Malware Analysis Report

2024-10-16 05:13

Sample ID 231013-efwgxsda9x
Target ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6
SHA256 ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6
Tags
ammyyadmin phobos rhadamanthys smokeloader backdoor bootkit collection evasion persistence ransomware rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6

Threat Level: Known bad

The file ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6 was found to be: Known bad.

Malicious Activity Summary

ammyyadmin phobos rhadamanthys smokeloader backdoor bootkit collection evasion persistence ransomware rat stealer trojan

Detect rhadamanthys stealer shellcode

Rhadamanthys

AmmyyAdmin payload

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

Ammyy Admin

Phobos

Modifies boot configuration data using bcdedit

Deletes shadow copies

Downloads MZ/PE file

Deletes backup catalog

Modifies Windows Firewall

Loads dropped DLL

Executes dropped EXE

Drops startup file

Deletes itself

Adds Run key to start application

Accesses Microsoft Outlook profiles

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Unsigned PE

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-13 03:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-13 03:53

Reported: 2023-10-18 03:21

Platform: win7-20230831-en

Max time kernel: 150s

Max time network: 126s

Command Line

C:\Windows\Explorer.EXE

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2244 created 1228 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\certreq.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\C0DF.exe C:\Users\Admin\AppData\Local\Temp\C0DF.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C0DF = "C:\\Users\\Admin\\AppData\\Local\\C0DF.exe" C:\Users\Admin\AppData\Local\Temp\C0DF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\C0DF = "C:\\Users\\Admin\\AppData\\Local\\C0DF.exe" C:\Users\Admin\AppData\Local\Temp\C0DF.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\115F.tmp\svchost.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C0DF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C0DF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C572.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C0DF.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\115F.tmp\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 2208 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 2208 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 2208 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 2208 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 2208 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 2208 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 2208 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 2208 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 2244 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Windows\system32\certreq.exe
PID 2244 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Windows\system32\certreq.exe
PID 2244 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Windows\system32\certreq.exe
PID 2244 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Windows\system32\certreq.exe
PID 2244 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Windows\system32\certreq.exe
PID 2244 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Windows\system32\certreq.exe
PID 2956 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 2956 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
PID 288 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe
PID 288 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe
PID 288 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe
PID 288 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe
PID 288 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe
PID 288 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe
PID 288 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe
PID 288 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe
PID 288 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe"

C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
    command line: C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe

C:\Windows\system32\certreq.exe
    command line: "C:\Windows\system32\certreq.exe"

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
    command line: "C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe"

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe
    command line: "C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe"

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe

C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe

C:\Users\Admin\AppData\Local\Temp\C0DF.exe
    command line: C:\Users\Admin\AppData\Local\Temp\C0DF.exe

C:\Users\Admin\AppData\Local\Temp\C572.exe
    command line: C:\Users\Admin\AppData\Local\Temp\C572.exe

C:\Users\Admin\AppData\Local\Temp\C0DF.exe
    command line: C:\Users\Admin\AppData\Local\Temp\C0DF.exe

C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\C0DF.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\C0DF.exe"

C:\Users\Admin\AppData\Local\Temp\C0DF.exe
    command line: C:\Users\Admin\AppData\Local\Temp\C0DF.exe

C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe"

C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe

C:\Windows\system32\vssadmin.exe
    command line: vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe
    command line: netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\C572.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\C572.exe"

C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\netsh.exe
    command line: netsh firewall set opmode mode=disable

C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe
    command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
    command line: C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\115F.tmp\svchost.exe
    command line: C:\Users\Admin\AppData\Local\Temp\115F.tmp\svchost.exe -debug

C:\Windows\SysWOW64\ctfmon.exe
    command line: ctfmon.exe

C:\Windows\System32\Wbem\WMIC.exe
    command line: wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe
    command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe
    command line: bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe
    command line: wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe
    command line: "C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe
    command line: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe
    command line: C:\Windows\System32\vds.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
DE 45.131.66.61:80 amxt25.xyz tcp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 servermlogs27.xyz udp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 zamned17.xyz udp
DE 5.182.207.92:80 zamned17.xyz tcp
DE 45.131.66.120:80 servermlogs27.xyz tcp
DE 45.131.66.120:80 servermlogs27.xyz tcp

Files

memory/2208-1-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2208-0-0x00000000000B0000-0x000000000012C000-memory.dmp

memory/2208-2-0x0000000001F50000-0x0000000001FC8000-memory.dmp

memory/2208-3-0x0000000004420000-0x0000000004460000-memory.dmp

memory/2208-4-0x00000000006C0000-0x0000000000728000-memory.dmp

memory/2208-5-0x0000000002090000-0x00000000020DC000-memory.dmp

memory/2244-6-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2244-7-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2244-8-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2244-10-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2244-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2244-14-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2208-16-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2244-17-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2244-18-0x0000000000090000-0x0000000000097000-memory.dmp

memory/2244-19-0x00000000021E0000-0x00000000025E0000-memory.dmp

memory/2244-21-0x00000000021E0000-0x00000000025E0000-memory.dmp

memory/2244-22-0x00000000021E0000-0x00000000025E0000-memory.dmp

memory/2648-23-0x0000000000060000-0x0000000000063000-memory.dmp

memory/2648-24-0x0000000000060000-0x0000000000063000-memory.dmp

memory/2244-25-0x0000000000280000-0x00000000002B6000-memory.dmp

memory/2244-31-0x0000000000280000-0x00000000002B6000-memory.dmp

memory/2244-32-0x00000000021E0000-0x00000000025E0000-memory.dmp

memory/2244-33-0x00000000021E0000-0x00000000025E0000-memory.dmp

memory/2244-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2648-36-0x0000000000120000-0x0000000000127000-memory.dmp

memory/2648-37-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-39-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-38-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-40-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-41-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-42-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-45-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-44-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-46-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-47-0x0000000077030000-0x00000000771D9000-memory.dmp

memory/2648-48-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-49-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-50-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-51-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-52-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2648-53-0x0000000077030000-0x00000000771D9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

MD5 2544c951135bba7846e943cf22a7eb59
SHA1 099bf354174088d2c0cf68638bb441be60d7775f
SHA256 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512 e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

memory/2956-57-0x0000000000BD0000-0x0000000000C10000-memory.dmp

memory/2956-59-0x0000000000AD0000-0x0000000000B0E000-memory.dmp

memory/2956-61-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2956-60-0x00000000009B0000-0x00000000009F0000-memory.dmp

memory/2956-58-0x0000000074050000-0x000000007473E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe

MD5 4a97cfd7be5c68006c2e09dd71343ecd
SHA1 db5d13f2768a73eb8f72fe08575c9911b49abfc5
SHA256 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e
SHA512 a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9

memory/288-65-0x0000000001190000-0x00000000011F8000-memory.dmp

memory/288-66-0x0000000074050000-0x000000007473E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe

MD5 4a97cfd7be5c68006c2e09dd71343ecd
SHA1 db5d13f2768a73eb8f72fe08575c9911b49abfc5
SHA256 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e
SHA512 a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

MD5 2544c951135bba7846e943cf22a7eb59
SHA1 099bf354174088d2c0cf68638bb441be60d7775f
SHA256 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512 e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

memory/288-73-0x0000000000640000-0x0000000000684000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

MD5 2544c951135bba7846e943cf22a7eb59
SHA1 099bf354174088d2c0cf68638bb441be60d7775f
SHA256 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512 e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

memory/2956-78-0x0000000074050000-0x000000007473E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

MD5 2544c951135bba7846e943cf22a7eb59
SHA1 099bf354174088d2c0cf68638bb441be60d7775f
SHA256 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512 e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

memory/288-79-0x0000000004AF0000-0x0000000004B30000-memory.dmp

memory/288-80-0x0000000000680000-0x00000000006B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

MD5 2544c951135bba7846e943cf22a7eb59
SHA1 099bf354174088d2c0cf68638bb441be60d7775f
SHA256 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9
SHA512 e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff

C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe

MD5 4a97cfd7be5c68006c2e09dd71343ecd
SHA1 db5d13f2768a73eb8f72fe08575c9911b49abfc5
SHA256 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e
SHA512 a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9

memory/476-83-0x0000000000400000-0x000000000040B000-memory.dmp

memory/476-85-0x0000000000400000-0x000000000040B000-memory.dmp

memory/476-88-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Cj2R%.exe

MD5 4a97cfd7be5c68006c2e09dd71343ecd
SHA1 db5d13f2768a73eb8f72fe08575c9911b49abfc5
SHA256 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e
SHA512 a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9

memory/476-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/288-90-0x0000000074050000-0x000000007473E000-memory.dmp

memory/2648-91-0x0000000000120000-0x0000000000122000-memory.dmp

memory/2648-92-0x0000000077030000-0x00000000771D9000-memory.dmp

memory/1228-93-0x00000000029B0000-0x00000000029C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C0DF.exe

MD5 dc78f4828dbb4c0da15f789d059d700c
SHA1 c9375db9533f60612b9d4bc19965fb797e88bf6b
SHA256 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e
SHA512 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15

memory/2368-108-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2368-107-0x0000000000A80000-0x0000000000ACE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C572.exe

MD5 20bb118569b859e64feaaf30227e04b8
SHA1 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256 c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

memory/2368-113-0x0000000000350000-0x0000000000396000-memory.dmp

memory/2108-116-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2368-117-0x0000000004C20000-0x0000000004C60000-memory.dmp

memory/2368-115-0x00000000007B0000-0x00000000007E4000-memory.dmp

memory/1916-124-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1916-125-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1916-123-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1916-122-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1916-127-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1916-121-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1916-120-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1916-119-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C0DF.exe

MD5 dc78f4828dbb4c0da15f789d059d700c
SHA1 c9375db9533f60612b9d4bc19965fb797e88bf6b
SHA256 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e
SHA512 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15

\Users\Admin\AppData\Local\Temp\C0DF.exe

MD5 dc78f4828dbb4c0da15f789d059d700c
SHA1 c9375db9533f60612b9d4bc19965fb797e88bf6b
SHA256 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e
SHA512 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15

memory/1916-130-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1916-131-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2108-133-0x0000000000F60000-0x0000000000FDC000-memory.dmp

memory/2368-134-0x0000000074230000-0x000000007491E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C0DF.exe

MD5 dc78f4828dbb4c0da15f789d059d700c
SHA1 c9375db9533f60612b9d4bc19965fb797e88bf6b
SHA256 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e
SHA512 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15

memory/1016-136-0x0000000074230000-0x000000007491E000-memory.dmp

memory/1016-137-0x0000000004DD0000-0x0000000004E10000-memory.dmp

memory/1512-139-0x0000000000190000-0x0000000000205000-memory.dmp

memory/1512-138-0x0000000000120000-0x000000000018B000-memory.dmp

memory/2108-140-0x00000000056A0000-0x00000000056E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\C0DF.exe

MD5 dc78f4828dbb4c0da15f789d059d700c
SHA1 c9375db9533f60612b9d4bc19965fb797e88bf6b
SHA256 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e
SHA512 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15

C:\Users\Admin\AppData\Local\Temp\C0DF.exe

MD5 dc78f4828dbb4c0da15f789d059d700c
SHA1 c9375db9533f60612b9d4bc19965fb797e88bf6b
SHA256 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e
SHA512 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15

memory/1016-153-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2148-155-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2108-159-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2108-160-0x0000000000BA0000-0x0000000000BE2000-memory.dmp

memory/2920-173-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2920-172-0x0000000000070000-0x0000000000077000-memory.dmp

memory/2920-174-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1512-171-0x0000000000120000-0x000000000018B000-memory.dmp

memory/2332-175-0x0000000000090000-0x0000000000094000-memory.dmp

memory/2332-177-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2204-179-0x00000000000D0000-0x00000000000DA000-memory.dmp

memory/2204-180-0x00000000000C0000-0x00000000000CB000-memory.dmp

memory/3024-181-0x0000000000090000-0x0000000000097000-memory.dmp

memory/3024-183-0x0000000000080000-0x000000000008B000-memory.dmp

memory/2108-190-0x0000000000890000-0x00000000008AA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C0DF.exe

MD5 dc78f4828dbb4c0da15f789d059d700c
SHA1 c9375db9533f60612b9d4bc19965fb797e88bf6b
SHA256 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e
SHA512 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15

memory/1700-197-0x0000000000070000-0x0000000000079000-memory.dmp

memory/1700-198-0x0000000000060000-0x000000000006F000-memory.dmp

memory/2108-199-0x00000000004A0000-0x00000000004A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\C572.exe

MD5 20bb118569b859e64feaaf30227e04b8
SHA1 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256 c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

memory/2736-214-0x0000000000090000-0x0000000000095000-memory.dmp

memory/2736-215-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2332-216-0x0000000000090000-0x0000000000094000-memory.dmp

\Users\Admin\AppData\Local\Temp\115F.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

C:\Users\Admin\AppData\Local\Temp\115F.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

\Users\Admin\AppData\Local\Temp\115F.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

C:\Users\Admin\AppData\Local\Temp\115F.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

C:\Users\Admin\AppData\Local\Temp\C572.exe

MD5 20bb118569b859e64feaaf30227e04b8
SHA1 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256 c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-13 03:53

Reported

2023-10-18 03:24

Platform

win10v2004-20230915-en

Max time kernel

205s

Max time network

220s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4796 created 3156 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Windows\Explorer.EXE

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\certreq.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3180 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 3180 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 3180 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 3180 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 3180 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 3180 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 3180 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 3180 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe
PID 4796 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Windows\system32\certreq.exe
PID 4796 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Windows\system32\certreq.exe
PID 4796 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Windows\system32\certreq.exe
PID 4796 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe C:\Windows\system32\certreq.exe
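
The three signatures above describe one chain: the sample (3180) writes into a second copy of itself (4796), that copy creates a process while naming a parent other than itself (the NtCreateUserProcessOtherParentProcess row, with Explorer.EXE as the target), and then writes into certreq.exe (2780), a signed Windows binary that afterwards deletes the sample. The code below is an added example, not part of the report, showing how to flag that pattern from telemetry that records both the declared parent of a new process and the PID that actually issued the create call (an ETW Microsoft-Windows-Kernel-Process consumer sees the caller in the event header and the declared parent in the payload). The process-start records, the field names, the stand-in file name and the assignment of 3156 to Explorer.EXE are assumptions; the write counts follow the rows above.

```python
"""Detect parent-PID spoofing followed by a write into a system binary.

Added example, not part of the sandbox report. It works over two constructed
telemetry streams: process-start records that carry both the declared parent
(what the new process object reports) and the PID that actually issued the
create call, and cross-process write records like the WriteProcessMemory rows
in the report. Field names, the start records and the PID roles are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcStart:
    pid: int
    image: str
    parent_pid: int   # parent recorded on the new process object
    creator_pid: int  # process whose thread called NtCreateUserProcess


@dataclass(frozen=True)
class MemWrite:
    src_pid: int
    dst_pid: int


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_system_binary(image: str) -> bool:
    return image.lower().replace("/", "\\").startswith(SYSTEM_DIRS)


def find_ppid_spoofing(starts: list[ProcStart]) -> list[ProcStart]:
    """Start records whose declared parent is not the process that created them."""
    return [s for s in starts if s.parent_pid != s.creator_pid]


def find_injection(starts: list[ProcStart], writes: list[MemWrite]) -> list[dict]:
    """Score cross-process writes issued by non-system images.

    Weights (assumptions): +2 if the victim is a system binary, +2 if the
    writer is the victim's creator, +2 if the victim's parent was spoofed.
    A write by the creator into a freshly spawned, parent-spoofed system
    binary is the hollowing pattern and scores highest.
    """
    by_pid = {s.pid: s for s in starts}
    findings: dict[tuple[int, int], dict] = {}
    for w in writes:
        src, dst = by_pid.get(w.src_pid), by_pid.get(w.dst_pid)
        if src is None or dst is None or w.src_pid == w.dst_pid or is_system_binary(src.image):
            continue
        f = findings.setdefault((w.src_pid, w.dst_pid), {
            "src_pid": w.src_pid, "src_image": src.image,
            "dst_pid": w.dst_pid, "dst_image": dst.image, "writes": 0,
            "dst_is_system": is_system_binary(dst.image),
            "creator_is_writer": dst.creator_pid == w.src_pid,
            "parent_spoofed": dst.parent_pid != dst.creator_pid,
        })
        f["writes"] += 1
    for f in findings.values():
        f["score"] = 1 + 2 * sum(f[k] for k in ("dst_is_system", "creator_is_writer", "parent_spoofed"))
    return sorted(findings.values(), key=lambda f: (-f["score"], f["dst_pid"]))


# Constructed records. PIDs follow the report's rows; the sample's file name is a stand-in.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
STARTS = [
    ProcStart(3156, r"C:\Windows\Explorer.EXE", 1, 1),
    ProcStart(3180, SAMPLE, 3156, 3156),                               # launched from the shell
    ProcStart(4796, SAMPLE, 3180, 3180),                               # second copy of itself
    ProcStart(2780, r"C:\Windows\system32\certreq.exe", 3156, 4796),  # claims Explorer, made by 4796
    ProcStart(5001, r"C:\Windows\system32\conhost.exe", 2780, 2780),  # ordinary child, no spoofing
]
WRITES = [MemWrite(3180, 4796)] * 8 + [MemWrite(4796, 2780)] * 4

if __name__ == "__main__":
    for s in find_ppid_spoofing(STARTS):
        print(f"spoofed parent: pid {s.pid} ({s.image}) claims {s.parent_pid}, created by {s.creator_pid}")
    for f in find_injection(STARTS, WRITES):
        print(f"score {f['score']}: {f['src_pid']} -> {f['dst_pid']} ({f['dst_image']}), {f['writes']} writes")
```

The self-write into the second copy (3180 into 4796) still surfaces, but with a low score, because neither party is a system binary and the parent is genuine; the certreq.exe write gets the top score because all three conditions hold at once. Sysmon's ParentProcessId alone cannot make the first distinction, since it reports the spoofed parent.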

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe

"C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe"

C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe

C:\Users\Admin\AppData\Local\Temp\ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
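
Both network tables mix three kinds of rows: lookups sent to the resolver (8.8.8.8:53), reverse-DNS (in-addr.arpa) lookups that the sample's own traffic does not need and that are normally OS background activity, and the TCP connections that are the actual indicators. The script below is an added example, not part of the report: it parses rows in the table format used here (a constructed excerpt combining rows from both detonations), keeps only the sample's domains and the endpoints they resolved to, and emits Suricata `dns.query` rules for the domains. The SID base is an assumption.

```python
"""Turn the sandbox network tables into a de-duplicated IOC set.

Added example, not part of the report. It parses the plain-text
"Country Destination Domain Proto" rows (constructed sample below, copied from
both detonations), separates resolver traffic from real connections, drops
reverse-DNS (in-addr.arpa / ip6.arpa) lookups, and emits domain -> IP
pairings plus Suricata dns.query rules. The SID base is an assumption.
"""
from __future__ import annotations

import re
from collections import defaultdict

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>udp|tcp)$"
)

# Constructed excerpt of the report's tables (rows as they appear, including a repeat and two PTR lookups).
SAMPLE_TABLE = """\
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 servermlogs27.xyz udp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 zamned17.xyz udp
DE 5.182.207.92:80 zamned17.xyz tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
"""


def parse_rows(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def is_reverse_lookup(domain: str) -> bool:
    return domain.lower().endswith((".in-addr.arpa", ".ip6.arpa"))


def extract_iocs(rows: list[dict]) -> dict:
    """Domains the sample queried, the IPs it then connected to per domain, and endpoint hit counts."""
    resolutions: dict[str, set[str]] = defaultdict(set)
    endpoints: dict[str, int] = defaultdict(int)
    queried: set[str] = set()
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            if not is_reverse_lookup(r["domain"]):
                queried.add(r["domain"])
            continue  # the resolver itself is not an indicator
        resolutions[r["domain"]].add(r["ip"])
        endpoints[f'{r["ip"]}:{r["port"]}'] += 1
    return {
        "domains": sorted(queried | set(resolutions)),
        "resolutions": {d: sorted(ips) for d, ips in sorted(resolutions.items())},
        "endpoints": dict(sorted(endpoints.items())),
    }


def suricata_rules(domains: list[str], sid_base: int = 9000001) -> list[str]:
    """One dns.query rule per domain; 'endswith' anchors the match to the end of the queried name."""
    return [
        f'alert dns any any -> any any (msg:"C2 domain lookup {d}"; dns.query; '
        f'content:"{d}"; nocase; endswith; sid:{sid_base + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]


if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(SAMPLE_TABLE))
    for d, ips in iocs["resolutions"].items():
        print(d, "->", ", ".join(ips))
    print("\n".join(suricata_rules(iocs["domains"])))
```

Keeping the resolver rows out of the endpoint list matters: 8.8.8.8:53 would otherwise appear as the most-contacted destination and end up in a blocklist. The three .xyz domains and their A records are the part worth sharing.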

Files

memory/3180-0-0x00000000003E0000-0x000000000045C000-memory.dmp

memory/3180-1-0x0000000074DB0000-0x0000000075560000-memory.dmp

memory/3180-2-0x0000000074DB0000-0x0000000075560000-memory.dmp

memory/3180-3-0x00000000054B0000-0x0000000005A54000-memory.dmp

memory/3180-4-0x0000000004D00000-0x0000000004D78000-memory.dmp

memory/3180-5-0x0000000002790000-0x00000000027A0000-memory.dmp

memory/3180-6-0x0000000004D80000-0x0000000004DE8000-memory.dmp

memory/3180-7-0x0000000004E00000-0x0000000004E4C000-memory.dmp

memory/4796-8-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4796-10-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4796-11-0x0000000000400000-0x0000000000473000-memory.dmp

memory/3180-13-0x0000000074DB0000-0x0000000075560000-memory.dmp

memory/4796-14-0x0000000000B20000-0x0000000000B27000-memory.dmp

memory/4796-15-0x0000000002840000-0x0000000002C40000-memory.dmp

memory/4796-16-0x0000000002840000-0x0000000002C40000-memory.dmp

memory/4796-17-0x0000000002840000-0x0000000002C40000-memory.dmp

memory/4796-18-0x0000000002840000-0x0000000002C40000-memory.dmp

memory/4796-19-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4796-20-0x0000000002840000-0x0000000002C40000-memory.dmp

memory/2780-21-0x000002A8B19A0000-0x000002A8B19A3000-memory.dmp

memory/4796-22-0x0000000003610000-0x0000000003646000-memory.dmp

memory/4796-28-0x0000000003610000-0x0000000003646000-memory.dmp

memory/4796-29-0x0000000002840000-0x0000000002C40000-memory.dmp

memory/4796-30-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4796-31-0x0000000002840000-0x0000000002C40000-memory.dmp

memory/2780-32-0x000002A8B19A0000-0x000002A8B19A3000-memory.dmp

memory/2780-33-0x000002A8B1C40000-0x000002A8B1C47000-memory.dmp

memory/2780-34-0x00007FF49E430000-0x00007FF49E55F000-memory.dmp

memory/2780-35-0x00007FF49E430000-0x00007FF49E55F000-memory.dmp

memory/2780-36-0x00007FF49E430000-0x00007FF49E55F000-memory.dmp

memory/2780-37-0x00007FF49E430000-0x00007FF49E55F000-memory.dmp

memory/2780-38-0x00007FF49E430000-0x00007FF49E55F000-memory.dmp

memory/2780-40-0x00007FF49E430000-0x00007FF49E55F000-memory.dmp

memory/2780-42-0x00007FF49E430000-0x00007FF49E55F000-memory.dmp

memory/2780-44-0x00007FF49E430000-0x00007FF49E55F000-memory.dmp

memory/2780-43-0x00007FF49E430000-0x00007FF49E55F000-memory.dmp

memory/2780-45-0x00007FFC832B0000-0x00007FFC834A5000-memory.dmp

memory/2780-46-0x00007FF49E430000-0x00007FF49E55F000-memory.dmp

memory/2780-47-0x00007FF49E430000-0x00007FF49E55F000-memory.dmp

memory/2780-48-0x00007FFC832B0000-0x00007FFC834A5000-memory.dmp
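
The Files sections of both detonations interleave two record types: memory dumps named `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp`, and dropped files given as a path line followed by MD5/SHA1/SHA256/SHA512 lines, with the same file often listed several times and sometimes without the drive letter. The script below is an added example, not part of the report: it parses a constructed excerpt in that format, folds the dropped files to one entry per SHA256, and summarises each PID's dumped regions so that a large region dumped repeatedly (such as the 4 MiB block at 0x2840000 in PID 4796 above) stands out as a likely unpacking buffer. The size and repeat thresholds for that heuristic are assumptions.

```python
"""Summarise a sandbox "Files" section: memory regions per PID and unique dropped files.

Added example, not part of the report. Memory dump names follow
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp and each dropped file is a
path line followed by hash lines; both forms are parsed from a constructed
excerpt below. The unpack-candidate thresholds are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict

MEM = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
PATH = re.compile(r"^(?:[A-Za-z]:)?\\")

# Constructed excerpt in the report's own layout (SHA512 lines omitted for brevity; they parse the same way).
SAMPLE_SECTION = r"""
memory/4796-8-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4796-15-0x0000000002840000-0x0000000002C40000-memory.dmp
memory/4796-16-0x0000000002840000-0x0000000002C40000-memory.dmp
memory/2780-34-0x00007FF49E430000-0x00007FF49E55F000-memory.dmp
memory/2780-45-0x00007FFC832B0000-0x00007FFC834A5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

MD5 2544c951135bba7846e943cf22a7eb59
SHA1 099bf354174088d2c0cf68638bb441be60d7775f
SHA256 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

\Users\Admin\AppData\Local\Microsoft\RYc1IPi7.exe

MD5 2544c951135bba7846e943cf22a7eb59
SHA1 099bf354174088d2c0cf68638bb441be60d7775f
SHA256 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9

C:\Users\Admin\AppData\Local\Temp\C0DF.exe

MD5 dc78f4828dbb4c0da15f789d059d700c
SHA1 c9375db9533f60612b9d4bc19965fb797e88bf6b
SHA256 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e
"""


def parse_files_section(text: str) -> tuple[list[dict], list[dict]]:
    """Split the section into memory-region records and dropped-file records (path plus hashes)."""
    regions, files, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = MEM.match(line)
        if m:
            regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                            "start": int(m["start"], 16), "end": int(m["end"], 16)})
            continue
        h = HASH.match(line)
        if h and current is not None:
            current[h.group(1).lower()] = h.group(2)
            continue
        if PATH.match(line):
            current = {"path": line}
            files.append(current)
    return regions, files


def normalise_path(p: str) -> str:
    # Some writes are logged without the drive letter ("\Users\..."); fold them onto C:.
    return ("C:" + p if p.startswith("\\") else p).lower()


def unique_dropped_files(files: list[dict]) -> dict[str, dict]:
    """One entry per SHA256 with every path it was written to and the number of write events."""
    by_hash: dict[str, dict] = {}
    for f in files:
        sha = f.get("sha256")
        if not sha:
            continue
        e = by_hash.setdefault(sha, {"sha256": sha, "md5": f.get("md5"), "paths": set(), "events": 0})
        e["paths"].add(normalise_path(f["path"]))
        e["events"] += 1
    return {k: {**v, "paths": sorted(v["paths"])} for k, v in by_hash.items()}


def summarise_regions(regions: list[dict], big: int = 1 << 20) -> dict[int, list[dict]]:
    """Per PID: each distinct range, its size, how often it was dumped, and an unpack-buffer flag.

    Heuristic (assumption): a low (32-bit) non-image region of at least `big`
    bytes that the sandbox dumped more than once is a likely unpacking buffer.
    """
    per_pid: dict[int, dict[tuple[int, int], int]] = defaultdict(lambda: defaultdict(int))
    for r in regions:
        per_pid[r["pid"]][(r["start"], r["end"])] += 1
    out = {}
    for pid, ranges in per_pid.items():
        out[pid] = [
            {"start": hex(s), "size": e - s, "dumps": n,
             "unpack_candidate": (e - s) >= big and n > 1 and s < (1 << 32)}
            for (s, e), n in sorted(ranges.items())
        ]
    return out


if __name__ == "__main__":
    regions, files = parse_files_section(SAMPLE_SECTION)
    for pid, entries in summarise_regions(regions).items():
        for ent in entries:
            print(pid, ent)
    for ent in unique_dropped_files(files).values():
        print(ent["sha256"], ent["events"], ent["paths"])
```

Deduplicating by SHA256 rather than by path is what turns the repeated RYc1IPi7.exe and C0DF.exe blocks above into a short list of distinct artefacts to hunt for, while the event count preserves how often the sample rewrote each one.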