

SHA1
cd0d5d280208f0f8a93549a727df797e6ea2dd49

SHA256
68e04834ecd4bd7e4fc7c29f5314fb785e2232c43d02564feb20bc8569cbd315

SHA512
589618430010de95b7f0f8f9f3ecf5fef7d6cb79d75705fb201ace7dce1477ba459483605882cfd700aa4730dceb94b9b6735c375c82d311184ecea42adc88f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\139E.exe
Filesize
420KB

MD5
16a47e164bd3d0ded59d301a75362a09

SHA1
cd0d5d280208f0f8a93549a727df797e6ea2dd49

SHA256
68e04834ecd4bd7e4fc7c29f5314fb785e2232c43d02564feb20bc8569cbd315

SHA512
589618430010de95b7f0f8f9f3ecf5fef7d6cb79d75705fb201ace7dce1477ba459483605882cfd700aa4730dceb94b9b6735c375c82d311184ecea42adc88f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1544.exe
Filesize
468KB

MD5
20bb118569b859e64feaaf30227e04b8

SHA1
3fb2c608529575ad4b06770e130eb9d2d0750ed7

SHA256
c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674

SHA512
567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1544.exe
Filesize
468KB

MD5
20bb118569b859e64feaaf30227e04b8

SHA1
3fb2c608529575ad4b06770e130eb9d2d0750ed7

SHA256
c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674

SHA512
567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1544.exe
Filesize
468KB

MD5
20bb118569b859e64feaaf30227e04b8

SHA1
3fb2c608529575ad4b06770e130eb9d2d0750ed7

SHA256
c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674

SHA512
567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCBA.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCBA.tmp\aa_nts.dll
Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCBA.tmp\aa_nts.msg
Filesize
46B

MD5
3f05819f995b4dafa1b5d55ce8d1f411

SHA1
404449b79a16bfc4f64f2fd55cd73d5d27a85d71

SHA256
7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

SHA512
34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCBA.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCBA.tmp\svchost.exe
Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\cookies.sqlite.id[805E56EE-3483].[[email protected]].8base
Filesize
96KB

MD5
a03719011c7f7d4d176ed5fb73c85c3c

SHA1
d6a00d0bc32ac61a6def8ba8d37b68ccd4f27db0

SHA256
beb7f0db5fb24252c5edeec8bd914984dd13e68eae61ffb527093752bd3a7e88

SHA512
928013e3a93b7ce1ac0e99fbf58e4e92ab6e0ac61de16203ea629513ff5e25bfe792c4c64cb58060862f63933a14da323731bc3c00ee90ab9fc71a981c07e6ea

Download Submit
memory/1064-130-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1156-82-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1156-87-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1156-79-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2456-54-0x00000000053F0000-0x000000000542E000-memory.dmp

Filesize
248KB

Download
memory/2456-55-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/2456-77-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/2456-58-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/2456-57-0x0000000005470000-0x000000000549C000-memory.dmp

Filesize
176KB

Download
memory/2456-52-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download
memory/2736-122-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/2736-124-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/2736-131-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/3060-102-0x00000000048C0000-0x0000000004906000-memory.dmp

Filesize
280KB

Download
memory/3060-118-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/3060-100-0x0000000000010000-0x0000000000080000-memory.dmp

Filesize
448KB

Download
memory/3060-103-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/3060-104-0x0000000004900000-0x0000000004934000-memory.dmp

Filesize
208KB

Download
memory/3060-101-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/3128-1749-0x00000000070B0000-0x00000000070C0000-memory.dmp

Filesize
64KB

Download
memory/3128-1760-0x0000000007070000-0x0000000007072000-memory.dmp

Filesize
8KB

Download
memory/3128-1771-0x00000000070B0000-0x00000000070C0000-memory.dmp

Filesize
64KB

Download
memory/3128-86-0x0000000002CA0000-0x0000000002CB6000-memory.dmp

Filesize
88KB

Download
memory/3364-2-0x00000000058A0000-0x0000000005918000-memory.dmp

Filesize
480KB

Download
memory/3364-6-0x0000000006020000-0x00000000065C4000-memory.dmp

Filesize
5.6MB

Download
memory/3364-0-0x0000000000EC0000-0x0000000000F3A000-memory.dmp

Filesize
488KB

Download
memory/3364-3-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3364-11-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/3364-1-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/3364-4-0x0000000005950000-0x00000000059B8000-memory.dmp

Filesize
416KB

Download
memory/3364-5-0x00000000059C0000-0x0000000005A0C000-memory.dmp

Filesize
304KB

Download
memory/4368-65-0x0000000004EC0000-0x0000000004EF2000-memory.dmp

Filesize
200KB

Download
memory/4368-64-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4368-61-0x00000000005A0000-0x000000000062C000-memory.dmp

Filesize
560KB

Download
memory/4368-63-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4368-62-0x0000000004DD0000-0x0000000004E14000-memory.dmp

Filesize
272KB

Download
memory/4368-83-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4436-218-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-168-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-146-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-148-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-150-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-393-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-119-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-111-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-153-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-169-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-223-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-222-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-117-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-147-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4436-221-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4700-132-0x0000000006AE0000-0x0000000006AEA000-memory.dmp

Filesize
40KB

Download
memory/4700-109-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4700-110-0x0000000000410000-0x000000000048C000-memory.dmp

Filesize
496KB

Download
memory/4700-112-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/4700-116-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/4700-133-0x0000000006720000-0x0000000006730000-memory.dmp

Filesize
64KB

Download
memory/4700-125-0x0000000006720000-0x0000000006730000-memory.dmp

Filesize
64KB

Download
memory/4700-134-0x0000000007C60000-0x0000000007C7A000-memory.dmp

Filesize
104KB

Download
memory/4700-319-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4700-135-0x0000000007C40000-0x0000000007C46000-memory.dmp

Filesize
24KB

Download
memory/4700-488-0x0000000006720000-0x0000000006730000-memory.dmp

Filesize
64KB

Download
memory/4700-795-0x0000000006720000-0x0000000006730000-memory.dmp

Filesize
64KB

Download
memory/4700-123-0x0000000006730000-0x0000000006772000-memory.dmp

Filesize
264KB

Download
memory/4760-34-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4760-31-0x000001DD09880000-0x000001DD09887000-memory.dmp

Filesize
28KB

Download
memory/4760-44-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4760-45-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4760-46-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4760-47-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4760-18-0x000001DD095E0000-0x000001DD095E3000-memory.dmp

Filesize
12KB

Download
memory/4760-48-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4760-40-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4760-85-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4760-84-0x000001DD09880000-0x000001DD09885000-memory.dmp

Filesize
20KB

Download
memory/4760-56-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4760-43-0x00007FFB9E530000-0x00007FFB9E725000-memory.dmp

Filesize
2.0MB

Download
memory/4760-42-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4760-41-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4760-38-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4760-36-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4760-35-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4760-30-0x000001DD095E0000-0x000001DD095E3000-memory.dmp

Filesize
12KB

Download
memory/4760-32-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4760-33-0x00007FF402980000-0x00007FF402AAF000-memory.dmp

Filesize
1.2MB

Download
memory/4904-10-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4904-13-0x00000000015C0000-0x00000000015C7000-memory.dmp

Filesize
28KB

Download
memory/4904-29-0x00000000031D0000-0x00000000035D0000-memory.dmp

Filesize
4.0MB

Download
memory/4904-28-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4904-27-0x00000000031D0000-0x00000000035D0000-memory.dmp

Filesize
4.0MB

Download
memory/4904-26-0x0000000003F90000-0x0000000003FC6000-memory.dmp

Filesize
216KB

Download
memory/4904-20-0x0000000003F90000-0x0000000003FC6000-memory.dmp

Filesize
216KB

Download
memory/4904-7-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4904-12-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4904-19-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4904-17-0x00000000031D0000-0x00000000035D0000-memory.dmp

Filesize
4.0MB

Download
memory/4904-16-0x00000000031D0000-0x00000000035D0000-memory.dmp

Filesize
4.0MB

Download
memory/4904-14-0x00000000031D0000-0x00000000035D0000-memory.dmp

Filesize
4.0MB

Download
memory/4904-15-0x00000000031D0000-0x00000000035D0000-memory.dmp

Filesize
4.0MB

Download