Malware Analysis Report

2024-11-16 12:17

Sample ID 230626-q15rwaah2v
Target b5237a3f0b1db945c1fe3f9ba71e3ff2
SHA256 239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2
Tags
phobos redline smokeloader systembc 1 backdoor collection evasion infostealer persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2

Threat Level: Known bad

The file b5237a3f0b1db945c1fe3f9ba71e3ff2 was found to be: Known bad.

Malicious Activity Summary

SystemBC

SmokeLoader

Phobos

RedLine

Renames multiple (481) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Modifies extensions of user files

Deletes backup catalog

Blocklisted process makes network request

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Drops startup file

Adds Run key to start application

Accesses Microsoft Outlook profiles

Drops desktop.ini file(s)

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

outlook_win_path

Interacts with shadow copies

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-06-26 13:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-06-26 13:44

Reported: 2023-06-26 13:47

Platform: win7-20230621-en

Max time kernel: 28s

Max time network: 31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
  "C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

Network

N/A

Files

memory/1508-54-0x0000000000390000-0x00000000003E8000-memory.dmp

memory/1508-55-0x0000000001EE0000-0x0000000001F20000-memory.dmp

memory/1768-58-0x0000000002660000-0x00000000026A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-06-26 13:44

Reported: 2023-06-26 13:47

Platform: win10v2004-20230621-en

Max time kernel: 150s

Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"

Signatures

Phobos

ransomware phobos

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (481) files with added filename extension

ransomware

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\ReadRestart.tiff | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MergeRepair.tiff | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\1B87.exe | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1B87 = "C:\\Users\\Admin\\AppData\\Local\\1B87.exe" | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1B87 = "C:\\Users\\Admin\\AppData\\Local\\1B87.exe" | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\s777mx.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\s777mx.exe'\"" | C:\Users\Admin\AppData\Local\Temp\s777mx.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-4129409437-3162877118-52503038-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1472 set thread context of 2508 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3356 set thread context of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe | C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\VideoLAN\VLC\plugins\codec\libdmo_plugin.dll.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-white_scale-100.png | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-xstate-l2-1-0.dll | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\WideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-96_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.tpn.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldExist.snippets.ps1xml | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-runtime-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.175.29\psmachine.dll | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\SharePointPortalSite.ico.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt-br_get.svg.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\ui-strings.js.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Exist.ps1 | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_66\bin\zip.dll.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\meBoot.min.js | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\MSFT_PackageManagementSource.strings.psd1 | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\STINTL.DLL.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-100.png | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.SmartGlass.Controls\BridgedWebBrowser.xaml | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\46.jpg | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-125.png | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\scanAppLogo.png | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sq.pak.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-pl.xrm-ms.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.rcp_4.3.100.v20141007-2301.jar | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\sample-thumb.png.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Java\jre1.8.0_66\lib\jsse.jar.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_TW.properties.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Microsoft.AnalysisServices.AzureClient.dll | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\ui-strings.js.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\reduced_mode.png | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\Cryptomining.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_unselected_18.svg.id[56C78627-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\1B87.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1B87.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
(64 identical rows collapsed; the sandbox recorded no indicator for any of them)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe N/A
N/A N/A N/A N/A
(30 further rows with no process recorded, collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1B87.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
(the 21 WMIC.exe privilege adjustments above are repeated verbatim for the second WMIC.exe instance, matching the two wmic shadowcopy delete launches listed under Processes)
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 1472 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1472 wrote to memory of 2508 (8 writes) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 2508 wrote to memory of 3356 (3 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 2508 wrote to memory of 2964 (3 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\s777mx.exe
PID 3356 wrote to memory of 4856 (6 writes) N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 2568 wrote to memory of 948 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\1B87.exe
PID 2568 wrote to memory of 4244 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\1D4D.exe
PID 2568 wrote to memory of 3864 (4 writes) N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2568 wrote to memory of 4624 (3 writes) N/A N/A C:\Windows\explorer.exe
PID 2568 wrote to memory of 828 (4 writes) N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2568 wrote to memory of 436 (4 writes) N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2568 wrote to memory of 380 (4 writes) N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 948 wrote to memory of 1104 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\1B87.exe C:\Windows\system32\cmd.exe
PID 948 wrote to memory of 1388 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\1B87.exe C:\Windows\system32\cmd.exe
PID 2568 wrote to memory of 4632 (3 writes) N/A N/A C:\Windows\explorer.exe
PID 2568 wrote to memory of 5052 (4 writes) N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1388 wrote to memory of 3764 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1104 wrote to memory of 3732 (2 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1104 wrote to memory of 4036 (1 write) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
(Identical rows collapsed; the count is how many times the sandbox logged a write into that child. PID 2568 is never attributed to an image anywhere in this report.)
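Read as a graph, the WriteProcessMemory rows are the launch and injection tree of the whole detonation, which the flat table hides. Two chains stand out: the dropper (2384) writing into powershell.exe (1472), which writes eight times into aspnet_compiler.exe (2508), a .NET utility launched with a forward-slash path and repeatedly written into before it runs, the signature of a hollowed host; and an unnamed PID 2568 that launches 1B87.exe (948), the process that created every .8base file above, which in turn runs two cmd.exe instances for vssadmin, WMIC and netsh. The script below is an added example, not part of the sandbox report: it rebuilds that tree from the rows, with the sample rows copied from the table at their original multiplicities.

```python
import re
from collections import defaultdict

# One row of the "Suspicious use of WriteProcessMemory" table as it appears on this page:
#   PID <writer> wrote to memory of <target> N/A <writer image or N/A> <target image>
# Image paths in this report contain no spaces, so \S+ is enough to capture them.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def build_tree(rows):
    """Parse rows into {pid: image}, {writer: [targets]} and {(writer, target): write count}.
    Repeated rows are the sandbox logging several writes into the same child, which is
    what a create-suspended-then-inject loader produces."""
    image, children, writes = {}, defaultdict(list), defaultdict(int)
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        image.setdefault(src, m.group(3))   # never overwrite a real image with "N/A"
        image[dst] = m.group(4)
        if dst not in children[src]:
            children[src].append(dst)
        writes[(src, dst)] += 1
    return image, children, writes


def roots(children):
    """PIDs that write into others but were never written into themselves."""
    targets = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in targets)


def ancestry(pid, children):
    """Chain of writers from the root down to pid."""
    parent_of = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[0] in parent_of:
        chain.insert(0, parent_of[chain[0]])
    return chain


def render(image, children, writes, pid, depth=0, note=""):
    """Indented text lines for the subtree under pid, annotated with write counts."""
    lines = ["%s%d %s%s" % ("  " * depth, pid, image.get(pid, "N/A"), note)]
    for child in children.get(pid, []):
        n = writes[(pid, child)]
        lines += render(image, children, writes, child, depth + 1,
                        "  (%d write%s)" % (n, "" if n == 1 else "s"))
    return lines


# Constructed sample: rows copied from this report's table, repeated as often as the
# sandbox logged them. Only a subset of the explorer.exe targets is included.
SAMPLE_ROWS = (
    [r"PID 2384 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"] * 3
    + [r"PID 1472 wrote to memory of 2508 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"] * 8
    + [r"PID 2508 wrote to memory of 3356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"] * 3
    + [r"PID 2508 wrote to memory of 2964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\s777mx.exe"] * 3
    + [r"PID 3356 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"] * 6
    + [r"PID 2568 wrote to memory of 948 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B87.exe"] * 3
    + [r"PID 2568 wrote to memory of 4244 N/A N/A C:\Users\Admin\AppData\Local\Temp\1D4D.exe"] * 3
    + [r"PID 2568 wrote to memory of 3864 N/A N/A C:\Windows\SysWOW64\explorer.exe"] * 4
    + [r"PID 948 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\1B87.exe C:\Windows\system32\cmd.exe"] * 2
    + [r"PID 948 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\1B87.exe C:\Windows\system32\cmd.exe"] * 2
    + [r"PID 1388 wrote to memory of 3764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe"] * 2
    + [r"PID 1104 wrote to memory of 3732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe"] * 2
    + [r"PID 1104 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe"]
)

if __name__ == "__main__":
    image, children, writes = build_tree(SAMPLE_ROWS)
    for root in roots(children):
        print("\n".join(render(image, children, writes, root)))
        print()
```

The same parser works on a live EDR export as long as the rows are reduced to the writer PID, target PID and images; the write count per edge is the quick tell between a plain child launch (one or two writes) and an injection (several writes before the child ever executes its own code).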

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe

"C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"

C:\Users\Admin\AppData\Local\Temp\s777mx.exe

"C:\Users\Admin\AppData\Local\Temp\s777mx.exe"

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"

C:\Users\Admin\AppData\Local\Temp\1B87.exe

C:\Users\Admin\AppData\Local\Temp\1B87.exe

C:\Users\Admin\AppData\Local\Temp\1D4D.exe

C:\Users\Admin\AppData\Local\Temp\1D4D.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\1B87.exe

"C:\Users\Admin\AppData\Local\Temp\1B87.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 460

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4244 -ip 4244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 252

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet
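The command lines above, taken together, are the textbook pre-encryption sequence: shadow copies removed twice over (vssadmin and WMIC), Windows recovery disabled and boot failures silenced (the two bcdedit calls), the backup catalog deleted (wbadmin), the host firewall switched off with both the current and the legacy netsh syntax, and finally mshta.exe rendering info.hta from the desktop, the public desktop and every drive root, which is how Phobos shows its ransom note. Any one of these has a benign administrative use; the signal is several of them from one parent within seconds. The detection below is an added example, not part of the report: it scores constructed process-creation events (PIDs 1104, 1388, 3732, 3764 and 4036 come from the WriteProcessMemory table, every other PID and all timestamps are made up) and shows that single benign uses of the same tools do not fire.

```python
import re
from collections import defaultdict

# Command-line signatures for what this report's ransomware stage does before encrypting.
# Technique IDs are MITRE ATT&CK; the regular expressions are this example's own.
SIGNATURES = [
    ("T1490", "vssadmin shadow deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "wmic shadow deletion",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "bcdedit: recovery disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "bcdedit: boot failures ignored",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490", "wbadmin catalog deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("T1562.004", "firewall off (netsh advfirewall)",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("T1562.004", "firewall off (legacy netsh firewall)",
     re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode=)?disable\b", re.I)),
    ("T1218.005", "mshta rendering an .hta (ransom note display)",
     re.compile(r"\bmshta(\.exe)?\b.*\.hta\b", re.I)),
]


def classify(cmdline):
    """All (technique, label) pairs whose signature matches one command line."""
    return [(tid, label) for tid, label, rx in SIGNATURES if rx.search(cmdline)]


def triage(events, window=60):
    """Group hits by parent PID and grade each parent:
    HIGH   two or more distinct recovery-inhibiting (T1490) commands within `window` seconds,
    MEDIUM any single T1490 or firewall-disabling command,
    LOW    only proxy-execution hits (mshta)."""
    by_parent = defaultdict(list)
    for ev in events:
        for tid, label in classify(ev["cmdline"]):
            by_parent[ev["ppid"]].append((ev["ts"], tid, label, ev["cmdline"]))
    result = {}
    for ppid, hits in by_parent.items():
        recovery = sorted((ts, label) for ts, tid, label, _ in hits if tid == "T1490")
        burst = 0
        for i, (t0, _) in enumerate(recovery):
            distinct = {label for ts, label in recovery[i:] if ts - t0 <= window}
            burst = max(burst, len(distinct))
        if burst >= 2:
            verdict = "HIGH"
        elif any(tid in ("T1490", "T1562.004") for _, tid, _, _ in hits):
            verdict = "MEDIUM"
        else:
            verdict = "LOW"
        result[ppid] = {"verdict": verdict, "hits": hits}
    return result


# Constructed process-creation events in a Sysmon-like shape. PIDs 1104/1388/3732/3764/4036
# are from this report's WriteProcessMemory table; other PIDs and all timestamps are made up.
SAMPLE_EVENTS = [
    {"ts": 0,   "pid": 3732, "ppid": 1104, "cmdline": r"vssadmin delete shadows /all /quiet"},
    {"ts": 1,   "pid": 4036, "ppid": 1104, "cmdline": r"wmic shadowcopy delete"},
    {"ts": 2,   "pid": 5001, "ppid": 1104, "cmdline": r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": 3,   "pid": 5002, "ppid": 1104, "cmdline": r"bcdedit /set {default} recoveryenabled no"},
    {"ts": 4,   "pid": 5003, "ppid": 1104, "cmdline": r"wbadmin delete catalog -quiet"},
    {"ts": 1,   "pid": 3764, "ppid": 1388, "cmdline": r"netsh advfirewall set currentprofile state off"},
    {"ts": 5,   "pid": 5004, "ppid": 1388, "cmdline": r"netsh firewall set opmode mode=disable"},
    {"ts": 30,  "pid": 5005, "ppid": 4000,
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'},
    # Benign administrative use of the same binaries (constructed): must not fire.
    {"ts": 900, "pid": 7001, "ppid": 6000, "cmdline": r"vssadmin list shadows"},
    {"ts": 901, "pid": 7002, "ppid": 6000, "cmdline": r"bcdedit /enum"},
]

if __name__ == "__main__":
    for ppid, info in sorted(triage(SAMPLE_EVENTS).items()):
        print("parent PID %d: %s" % (ppid, info["verdict"]))
        for ts, tid, label, cmd in info["hits"]:
            print("  t=%-4d %-10s %-45s %s" % (ts, tid, label, cmd))
```

Grouping by parent is deliberate: the report shows the two cmd.exe instances doing different jobs (one for backups, one for the firewall), so a rule keyed on a single child process would see only one of each and never reach HIGH; in production the grouping key should be the process tree root, which here would be 1B87.exe.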

Network

Country Destination Domain Proto
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 134.121.24.20.in-addr.arpa udp
US 8.8.8.8:53 126.136.241.8.in-addr.arpa udp
RU 91.215.85.210:49189 91.215.85.210 tcp
US 8.8.8.8:53 210.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 dexstat255.xyz udp
DE 185.234.72.142:46578 dexstat255.xyz tcp
US 8.8.8.8:53 142.72.234.185.in-addr.arpa udp
US 8.8.8.8:53 sentrex37.xyz udp
DE 5.182.207.8:80 sentrex37.xyz tcp
US 8.8.8.8:53 8.207.182.5.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 52.168.117.169:443 tcp
US 8.8.8.8:53 serverlogs37.xyz udp
US 8.8.8.8:53 servblog757.xyz udp
DE 45.89.127.159:80 servblog757.xyz tcp
US 8.8.8.8:53 admhexlogs25.xyz udp
EE 159.253.18.136:80 admhexlogs25.xyz tcp
US 8.8.8.8:53 159.127.89.45.in-addr.arpa udp
US 8.8.8.8:53 136.18.253.159.in-addr.arpa udp
DE 45.89.127.159:80 servblog757.xyz tcp
GB 96.16.110.41:443 tcp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
DE 45.89.127.159:80 servblog757.xyz tcp

Files

memory/2384-133-0x0000000000800000-0x0000000000858000-memory.dmp

memory/2384-134-0x00000000057C0000-0x0000000005D64000-memory.dmp

memory/2384-135-0x0000000005210000-0x00000000052A2000-memory.dmp

memory/2384-136-0x00000000051C0000-0x00000000051E2000-memory.dmp

memory/2384-137-0x0000000005460000-0x0000000005470000-memory.dmp

memory/2384-138-0x0000000005400000-0x000000000540A000-memory.dmp

memory/1472-139-0x0000000002340000-0x0000000002376000-memory.dmp

memory/1472-140-0x0000000004E90000-0x00000000054B8000-memory.dmp

memory/1472-141-0x0000000004D70000-0x0000000004DD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idpjjg5a.3x4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1472-142-0x0000000004DE0000-0x0000000004E46000-memory.dmp

memory/1472-149-0x00000000024B0000-0x00000000024C0000-memory.dmp

memory/1472-150-0x00000000024B0000-0x00000000024C0000-memory.dmp

memory/1472-154-0x0000000005C50000-0x0000000005C6E000-memory.dmp

memory/1472-155-0x0000000006210000-0x0000000006254000-memory.dmp

memory/1472-156-0x00000000024B0000-0x00000000024C0000-memory.dmp

memory/1472-157-0x0000000006F60000-0x0000000006FD6000-memory.dmp

memory/1472-158-0x0000000007660000-0x0000000007CDA000-memory.dmp

memory/1472-159-0x0000000007000000-0x000000000701A000-memory.dmp

memory/1472-160-0x00000000024B0000-0x00000000024C0000-memory.dmp

memory/1472-161-0x0000000007D50000-0x0000000007D72000-memory.dmp

memory/2508-162-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2508-163-0x0000000018800000-0x0000000018E18000-memory.dmp

memory/2508-164-0x00000000182F0000-0x00000000183FA000-memory.dmp

memory/2508-165-0x0000000017AC0000-0x0000000017AD2000-memory.dmp

memory/2508-166-0x0000000018220000-0x000000001825C000-memory.dmp

memory/2384-167-0x0000000005460000-0x0000000005470000-memory.dmp

memory/1472-169-0x00000000024B0000-0x00000000024C0000-memory.dmp

memory/1472-168-0x00000000024B0000-0x00000000024C0000-memory.dmp

memory/1472-170-0x00000000024B0000-0x00000000024C0000-memory.dmp

memory/1472-171-0x00000000024B0000-0x00000000024C0000-memory.dmp

memory/2508-172-0x0000000019560000-0x0000000019722000-memory.dmp

memory/2508-173-0x000000001AA90000-0x000000001AFBC000-memory.dmp

memory/2508-175-0x0000000019830000-0x0000000019880000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

MD5 9d8a3dd432e255ebb2e890d2a0653ddb
SHA1 0e5741c323e7c35671333863492743ae0c64f64b
SHA256 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512 758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe (two further entries with the same hashes as above)

C:\Users\Admin\AppData\Local\Temp\s777mx.exe

MD5 8d7ebe871589d79f195f240dcef43a57
SHA1 f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA256 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

C:\Users\Admin\AppData\Local\Temp\s777mx.exe (two further entries with the same hashes as above)

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe (same hashes as the first ldx999sx.exe entry)

memory/4856-202-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3356-204-0x0000000001C80000-0x0000000001C89000-memory.dmp

memory/2964-206-0x0000000001B70000-0x0000000001B75000-memory.dmp

memory/4856-207-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2568-209-0x0000000003570000-0x0000000003586000-memory.dmp

memory/4856-210-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2964-214-0x0000000000400000-0x0000000001B38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B87.exe

MD5 0f281d2506515a64082d6e774573afb7
SHA1 8949f27465913bf475fceb5796b205429083df58
SHA256 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512 f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622

C:\Users\Admin\AppData\Local\Temp\1B87.exe (same hashes as above)

C:\Users\Admin\AppData\Local\Temp\1D4D.exe (byte-identical to s777mx.exe above: same MD5, SHA1, SHA256 and SHA512, so the same payload was dropped under a second name)

MD5 8d7ebe871589d79f195f240dcef43a57
SHA1 f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA256 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

C:\Users\Admin\AppData\Local\Temp\1D4D.exe (same hashes as above)

C:\Users\Admin\AppData\Local\Temp\1B87.exe (same hashes as above)

memory/3864-233-0x0000000001280000-0x00000000012EB000-memory.dmp

memory/948-235-0x0000000000710000-0x000000000071F000-memory.dmp

memory/3864-237-0x00000000012F0000-0x0000000001370000-memory.dmp

memory/3864-238-0x0000000001280000-0x00000000012EB000-memory.dmp

memory/4624-257-0x0000000000FA0000-0x0000000000FAC000-memory.dmp

memory/4624-258-0x0000000000FA0000-0x0000000000FAC000-memory.dmp

memory/3864-259-0x0000000001280000-0x00000000012EB000-memory.dmp

memory/64-260-0x0000000000400000-0x0000000000695000-memory.dmp

memory/828-261-0x00000000001E0000-0x00000000001E9000-memory.dmp

memory/828-262-0x0000000001B70000-0x0000000001B75000-memory.dmp

memory/828-263-0x00000000001E0000-0x00000000001E9000-memory.dmp

memory/436-264-0x0000000000AC0000-0x0000000000ACB000-memory.dmp

memory/436-265-0x0000000000AC0000-0x0000000000ACB000-memory.dmp

memory/380-266-0x0000000000A80000-0x0000000000A8B000-memory.dmp

memory/380-267-0x00000000001E0000-0x00000000001E9000-memory.dmp

memory/380-268-0x0000000000A80000-0x0000000000A8B000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1B87.exe (byte-identical copy of the Temp 1B87.exe; placing it in the all-users Startup folder relaunches the ransomware at every logon)

MD5 0f281d2506515a64082d6e774573afb7
SHA1 8949f27465913bf475fceb5796b205429083df58
SHA256 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512 f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622

memory/4632-314-0x0000000000BE0000-0x0000000000BEF000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[56C78627-3483].[[email protected]].8base

MD5 89c44b8f8f4ad7079cd1eb0bddb91dd6
SHA1 ff624ecc60037fbe0260ef6e860242fefa484380
SHA256 1815233a7cec67d412f58de7ba870657e5890b7be1b395aeb1f94e8fea80feae
SHA512 1060c5d838aad6f61b1bb156e283477476acdc74eb312c4f783be14bd46bcd702d0177e1c757ddb989264ff1f299af3ae3a7d2a482a1246b81bdc29c8cb51528

memory/4632-473-0x0000000000A80000-0x0000000000A8B000-memory.dmp

memory/4632-475-0x0000000000BE0000-0x0000000000BEF000-memory.dmp

memory/5052-512-0x0000000000A50000-0x0000000000A59000-memory.dmp

memory/5052-821-0x0000000000BE0000-0x0000000000BEF000-memory.dmp

memory/1800-842-0x0000000000FE0000-0x0000000000FEC000-memory.dmp

memory/5052-844-0x0000000000A50000-0x0000000000A59000-memory.dmp

memory/1800-854-0x0000000000FE0000-0x0000000000FEC000-memory.dmp

memory/536-1125-0x0000000001280000-0x0000000001289000-memory.dmp

memory/536-1195-0x0000000001280000-0x0000000001289000-memory.dmp

memory/4928-1696-0x00000000003C0000-0x00000000003C9000-memory.dmp

memory/948-1820-0x0000000000400000-0x0000000000695000-memory.dmp

memory/4928-1864-0x0000000001280000-0x0000000001289000-memory.dmp

memory/4928-1872-0x00000000003C0000-0x00000000003C9000-memory.dmp

memory/620-1940-0x0000000000940000-0x0000000000967000-memory.dmp

memory/620-1944-0x0000000000940000-0x0000000000967000-memory.dmp

memory/4244-1955-0x0000000000400000-0x0000000001B38000-memory.dmp

memory/620-1992-0x0000000000970000-0x0000000000971000-memory.dmp

memory/972-2029-0x0000000000AC0000-0x0000000000AC9000-memory.dmp

memory/972-2096-0x0000000000940000-0x0000000000967000-memory.dmp

memory/972-2097-0x0000000000AC0000-0x0000000000AC9000-memory.dmp

memory/1564-2098-0x00000000009A0000-0x00000000009AB000-memory.dmp

memory/1564-2125-0x00000000009A0000-0x00000000009AB000-memory.dmp

memory/1980-2161-0x00000000010A0000-0x00000000010AD000-memory.dmp

memory/828-2278-0x0000000001B70000-0x0000000001B75000-memory.dmp

memory/1980-2282-0x00000000009A0000-0x00000000009AB000-memory.dmp

memory/1980-2284-0x00000000010A0000-0x00000000010AD000-memory.dmp

memory/1224-2339-0x00000000012A0000-0x00000000012AB000-memory.dmp

memory/1224-2425-0x00000000010A0000-0x00000000010AD000-memory.dmp

memory/1224-2427-0x00000000012A0000-0x00000000012AB000-memory.dmp

memory/380-2470-0x00000000001E0000-0x00000000001E9000-memory.dmp

memory/4632-2472-0x0000000000A80000-0x0000000000A8B000-memory.dmp

memory/948-2663-0x0000000000400000-0x0000000000695000-memory.dmp

memory/948-4718-0x0000000000400000-0x0000000000695000-memory.dmp

memory/948-6223-0x0000000000400000-0x0000000000695000-memory.dmp

memory/948-8291-0x0000000000400000-0x0000000000695000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 34d461b8b826e81426975ca16787672f
SHA1 82737839fcf9e0f0eca8a879035ea512fd2edaa4
SHA256 45f4b6bf317f54ca9f783d88793ffd40ea9b43f3d89ac3d4c494031945a03705
SHA512 1891e62ecff1cc6b96b9834358a07dd33818e8f4f42f67967fdc72da5cf68df6bb8d7ac26e1401aef51af480514e7ee5582cc0af7abfbc879597ffc2e8d6f89e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe.log

MD5 fe0908886369b89d8054d60627e3a368
SHA1 49eae30bd2067c7750f978dabb47114eaf16015d
SHA256 213132b28845eeec2a3907abab14ffe8e3656e5dd809b71621e067a4282f692b
SHA512 e0c9cbf7fecf4a880aeaa5b367ae52d8f10e885514df33c1c559c4ff320bda0764f51c5af592758536fc829740ee541dddd4e947c74cef9db2bb0a3e6d8348df

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

MD5 9b756bc85e5324eb8f87a69e3f9959ab
SHA1 1778b2e2d6a00c421578a284db1e743931611d66
SHA256 e347a39e49ca8c835cc47d3f039230969e7c4156089f2e83e8a0aed1df88016e
SHA512 c897af3307e3c3163762021f49934ac5fbeab27f123e814bc390bdf1f0ed46671afeadcc87a8a4b18ddf13f4abd0d8ef00343af91ff999d7d447c96505d866d8

memory/948-10786-0x0000000000400000-0x0000000000695000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000023.db.id[56C78627-3483].[[email protected]].8base

MD5 fb46ea0b68b69326f621c0cf2488ce7e
SHA1 13ebf68d8ceae14aba66d94a9f62d5f004413f15
SHA256 fe67de9e002b2ca8747a12ad0a10e642a33ce1932cb8727b3e40ce96fecc6d12
SHA512 19aaae677e644b03890c1955e623cc7a2ac04b41ec9c44ecaac6dd3423881a16bbac532d1312c0e77935a68e0b705a5c99ab07b67d14fb3b1d30a15ee3cc07c8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 be7e1d310d3d21c2721265966a51e081
SHA1 c0ed93cd48d1cbe75f1623aef1d20f667a6541d1
SHA256 60afce48d3afaa612505064eb7d48a42c2de1a82e90c8aaa3665725114a56f4f
SHA512 e820d6c3d3bb0573fc8fb0802190a7584cf647d5e880011a3c3dde3d99245b0448a261f351e77844c3108efe935766d61fcc2be32c33e41572fe64d19fd3cde0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 3337d66209faa998d52d781d0ff2d804
SHA1 6594b85a70f998f79f43cdf1ca56137997534156
SHA256 9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd
SHA512 8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

memory/4244-11404-0x0000000000400000-0x0000000001B38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\465F\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe

MD5 cfe72ed40a076ae4f4157940ce0c5d44
SHA1 8010f7c746a7ba4864785f798f46ec05caae7ece
SHA256 6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32
SHA512 f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

C:\Users\Admin\AppData\Local\Temp\465F\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll

MD5 197e685df6a238a6a94f9a4a46d55f11
SHA1 4f4c45b8371a11f79520395313fd5b0aca272006
SHA256 45b4c3d0652e160bbf96bfc9dcb373bae937352d510a15b54c054ff3b774c13b
SHA512 a30efa859db1f7e9af70d435432fcc9c072e21c4eadb686a613da8611935cf9521c04498dc51f093cc28de2331f8065125fced68d130ae6333ffd6a4190153f8

C:\Users\Admin\AppData\Local\Temp\465F\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\System32\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\System32\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\System32\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\465F\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\465F\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\SysWOW64\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\465F\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Roaming\fcfgthi

MD5 9d8a3dd432e255ebb2e890d2a0653ddb
SHA1 0e5741c323e7c35671333863492743ae0c64f64b
SHA256 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512 758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96

C:\Users\Admin\AppData\Roaming\erwegwd

MD5 8ae1cc677e2d090310297d8850acfecc
SHA1 70eefbd35714f855c54ba8fb60192abc8d329081
SHA256 7325d6496196de05d8acc9862d43d32e412c28c85a5d3868d0fd935f64da8790
SHA512 b157e196fd9fe3ce2d1f8b7b8c3a0341be83e091166b83834b110a78999c862a06590846dd39a426660329e4cb079d76a33b905866b5a8bc1cda10bbf671a209

C:\info.hta

MD5 38b7d293145a86018f6f2b40077ddd28
SHA1 0d948706a00a7863368dfcfaadfd90de9ac41f61
SHA256 c35f671ad7c2be8c64097ba44f2e5b5d8bbf1d00064a1612fd113c1f50944d9d
SHA512 72e47c2603b6ae954aff9ea18b53b183a7f50a03cfd2769de0c2e48374f6a40f3cad6df532a18d7506026b038998e04c8ac0f00ca8fbac473ccf9b8561d31e04

C:\Users\Admin\Desktop\info.hta

MD5 38b7d293145a86018f6f2b40077ddd28
SHA1 0d948706a00a7863368dfcfaadfd90de9ac41f61
SHA256 c35f671ad7c2be8c64097ba44f2e5b5d8bbf1d00064a1612fd113c1f50944d9d
SHA512 72e47c2603b6ae954aff9ea18b53b183a7f50a03cfd2769de0c2e48374f6a40f3cad6df532a18d7506026b038998e04c8ac0f00ca8fbac473ccf9b8561d31e04

C:\users\public\desktop\info.hta

MD5 38b7d293145a86018f6f2b40077ddd28
SHA1 0d948706a00a7863368dfcfaadfd90de9ac41f61
SHA256 c35f671ad7c2be8c64097ba44f2e5b5d8bbf1d00064a1612fd113c1f50944d9d
SHA512 72e47c2603b6ae954aff9ea18b53b183a7f50a03cfd2769de0c2e48374f6a40f3cad6df532a18d7506026b038998e04c8ac0f00ca8fbac473ccf9b8561d31e04

C:\info.hta

MD5 38b7d293145a86018f6f2b40077ddd28
SHA1 0d948706a00a7863368dfcfaadfd90de9ac41f61
SHA256 c35f671ad7c2be8c64097ba44f2e5b5d8bbf1d00064a1612fd113c1f50944d9d
SHA512 72e47c2603b6ae954aff9ea18b53b183a7f50a03cfd2769de0c2e48374f6a40f3cad6df532a18d7506026b038998e04c8ac0f00ca8fbac473ccf9b8561d31e04

F:\info.hta

MD5 38b7d293145a86018f6f2b40077ddd28
SHA1 0d948706a00a7863368dfcfaadfd90de9ac41f61
SHA256 c35f671ad7c2be8c64097ba44f2e5b5d8bbf1d00064a1612fd113c1f50944d9d
SHA512 72e47c2603b6ae954aff9ea18b53b183a7f50a03cfd2769de0c2e48374f6a40f3cad6df532a18d7506026b038998e04c8ac0f00ca8fbac473ccf9b8561d31e04

memory/948-12213-0x0000000000400000-0x0000000000695000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\465F\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll.id[56C78627-3483].[[email protected]].8base

MD5 cbf81faa91432cae86651c682c523a6a
SHA1 692e73b9032d48ee6c2ef6b791338aae30e79f30
SHA256 2ddf1d2e796426d865e9ddbda338cdb716fda6a39de5550770c8aafe063f8c47
SHA512 47a293ace9b6d9e37cb1a3b2602c546bdec1eb3a1d448f0b1d521411778bafccbb2e8f1a51badc7481ef16d77d57574981249ede092b5940f8e961122afc08f9

C:\Users\Admin\AppData\Local\Temp\465F\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe.id[56C78627-3483].[[email protected]].8base

MD5 5c84be18452016bc548ecae6f1a2f839
SHA1 19001fa2d58120439b719e56b9e3eb142007d1de
SHA256 e4d962c0c90085bb263d9df8d46d3ece77dba94e8ab42724b96bec8a7a13bd98
SHA512 82de1d1d8f8c923526ff9bed3558bd4fb4439db840318856464c0aa25a4d21b4fbd48ad7ac288207a07ea5641accd841708c3d7c726c4aafb0b7bd091a18fdda

C:\Users\Admin\AppData\Local\Temp\465F\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml.id[56C78627-3483].[[email protected]].8base

MD5 10f8e322ca5f720847caf977ba0bf88b
SHA1 615396325ac84a0063ce40182782ce82324b1e7e
SHA256 9dc17782bdbbe2b3d14fb8f877256a29af302660f8da5ac577a51c9f76210ed4
SHA512 e15b592a4e5820a22a40c9f7447402f4f5cf98d57839f88713277c321f621c411c6821d2ced9ff3f6aa78f12576295740190e4ca7f33a06c2bc89ae38a40c69a

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\System32\WalletBackgroundServiceProxy.dll.id[56C78627-3483].[[email protected]].8base

MD5 dba4b32bdef8e10ad3765526ce4c3524
SHA1 9ae7e130aa349ed0c948aa99d773d7e8ce8a7e24
SHA256 78970317970a94b3b56eb4bb9dd3785b26c9241abcb1a6f2dfcbed0f730e3044
SHA512 39fd7b9152321ccb57fe945e0c6b38dc04bb42f252ba9fbfb8aa0fcbf4c48737eed0e157eb372de10d6154ea29bbb28804cbbffea906c926f69570b79ba8f478

C:\Users\Admin\AppData\Local\Temp\465F\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml.id[56C78627-3483].[[email protected]].8base

MD5 33bda5c81c2b8841da58a87a85a73007
SHA1 031fe2ae9092f7cc5855e2f27cda8e1207cf68f6
SHA256 caa69cd3cb5f066d728b4748ac0729c1fba929cd0ec30998932a171d416d4a30
SHA512 7bbe0f7ac0fcff61d59b880bc8b13c895a1b6a8543f185c5f4d3eba4f6b62752ccd806d917c04325979370a4dd7cee2b61417a87845d05d7766d27f4a514bec6

C:\Users\Admin\AppData\Local\Temp\465F\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml.id[56C78627-3483].[[email protected]].8base

MD5 ac5b176103125fa40747e84aa53ef32d
SHA1 b9ade97e6d2619c11d37dda2a430feedebb42379
SHA256 d6cf3dc51e43ff965024cbff1041f4bb9b7de87dbfa11677d495df9d7a399314
SHA512 9c02d3554923afcee14053fd20157c5a77cea96a9b9471e6ead4abdbba8c41c114d47812cc6340d14cacf05d72fb10675a51f7bfba5ebb1657d060fbd05dcfb3

C:\Users\Admin\AppData\Local\Temp\465F\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml.id[56C78627-3483].[[email protected]].8base

MD5 3bee50de7dcb7913ac35c79912efa464
SHA1 0890c03f69ea0309f738ac6cb3b06b1b0d542b7e
SHA256 e55a5abddf9fcc756cfabe8da73f5ff4cec369e36b1c26ea925d8d471bd883b2
SHA512 da7dab755cc3ca8309f2aa01c75cf6810aa1b13c12a65d3a40dc3981e4952380ec445a82bc34ea66d25519c98ec58184ed6fb9962a3a4fb1144cb648a664bb56

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\System32\WalletProxy.dll.id[56C78627-3483].[[email protected]].8base

MD5 c5636957e53e8450d76389d57267b553
SHA1 5f65ce8b456e2929e760cc01dc86c551a584a04f
SHA256 c19b64e88a82d169e31ef57f697cba8f61e4c7c2786de44fc9e44637a2888183
SHA512 14258fac86c59c1ea00e9f00f900b35105554d97bc14a0f2ec289ee0a7a19ab59cfeec8ff81217f0088d410ab360938803edfc4b0e1a0b147460969059046180

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\System32\Windows.ApplicationModel.Wallet.dll.id[56C78627-3483].[[email protected]].8base

MD5 63ee93aaf0aa8f0c2a4111fb505f7ab2
SHA1 53705cb08764bc50c2fa47ae3316008ad0f6d3c3
SHA256 66382092765a2788a4fc0930d986ae8ce1f8f826fe99aca190d6f3acf525450f
SHA512 5d153aad7c92b27b126e12b21354f8c9b2b2eaa1e369120e2484e3fd3e57a81e8d2e0b93f1686a6dff88b8f0d04466869cb5e31df62fc22854e32c093aa5a239

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll.id[56C78627-3483].[[email protected]].8base

MD5 b88cf31210a52086e96dd2c52d24f20d
SHA1 83e7d36022597e892f73d6c09b4a0019840d9221
SHA256 bdebbe47f927bc50615ca4160d1184eae999499b1cbc02ce0b6debd1ad0d654a
SHA512 c46bb55bad12a070af47ab1176654b06980fb31b34aec90a4696a7c67db6829d12f16b4d0326384580f8285f56bcaf6cf72c7340057d386a8bf8a6e403904e13

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\SysWOW64\WalletProxy.dll.id[56C78627-3483].[[email protected]].8base

MD5 a89f329b51cc460ad4d97e0d823d8fd0
SHA1 b51726ba231e6b3a9b808a19cc0bdadfc03d3f94
SHA256 c0fbe11f9aeddc836b08fa7f6b7aff02ce77c45ea4ba2b87e317f5ba9ddc836c
SHA512 7eb5d714c6222fed5f515f36c2d56bc1dd3ebdb1a0c15eaa7f83cf35808257f18d24826a1bebd23134979db4be86308ee8cdb241444b174c09296053c0e708d0

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll.id[56C78627-3483].[[email protected]].8base

MD5 6043482b046a54327d9daa52df802105
SHA1 949cb79dd3e908b97d01cb791ba815f5c511e518
SHA256 aa2559cd315ad950efab700d65c5ccd7c6e6d19b20c43a4d01dfc342fa663bcc
SHA512 7af8924b57a6c6b0ed914a2243cd51164fbfba5672714a7d62410d466b253d3dfc225c515ca87fdbd230147eaec215018e6bf939090e968bbfe6f3ee9d14e3e4

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_b3a887dd4a9553e8\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\465F\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_046b779f2003c415\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.id[56C78627-3483].[[email protected]].8base

MD5 23e95b2d7cb3d4bd73c69c213741ccea
SHA1 21b889f6956b95b5ba7f6bdea155b550a78d19b3
SHA256 410c23963fa6bb9cb3838f7de85742f2c947e148649454c4707bb5d833e529bc
SHA512 ebb263f021fdc3df7d7a988a0c3a61f110543fd11bdc99a5f772e70db7ba2418a18c718dc57bb7ab08a5f4fb39e0104b71f18c11233e12ead82d002d574abf9a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

MD5 2257fa8cef64a74c33655bd5f74ef5e5
SHA1 b9f8baf96166f99cb1983563e632e6e69984ad5c
SHA256 ead48b70e048de6ccca219a229ca90b49a9d1b9c14bf3a7c5eaad544294fcfd3
SHA512 7792be9b935a46a923e97bb76b76957070e116dcc4cb6fcd8b883c2d6f142285ebc9fd26cdf29bd19c8bdff412487f586abaa1724332b613e71afa45d7f3e4f9